├── .gitignore ├── README.md └── k8s ├── cenm.yaml ├── efs.yaml ├── helm ├── auth │ ├── .helmignore │ ├── Chart.yaml │ ├── files │ │ ├── authservice.conf │ │ └── run.sh │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── deployment.yaml │ │ ├── pvc.yaml │ │ ├── service.yaml │ │ └── serviceaccount.yaml │ └── values.yaml ├── bootstrap.cenm ├── bootstrap.cenm.connections ├── gateway │ ├── .helmignore │ ├── Chart.yaml │ ├── files │ │ ├── gateway.conf │ │ ├── groups │ │ │ ├── ca-signers.json │ │ │ ├── configuration-maintainers.json │ │ │ ├── configuration-readers.json │ │ │ ├── editors.json │ │ │ ├── flagDayExecutors.json │ │ │ ├── network-maintainers.json │ │ │ ├── network-operation-readers.json │ │ │ ├── network-operators.json │ │ │ ├── nonca-signers.json │ │ │ ├── readers-soft.json │ │ │ ├── readers.json │ │ │ └── signers.json │ │ ├── roles │ │ │ ├── CASigner.json │ │ │ ├── ConfigurationMaintainer.json │ │ │ ├── ConfigurationReader.json │ │ │ ├── EditAndModify.json │ │ │ ├── FlagDayExecute.json │ │ │ ├── NetworkMaintainer.json │ │ │ ├── NetworkOperationsReader.json │ │ │ ├── NetworkOperator.json │ │ │ ├── NonCASigner.json │ │ │ ├── RadOnlyLockdown.json │ │ │ ├── ReadOnly.json │ │ │ └── Signer.json │ │ ├── run.sh │ │ ├── setupAuth.sh │ │ └── users │ │ │ ├── business-reader.json │ │ │ ├── ca-signer.json │ │ │ ├── config-maintainer.json │ │ │ ├── config-reader.json │ │ │ ├── james-flagday.json │ │ │ ├── jenny-editor.json │ │ │ ├── johnny-reader.json │ │ │ ├── malcolm-signer.json │ │ │ ├── network-maintainer.json │ │ │ ├── network-operator.json │ │ │ └── nonca-signer.json │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── deployment.yaml │ │ ├── job.yaml │ │ ├── pvc.yaml │ │ ├── service.yaml │ │ └── serviceaccount.yaml │ └── values.yaml ├── hsm │ ├── Chart.yaml │ ├── files │ │ └── run.sh │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── job.yaml │ │ ├── pvc.yaml │ │ 
└── serviceaccount.yaml │ └── values.yaml ├── idman-ip │ ├── .helmignore │ ├── Chart.yaml │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ └── service.yaml │ └── values.yaml ├── idman │ ├── .helmignore │ ├── Chart.yaml │ ├── files │ │ ├── getZoneToken.sh │ │ ├── identitymanager-init.conf │ │ └── run.sh │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── deployment.yaml │ │ ├── pvc.yaml │ │ ├── service.yaml │ │ └── serviceaccount.yaml │ └── values.yaml ├── nmap │ ├── .helmignore │ ├── Chart.yaml │ ├── files │ │ ├── getZoneToken.sh │ │ ├── network-parameters-update-example.conf │ │ ├── networkmap-init.conf │ │ ├── run.sh │ │ └── set-network-parameters.sh │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── deployment.yaml │ │ ├── pvc.yaml │ │ ├── service.yaml │ │ └── serviceaccount.yaml │ └── values.yaml ├── notary-ip │ ├── .helmignore │ ├── Chart.yaml │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ └── service.yaml │ └── values.yaml ├── notary │ ├── .helmignore │ ├── Chart.yaml │ ├── files │ │ ├── create-network-parameters-file.sh │ │ ├── notary-initial-registration.sh │ │ ├── notary.conf │ │ └── run.sh │ ├── templates │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── deployment.yaml │ │ ├── pvc.yaml │ │ ├── service.yaml │ │ └── serviceaccount.yaml │ └── values.yaml ├── pki │ ├── .helmignore │ ├── Chart.yaml │ ├── files │ │ ├── pki-azure.conf │ │ ├── pki.conf │ │ └── run.sh │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── job.yaml │ │ ├── pvc.yaml │ │ └── serviceaccount.yaml │ └── values.yaml ├── signer │ ├── .helmignore │ ├── Chart.yaml │ ├── files │ │ ├── getZoneToken.sh │ │ ├── run.sh │ │ ├── signer-azure.conf │ │ └── signer.conf │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── deployment.yaml │ │ ├── pvc.yaml │ │ ├── service.yaml │ │ └── serviceaccount.yaml │ └── values.yaml └── zone │ ├── .helmignore 
│ ├── Chart.yaml │ ├── files │ └── run.sh │ ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── configmap.yaml │ ├── deployment.yaml │ ├── pvc.yaml │ ├── service.yaml │ └── serviceaccount.yaml │ └── values.yaml ├── storage-class-aws.yaml └── storage-class-azure.yaml /.gitignore: -------------------------------------------------------------------------------- 1 | /.idea/ 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Corda Enterprise Network Manager (CENM) deployment 2 | 3 | Documentation on Corda Enterprise Network Manager (CENM) can be found at [CENM Deployment with Docker, Kubernetes and Helm charts](https://docs.r3.com/en/platform/corda/1.6/cenm/deployment-kubernetes.html). 4 | 5 | ## How to get deployment for particular CENM version: 6 | 7 | | CENM version | Command to run | 8 | |------------------------------|---------------------| 9 | | 1.6 | git checkout v1.6 | 10 | | 1.5.9 | git checkout v1.5.9 | 11 | 13 | -------------------------------------------------------------------------------- /k8s/cenm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: cenm 5 | 6 | --- 7 | kind: Role 8 | apiVersion: rbac.authorization.k8s.io/v1 9 | metadata: 10 | namespace: cenm 11 | name: all-in-cenm-namespace 12 | rules: 13 | - apiGroups: ["", "extensions", "apps"] # "" indicates the core API group 14 | resources: ["*"] 15 | verbs: ["*"] 16 | 17 | --- 18 | kind: RoleBinding 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | metadata: 21 | namespace: cenm 22 | name: everything-in-cenm 23 | roleRef: 24 | kind: Role 25 | name: all-in-cenm-namespace 26 | apiGroup: rbac.authorization.k8s.io 27 | subjects: 28 | - kind: Group 29 | name: "[use your own group]" 30 | apiGroup: rbac.authorization.k8s.io 31 | 
-------------------------------------------------------------------------------- /k8s/efs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: cenm 6 | 7 | --- 8 | kind: ServiceAccount 9 | apiVersion: v1 10 | metadata: 11 | name: efs-provisioner 12 | namespace: cenm 13 | 14 | --- 15 | apiVersion: v1 16 | kind: ConfigMap 17 | metadata: 18 | name: efs-provisioner 19 | namespace: cenm 20 | data: 21 | file.system.id: [EFS file system ID] 22 | aws.region: [REGION] 23 | provisioner.name: aws.io/aws-efs 24 | dns.name: "" 25 | 26 | --- 27 | kind: Deployment 28 | apiVersion: apps/v1 29 | metadata: 30 | name: efs-provisioner 31 | namespace: cenm 32 | spec: 33 | replicas: 1 34 | selector: 35 | matchLabels: 36 | app: efs-provisioner 37 | strategy: 38 | type: Recreate 39 | template: 40 | metadata: 41 | labels: 42 | app: efs-provisioner 43 | spec: 44 | serviceAccount: efs-provisioner 45 | containers: 46 | - name: efs-provisioner 47 | image: quay.io/external_storage/efs-provisioner:v2.4.0 48 | env: 49 | - name: FILE_SYSTEM_ID 50 | valueFrom: 51 | configMapKeyRef: 52 | name: efs-provisioner 53 | key: file.system.id 54 | - name: AWS_REGION 55 | valueFrom: 56 | configMapKeyRef: 57 | name: efs-provisioner 58 | key: aws.region 59 | - name: DNS_NAME 60 | valueFrom: 61 | configMapKeyRef: 62 | name: efs-provisioner 63 | key: dns.name 64 | optional: true 65 | - name: PROVISIONER_NAME 66 | valueFrom: 67 | configMapKeyRef: 68 | name: efs-provisioner 69 | key: provisioner.name 70 | volumeMounts: 71 | - name: pv-volume 72 | mountPath: /persistentvolumes 73 | volumes: 74 | - name: pv-volume 75 | nfs: 76 | server: [EFS file system ID].efs.[REGION].amazonaws.com 77 | path: / 78 | 79 | 80 | --- 81 | kind: ClusterRole 82 | apiVersion: rbac.authorization.k8s.io/v1 83 | metadata: 84 | name: efs-provisioner-runner 85 | rules: 86 | - apiGroups: [""] 87 | resources: ["persistentvolumes"] 88 | verbs: 
["get", "list", "watch", "create", "delete"] 89 | - apiGroups: [""] 90 | resources: ["persistentvolumeclaims"] 91 | verbs: ["get", "list", "watch", "update"] 92 | - apiGroups: ["storage.k8s.io"] 93 | resources: ["storageclasses"] 94 | verbs: ["get", "list", "watch"] 95 | - apiGroups: [""] 96 | resources: ["events"] 97 | verbs: ["create", "update", "patch"] 98 | - apiGroups: [""] 99 | resources: ["endpoints"] 100 | verbs: ["get", "list", "watch", "create", "update", "patch"] 101 | 102 | --- 103 | kind: ClusterRoleBinding 104 | apiVersion: rbac.authorization.k8s.io/v1 105 | metadata: 106 | name: run-efs-provisioner 107 | subjects: 108 | - kind: ServiceAccount 109 | name: efs-provisioner 110 | # replace with namespace where provisioner is deployed 111 | namespace: cenm 112 | roleRef: 113 | kind: ClusterRole 114 | name: efs-provisioner-runner 115 | apiGroup: rbac.authorization.k8s.io 116 | 117 | --- 118 | kind: Role 119 | apiVersion: rbac.authorization.k8s.io/v1 120 | metadata: 121 | name: leader-locking-efs-provisioner 122 | rules: 123 | - apiGroups: [""] 124 | resources: ["endpoints"] 125 | verbs: ["get", "list", "watch", "create", "update", "patch"] 126 | 127 | --- 128 | kind: RoleBinding 129 | apiVersion: rbac.authorization.k8s.io/v1 130 | metadata: 131 | name: leader-locking-efs-provisioner 132 | subjects: 133 | - kind: ServiceAccount 134 | name: efs-provisioner 135 | # replace with namespace where provisioner is deployed 136 | namespace: cenm 137 | roleRef: 138 | kind: Role 139 | name: leader-locking-efs-provisioner 140 | apiGroup: rbac.authorization.k8s.io 141 | -------------------------------------------------------------------------------- /k8s/helm/auth/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /k8s/helm/auth/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: auth 3 | description: A Helm chart for CENM Auth Service 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | version: 2.0.6 18 | 19 | # This is the version number of the application being deployed. This version number should be 20 | # incremented each time you make changes to the application. 
21 | appVersion: '1.6' 22 | -------------------------------------------------------------------------------- /k8s/helm/auth/files/authservice.conf: -------------------------------------------------------------------------------- 1 | database { 2 | driverClassName = "{{ .Values.database.driverClassName }}" 3 | jdbcDriver = "{{ .Values.database.jdbcDriver }}" 4 | url = "{{ .Values.database.url }}" 5 | user = "{{ .Values.database.user }}" 6 | password = "{{ .Values.database.password }}" 7 | runMigration = "{{ .Values.database.runMigration }}" 8 | } 9 | jwk { 10 | location = "etc/jwt-store.jks" 11 | password = "password" 12 | keyAlias = "oauth-test-jwt" 13 | keyId = "key-id" 14 | } 15 | clientConfig = { 16 | clients = [ 17 | { 18 | clientId = "gateway1" 19 | clientSecret = "secret1" 20 | scopes = [ 21 | "accounts:user", 22 | "accounts:admin" 23 | ] 24 | audience = [ 25 | "ACCOUNTS", 26 | "zone", 27 | "signer", 28 | "identity-manager" 29 | "network-map" 30 | ] 31 | accessTokenValidity = 1800 32 | refreshTokenValidity = 86400 33 | } 34 | ], 35 | issuer = "http://test" 36 | } 37 | server { 38 | port = {{ .Values.service.port }} 39 | ssl = { 40 | keyStore = { 41 | location = "./DATA/key-stores/corda-ssl-auth-keys.jks" 42 | password = "password" 43 | keyAlias = "cordasslauthservice" 44 | } 45 | trustStore = { 46 | location = "./DATA/trust-stores/corda-ssl-trust-store.jks" 47 | password = "trust-store-password" 48 | } 49 | } 50 | } -------------------------------------------------------------------------------- /k8s/helm/auth/files/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | {{ if eq .Values.bashDebug true }} 3 | set -x 4 | {{ end }} 5 | 6 | # 7 | # main run 8 | # 9 | if [ -f bin/accounts-application.jar ] 10 | then 11 | echo 12 | echo "CENM: starting CENM Auth service ..." 
13 | echo 14 | java -jar bin/accounts-application.jar --config-file authservice.conf --initial-user-name admin --initial-user-password p4ssWord --keep-running --verbose 15 | EXIT_CODE=${?} 16 | else 17 | echo "Missing Auth service jar file." 18 | EXIT_CODE=110 19 | fi 20 | 21 | if [ "${EXIT_CODE}" -ne "0" ] 22 | then 23 | HOW_LONG={{ .Values.sleepTimeAfterError }} 24 | echo 25 | echo "Auth service failed - exit code: ${EXIT_CODE} (error)" 26 | echo 27 | echo "Going to sleep for the requested {{ .Values.sleepTimeAfterError }} seconds to let you log in and investigate." 28 | sleep {{ .Values.sleepTimeAfterError }} 29 | echo 30 | fi 31 | 32 | echo -------------------------------------------------------------------------------- /k8s/helm/auth/templates/NOTES.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/corda/cenm-deployment/4cbbf81ce962a8d8bb6672ca76e1e2dfe7619f72/k8s/helm/auth/templates/NOTES.txt -------------------------------------------------------------------------------- /k8s/helm/auth/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "auth.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 
13 | */}} 14 | {{- define "auth.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "auth.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "auth.labels" -}} 38 | helm.sh/chart: {{ include "auth.chart" . }} 39 | {{ include "auth.selectorLabels" . }} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end -}} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "auth.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "auth.name" . }} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end -}} 53 | 54 | {{/* 55 | Create the name of the service account to use 56 | */}} 57 | {{- define "auth.serviceAccountName" -}} 58 | {{- if .Values.serviceAccount.create -}} 59 | {{ default (include "auth.fullname" .) .Values.serviceAccount.name }} 60 | {{- else -}} 61 | {{ default "default" .Values.serviceAccount.name }} 62 | {{- end -}} 63 | {{- end -}} 64 | -------------------------------------------------------------------------------- /k8s/helm/auth/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ .Values.prefix }}-auth-conf 6 | labels: 7 | {{ include "auth.labels" . 
| indent 4 }} 8 | data: 9 | run.sh: |+ 10 | {{ tpl (.Files.Get "files/run.sh") . | indent 4 }} 11 | 12 | authservice.conf: |+ 13 | {{ tpl (.Files.Get "files/authservice.conf") . | indent 4 }} 14 | -------------------------------------------------------------------------------- /k8s/helm/auth/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "auth.fullname" . }} 5 | labels: 6 | {{- include "auth.labels" . | nindent 4 }} 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | {{- include "auth.selectorLabels" . | nindent 6 }} 12 | template: 13 | metadata: 14 | labels: 15 | {{- include "auth.selectorLabels" . | nindent 8 }} 16 | spec: 17 | {{- with .Values.imagePullSecrets }} 18 | imagePullSecrets: 19 | {{- toYaml . | nindent 8 }} 20 | {{- end }} 21 | serviceAccountName: {{ include "auth.serviceAccountName" . }} 22 | securityContext: 23 | {{- toYaml .Values.podSecurityContext | nindent 8 }} 24 | initContainers: 25 | - name: init-waitforpki 26 | env: 27 | - name: ACCEPT_LICENSE 28 | value: "{{required "You must accept the license agreement to use this software." .Values.acceptLicense }}" 29 | securityContext: 30 | {{- toYaml .Values.securityContext | nindent 12 }} 31 | image: "{{ required "auth[waitforpki]: missing value for .Values.authImage.repository" .Values.authImage.repository }}:{{ required "auth[waitforpki]: missing value for .Values.authImage.tag" .Values.authImage.tag }}" 32 | imagePullPolicy: {{ .Values.authImage.pullPolicy }} 33 | command: ["/bin/sh", "-c"] 34 | args: 35 | - |- 36 | pwd 37 | ls -alR 38 | echo "Waiting for ./DATA/PKITOOL-DONE ..." 39 | until [ -f ./DATA/PKITOOL-DONE ] 40 | do 41 | sleep 5 42 | done 43 | ls -al ./DATA/PKITOOL-DONE 44 | echo "Waiting for ./DATA/PKITOOL-DONE ... done." 
# auth Deployment (templates/deployment.yaml), continued: the rest of the init-waitforpki init
# container, then init-jwt, the main Auth Service container and the optional logs sidecar.
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
            - name: pki-certs-keys
              mountPath: /opt/cenm/DATA
        # init-jwt: generates the RSA key pair the Auth Service signs JWTs with, into etc/jwt-store.jks
        # (relative to the image's working directory; /opt/cenm/etc is the auth-etc volume). The alias,
        # keystore path and the literal password `password` are exactly what the jwk block of
        # files/authservice.conf reads, so the two places must be changed together.
        # NOTE(review): store/key password and the placeholder -dname are demo values hard-coded in the
        # template. The script's exit status is that of the trailing `ls -alR`, so a keytool failure
        # (for instance the alias already existing in a persisted keystore after a restart) does not
        # fail this init container.
        - name: init-jwt
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.authImage.repository }}:{{ .Values.authImage.tag }}"
          imagePullPolicy: {{ .Values.authImage.pullPolicy }}
          command: ["/bin/sh", "-c"]
          args:
            - |-
              keytool -genkeypair -alias oauth-test-jwt -keyalg RSA -keypass password -keystore etc/jwt-store.jks -storepass password -dname "CN=abc1, OU=abc2, O=abc3, L=abc4, ST=abc5, C=abc6"
              ls -alR
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
            - name: auth-etc
              mountPath: /opt/cenm/etc
      containers:
        # main: runs files/run.sh (projected from the auth-conf ConfigMap) after dumping the working tree.
        # NOTE(review): `cat -n authservice.conf` prints the rendered config - including the database
        # password and the OAuth client secrets it contains - to the container's stdout, i.e. into pod logs.
        - name: main
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.authImage.repository }}:{{ .Values.authImage.tag }}"
          imagePullPolicy: {{ .Values.authImage.pullPolicy }}
          command: ["/bin/sh", "-c"]
          args:
            - |-
              pwd
              ls -alR
              cat -n authservice.conf
              ./run.sh
          # authservice.conf and run.sh come from the same ConfigMap via subPath mounts; the remaining
          # mounts are the PKI output (DATA), the JWT keystore (etc), the log directory and the H2 database.
          volumeMounts:
            - name: auth-conf
              mountPath: /opt/cenm/authservice.conf
              subPath: authservice.conf
            - name: auth-conf
              mountPath: /opt/cenm/run.sh
              subPath: run.sh
            - name: pki-certs-keys
              mountPath: /opt/cenm/DATA
            - name: auth-etc
              mountPath: /opt/cenm/etc
            - name: auth-logs
              mountPath: /opt/cenm/logs
            - name: auth-h2
              mountPath: /opt/cenm/h2
          # Both probes are plain TCP checks on the service port and are only rendered when
          # enabled in values.yaml (both are disabled there by default).
          {{- if .Values.livenessProbe.enabled }}
          livenessProbe:
            tcpSocket:
              port: {{ .Values.service.port }}
            initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
            timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
            successThreshold: {{ .Values.livenessProbe.successThreshold }}
            failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
          {{- end }}
          {{- if .Values.readinessProbe.enabled }}
          readinessProbe:
            tcpSocket:
              port: {{ .Values.service.port }}
            initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
            timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
            successThreshold: {{ .Values.readinessProbe.successThreshold }}
            failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
          {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
        # logs-auth: optional sidecar that streams the Auth Service log files; it mounts only the
        # auth-logs volume, so it has no access to the keystores or the database.
        {{- if .Values.logsContainersEnabled }}
        - name: logs-auth
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ required "auth[logs]: missing value for .Values.authImage.repository" .Values.authImage.repository }}:{{ required "auth[logs]: missing value for .Values.authImage.tag" .Values.authImage.tag }}"
          imagePullPolicy: {{ .Values.authImage.pullPolicy }}
          command: ["/bin/bash", "-c"]
          args:
            - |-
              cd /opt/cenm/
              while true; do tail -f logs/accounts-service/*.log 2>/dev/null; sleep 5; done
              # in case sth went wrong just wait indefinitely ...
127 | tail -f /dev/null 128 | volumeMounts: 129 | - name: auth-logs 130 | mountPath: /opt/cenm/logs 131 | resources: 132 | {{- toYaml .Values.resources | nindent 12 }} 133 | {{- end }} 134 | volumes: 135 | - name: pki-certs-keys 136 | persistentVolumeClaim: 137 | claimName: {{ .Values.prefix }}-pki-certs-keys 138 | - name: auth-conf 139 | configMap: 140 | name: {{ .Values.prefix }}-auth-conf 141 | defaultMode: 0777 142 | - name: auth-etc 143 | persistentVolumeClaim: 144 | claimName: {{ .Values.prefix }}-auth-etc 145 | - name: auth-h2 146 | persistentVolumeClaim: 147 | claimName: {{ .Values.prefix }}-auth-h2 148 | - name: auth-logs 149 | persistentVolumeClaim: 150 | claimName: {{ .Values.prefix }}-auth-logs 151 | {{- with .Values.nodeSelector }} 152 | nodeSelector: 153 | {{- toYaml . | nindent 8 }} 154 | {{- end }} 155 | {{- with .Values.affinity }} 156 | affinity: 157 | {{- toYaml . | nindent 8 }} 158 | {{- end }} 159 | {{- with .Values.tolerations }} 160 | tolerations: 161 | {{- toYaml . 
| nindent 8 }} 162 | {{- end }} 163 | -------------------------------------------------------------------------------- /k8s/helm/auth/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: {{ .Values.prefix }}-auth-etc 6 | spec: 7 | accessModes: 8 | - ReadWriteOnce 9 | storageClassName: {{ .Values.storageClass }} 10 | resources: 11 | requests: 12 | storage: {{ .Values.volumeSizeAuthEtc }} 13 | 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: {{ .Values.prefix }}-auth-h2 19 | spec: 20 | accessModes: 21 | - ReadWriteOnce 22 | storageClassName: {{ .Values.storageClass }} 23 | resources: 24 | requests: 25 | storage: {{ .Values.volumeSizeAuthH2 }} 26 | 27 | --- 28 | apiVersion: v1 29 | kind: PersistentVolumeClaim 30 | metadata: 31 | name: {{ .Values.prefix }}-auth-logs 32 | spec: 33 | accessModes: 34 | - ReadWriteOnce 35 | storageClassName: {{ .Values.storageClass }} 36 | resources: 37 | requests: 38 | storage: {{ .Values.volumeSizeAuthLogs }} 39 | -------------------------------------------------------------------------------- /k8s/helm/auth/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "auth.fullname" . }} 5 | labels: 6 | {{- include "auth.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: {{ .Values.service.port }} 12 | protocol: TCP 13 | selector: 14 | {{- include "auth.selectorLabels" . 
| nindent 4 }} 15 | -------------------------------------------------------------------------------- /k8s/helm/auth/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "auth.serviceAccountName" . }} 6 | labels: 7 | {{- include "auth.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- end -}} 13 | -------------------------------------------------------------------------------- /k8s/helm/auth/values.yaml: -------------------------------------------------------------------------------- 1 | ######################################## 2 | ### CENM configuration options ### 3 | ######################################## 4 | 5 | # Display more messages while executing Kubernetes deployment 6 | bashDebug: false 7 | 8 | # Docker images to use by the Auth Service Helm chart 9 | authImage: 10 | repository: corda/enterprise-auth 11 | tag: 1.6-zulu-openjdk8u392 12 | pullPolicy: Always 13 | 14 | # Configuration for database 15 | database: 16 | driverClassName: "org.h2.Driver" 17 | jdbcDriver: "" 18 | url: "jdbc:h2:file:./h2/auth-persistence;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=10000;WRITE_DELAY=0;AUTO_SERVER_PORT=0" 19 | user: "testuser" 20 | password: "password" 21 | runMigration: true 22 | 23 | # Volume size for etc/ directory 24 | volumeSizeAuthEtc: 1Gi 25 | 26 | # Volume size for h2/ directory 27 | volumeSizeAuthH2: 5Gi 28 | 29 | # Volume size for logs/ directory 30 | volumeSizeAuthLogs: 5Gi 31 | 32 | # Sleep time (in seconds) after an error occured 33 | sleepTimeAfterError: 300 34 | 35 | # Enable container displaying live logs 36 | logsContainersEnabled: true 37 | 38 | ######################################## 39 | ### Kubernetes related settings ### 40 | ######################################## 41 | 42 
# Name of Kubernetes secret storing credentials to Docker registry
# (no template in this chart creates it; it must already exist in the target namespace)
imagePullSecrets:
  - name: cenm-registry

nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name:

# Pod-level security context (rendered via .Values.podSecurityContext in deployment.yaml):
# every container in the auth pod runs as UID/GID 1000, and fsGroup applies to the mounted volumes.
podSecurityContext:
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000

# Container-level security context, rendered into every container of the deployment
# (init-waitforpki, init-jwt, main and the logs sidecar). Empty by default, so no capability
# dropping, read-only root filesystem or runAsNonRoot enforcement is applied; the commented
# block below shows the usual hardening. NOTE(review): the service writes under /opt/cenm/etc,
# h2 and logs, which are all mounted volumes, but confirm the image tolerates
# readOnlyRootFilesystem before enabling it.
securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

# service.port is also the port the server block of files/authservice.conf listens on and
# the port the liveness/readiness TCP probes check.
service:
  type: ClusterIP
  port: 8081

resources:
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
80 | limits: 81 | # cpu: 100m 82 | memory: 2Gi 83 | requests: 84 | # cpu: 100m 85 | memory: 2Gi 86 | 87 | nodeSelector: {} 88 | 89 | tolerations: [] 90 | 91 | affinity: {} 92 | 93 | ## Liveness and readiness probe values 94 | ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 95 | ## 96 | livenessProbe: 97 | enabled: false 98 | failureThreshold: 3 99 | initialDelaySeconds: 10 100 | periodSeconds: 10 101 | successThreshold: 1 102 | timeoutSeconds: 1 103 | readinessProbe: 104 | enabled: false 105 | failureThreshold: 3 106 | initialDelaySeconds: 10 107 | periodSeconds: 10 108 | successThreshold: 1 109 | timeoutSeconds: 1 110 | 111 | storageClass: cenm 112 | -------------------------------------------------------------------------------- /k8s/helm/bootstrap.cenm.connections: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -ef -o pipefail 4 | 5 | print_help () { 6 | cat << EOF 7 | Usage: ${0##*/} ... 
8 | -h display help and exit 9 | -p|--prefix [prefix] specify release prefix for all Helm charts 10 | EOF 11 | } 12 | 13 | while [ $# -gt 0 ] 14 | do 15 | case $1 in 16 | -h|-\?|--help) 17 | print_help 18 | exit 19 | ;; 20 | -p|--prefix) 21 | PrefixVar="${2}" 22 | shift 23 | shift 24 | ;; 25 | *) 26 | print_help 27 | exit 28 | ;; 29 | esac 30 | done 31 | 32 | releasePrefix=${PrefixVar:-cenm} 33 | 34 | gatewayPublicIP=$(kubectl get svc "${releasePrefix}"-gateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 35 | gatewayPort=$(kubectl get svc "${releasePrefix}"-gateway -o=jsonpath="{.spec.ports[0].port}") 36 | idmanServiceName="${releasePrefix}"-idman-ip 37 | 38 | printf "\n\nCENM endpoint to connect using CENM CLI tool: " 39 | printf "%s:%s\n" "${gatewayPublicIP}" "${gatewayPort}" 40 | 41 | idmanPort=$(kubectl get svc "${releasePrefix}"-idman-ip -o=jsonpath="{.spec.ports[0].port}") 42 | nmapPort=$(kubectl get svc "${releasePrefix}"-nmap -o=jsonpath="{.spec.ports[0].port}") 43 | 44 | idmanPublicIP=$(kubectl get svc "${idmanServiceName}" -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 45 | nmapPublicIP=$(kubectl get svc "${releasePrefix}"-nmap -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 46 | 47 | printf "\nPlease use this snippet in your node.conf to register Corda nodes:\n" 48 | printf "\nnetworkServices {\n" 49 | printf "\tdoormanURL=\"http://%s:%s\"\n" "${idmanPublicIP}" "${idmanPort}" 50 | printf "\tnetworkMapURL=\"http://%s:%s\"\n}\n\n" "${nmapPublicIP}" "${nmapPort}" 51 | -------------------------------------------------------------------------------- /k8s/helm/gateway/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /k8s/helm/gateway/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: gateway 3 | description: A Helm chart for CENM Gateway Service 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | version: 2.0.6 18 | 19 | # This is the version number of the application being deployed. This version number should be 20 | # incremented each time you make changes to the application. 
appVersion: '1.6'

--------------------------------------------------------------------------------
/k8s/helm/gateway/files/gateway.conf:
--------------------------------------------------------------------------------
# Rendered through `tpl` by templates/configmap.yaml, so the {{ }} expressions
# below are Helm values; everything else is shipped verbatim.
auth {
    serverUrl = "https://{{ .Values.prefix }}-auth:{{ .Values.authPort }}"
    sslConfig = {
        trustStore = "./DATA/trust-stores/corda-ssl-trust-store.jks"
        # Trust-store password checked into the chart in clear text.
        trustStorePassword = "trust-store-password"
    }
    # OAuth client credentials for the gateway, also fixed in clear text here;
    # every install rendered from this chart shares them until they are changed.
    clientCredentials = {
        clientId = "gateway1"
        clientSecret = "secret1"
    }
}

cenm {
    zoneHost: "{{ .Values.prefix }}-zone"
    zonePort: {{ .Values.zonePort }}
    ssl = {
        keyStore = {
            # NOTE(review): the key store file is named for the identity manager;
            # confirm this is the intended identity for the gateway.
            location = ./DATA/key-stores/corda-ssl-identity-manager-keys.jks
            password = password
        }
        trustStore = {
            location = ./DATA/trust-stores/corda-ssl-trust-store.jks
            password = trust-store-password
        }
    }
}

server {
    port = {{ .Values.service.port }}
}
--------------------------------------------------------------------------------
/k8s/helm/gateway/files/groups/ca-signers.json:
--------------------------------------------------------------------------------
{
  "admin": "false",
  "autoEnroll": "false",
  "description": "Can perform CA related operations",
  "name": "ca-signers",
  "users": [ "ca-signer" ]
}
--------------------------------------------------------------------------------
/k8s/helm/gateway/files/groups/configuration-maintainers.json:
--------------------------------------------------------------------------------
{
  "admin": "false",
  "autoEnroll": "false",
  "description": "Can read and update service configurations",
  "name": "configuration-maintainers",
  "users": [ "config-maintainer" ]
}
--------------------------------------------------------------------------------
/k8s/helm/gateway/files/groups/configuration-readers.json:
-------------------------------------------------------------------------------- 1 | { 2 | "admin": "false", 3 | "autoEnroll": "false", 4 | "description": "Can read configurations", 5 | "name": "configuration-readers", 6 | "users": [ "config-reader" ] 7 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/groups/editors.json: -------------------------------------------------------------------------------- 1 | { 2 | "admin": "false", 3 | "autoEnroll": "true", 4 | "description": "Edit access: members receive every Write or Modify permission through the EditAndModify role, plus the read-only permissions", 5 | "name": "editors", 6 | "users": [ "jenny-editor" ] 7 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/groups/flagDayExecutors.json: -------------------------------------------------------------------------------- 1 | { 2 | "admin": "false", 3 | "autoEnroll": "true", 4 | "description": "Flag day execution rights, everything else read only, locked down", 5 | "name": "flagDayExecutors", 6 | "users": [ "james-flagday" ] 7 | } 8 | -------------------------------------------------------------------------------- /k8s/helm/gateway/files/groups/network-maintainers.json: -------------------------------------------------------------------------------- 1 | { 2 | "admin": "false", 3 | "autoEnroll": "false", 4 | "description": "Can do Network Related operations (Read and Write) including Flag Day", 5 | "name": "network-maintainers", 6 | "users": [ "network-maintainer" ] 7 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/groups/network-operation-readers.json: -------------------------------------------------------------------------------- 1 | { 2 | "admin": "false", 3 | "autoEnroll": "false", 4 | "description": "Can read Network Related data", 5 | "name": "network-operation-readers", 6 | "users": [ "business-reader" ] 7 | } 
-------------------------------------------------------------------------------- /k8s/helm/gateway/files/groups/network-operators.json: -------------------------------------------------------------------------------- 1 | { 2 | "admin": "false", 3 | "autoEnroll": "false", 4 | "description": "Can do Network Related operations (Read and Write) excluding Flag Day", 5 | "name": "network-operators", 6 | "users": [ "network-operator" ] 7 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/groups/nonca-signers.json: -------------------------------------------------------------------------------- 1 | { 2 | "admin": "false", 3 | "autoEnroll": "false", 4 | "description": "Can do non-CA signing related operations", 5 | "name": "nonca-signers", 6 | "users": [ "nonca-signer" ] 7 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/groups/readers-soft.json: -------------------------------------------------------------------------------- 1 | { 2 | "admin": "false", 3 | "autoEnroll": "true", 4 | "description": "Read only access, NOT locked down (members can gain modification rights via other groups)", 5 | "name": "readers-soft", 6 | "users": [ "jenny-editor", "james-flagday" ] 7 | } 8 | -------------------------------------------------------------------------------- /k8s/helm/gateway/files/groups/readers.json: -------------------------------------------------------------------------------- 1 | { 2 | "admin": "false", 3 | "autoEnroll": "true", 4 | "description": "Read only access, locked down (members are guaranteed not to have modification rights)", 5 | "name": "readers", 6 | "users": [ "johnny-reader" ] 7 | } 8 | -------------------------------------------------------------------------------- /k8s/helm/gateway/files/groups/signers.json: -------------------------------------------------------------------------------- 1 | { 2 | "admin": "false", 3 | "autoEnroll": "true", 
4 | "description": "Sign everything", 5 | "name": "signers", 6 | "users": [ "malcolm-signer" ] 7 | } 8 | -------------------------------------------------------------------------------- /k8s/helm/gateway/files/roles/CASigner.json: -------------------------------------------------------------------------------- 1 | { 2 | "groups": [ 3 | { "entityName": "ca-signers", "objectName": "global" } 4 | ] 5 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/roles/ConfigurationMaintainer.json: -------------------------------------------------------------------------------- 1 | { 2 | "groups": [ 3 | { "entityName": "configuration-maintainers", "objectName": "global" } 4 | ] 5 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/roles/ConfigurationReader.json: -------------------------------------------------------------------------------- 1 | { 2 | "groups": [ 3 | { "entityName": "configuration-readers", "objectName": "global" } 4 | ] 5 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/roles/EditAndModify.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "EditAndModify", 3 | "description": "Allows every Write or Modify permission", 4 | "groups": [ 5 | { "entityName": "editors", "objectName": "global" }, 6 | { "entityName": "editors", "objectName": "1" } 7 | ], 8 | "permissions": [ 9 | { "effect": "ALLOW", "permissionName": "CENM/Zone/CreateSubzone" }, 10 | { "effect": "ALLOW", "permissionName": "CENM/Zone/UpdateSubzoneLabel" }, 11 | { "effect": "ALLOW", "permissionName": "CENM/Zone/UpdateSignerConfig" }, 12 | { "effect": "ALLOW", "permissionName": "CENM/Zone/UpdateSignerAddress" }, 13 | { "effect": "ALLOW", "permissionName": "CENM/Zone/UpdateImConfig" }, 14 | { "effect": "ALLOW", "permissionName": "CENM/Zone/UpdateImAddress" }, 15 | { "effect": "ALLOW", 
"permissionName": "CENM/Zone/UpdateNmConfig" }, 16 | { "effect": "ALLOW", "permissionName": "CENM/Zone/UpdateNmAddress" }, 17 | { "effect": "ALLOW", "permissionName": "CENM/Zone/UpdateNetworkParameters" } 18 | ], 19 | "users": [] 20 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/roles/FlagDayExecute.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "FlagDayExecute", 3 | "description": "Allows executing flag days, plus allows every Read-only permission", 4 | "groups": [ 5 | { "entityName": "flagDayExecutors", "objectName": "global" }, 6 | { "entityName": "flagDayExecutors", "objectName": "1" } 7 | ], 8 | "permissions": [ 9 | { "effect": "ALLOW", "permissionName": "CENM/NetworkMap/ExecuteNetworkParametersUpdate" }, 10 | { "effect": "ALLOW", "permissionName": "CENM/NetworkMap/AdvertiseNetworkParametersUpdate" }, 11 | { "effect": "DENY", "permissionName": "CENM/Zone/CreateSubzone" }, 12 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateSubzoneLabel" }, 13 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateSignerConfig" }, 14 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateSignerAddress" }, 15 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateImConfig" }, 16 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateImAddress" }, 17 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateNmConfig" }, 18 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateNmAddress" }, 19 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateNetworkParameters" } 20 | ], 21 | "users": [] 22 | } 23 | -------------------------------------------------------------------------------- /k8s/helm/gateway/files/roles/NetworkMaintainer.json: -------------------------------------------------------------------------------- 1 | { 2 | "groups": [ 3 | { "entityName": "network-maintainers", "objectName": "global" } 4 | ] 5 | } 
-------------------------------------------------------------------------------- /k8s/helm/gateway/files/roles/NetworkOperationsReader.json: -------------------------------------------------------------------------------- 1 | { 2 | "groups": [ 3 | { "entityName": "network-operation-readers", "objectName": "global" } 4 | ] 5 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/roles/NetworkOperator.json: -------------------------------------------------------------------------------- 1 | { 2 | "groups": [ 3 | { "entityName": "network-operators", "objectName": "global" } 4 | ] 5 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/roles/NonCASigner.json: -------------------------------------------------------------------------------- 1 | { 2 | "groups": [ 3 | { "entityName": "nonca-signers", "objectName": "global" } 4 | ] 5 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/roles/RadOnlyLockdown.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "RadOnlyLockdown", 3 | "description": "Locks out all non-read permissions via Deny", 4 | "groups": [ 5 | { "entityName": "readers", "objectName": "global" }, 6 | { "entityName": "readers", "objectName": "1" } 7 | ], 8 | "permissions": [ 9 | { "effect": "DENY", "permissionName": "CENM/NetworkMap/ExecuteNetworkParametersUpdate" }, 10 | { "effect": "DENY", "permissionName": "CENM/NetworkMap/AdvertiseNetworkParametersUpdate" }, 11 | { "effect": "DENY", "permissionName": "CENM/Zone/CreateSubzone" }, 12 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateSubzoneLabel" }, 13 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateSignerConfig" }, 14 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateSignerAddress" }, 15 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateImConfig" }, 16 | { 
"effect": "DENY", "permissionName": "CENM/Zone/UpdateImAddress" }, 17 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateNmConfig" }, 18 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateNmAddress" }, 19 | { "effect": "DENY", "permissionName": "CENM/Zone/UpdateNetworkParameters" } 20 | ], 21 | "users": [] 22 | } 23 | -------------------------------------------------------------------------------- /k8s/helm/gateway/files/roles/ReadOnly.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "ReadOnly", 3 | "description": "Allows every Read-only permission", 4 | "groups": [ 5 | { "entityName": "readers", "objectName": "global" }, 6 | { "entityName": "readers-soft", "objectName": "global" }, 7 | { "entityName": "editors", "objectName": "global" } , 8 | { "entityName": "flagDayExecutors", "objectName": "global" }, 9 | { "entityName": "readers", "objectName": "1" }, 10 | { "entityName": "readers-soft", "objectName": "1" }, 11 | { "entityName": "editors", "objectName": "1" } , 12 | { "entityName": "flagDayExecutors", "objectName": "1" } 13 | ], 14 | "permissions": [ 15 | { "effect": "ALLOW", "permissionName": "CENM/Zone/GetAllSubzones" }, 16 | { "effect": "ALLOW", "permissionName": "CENM/Zone/GetSubzoneLabel" }, 17 | { "effect": "ALLOW", "permissionName": "CENM/Zone/GetImConfig" }, 18 | { "effect": "ALLOW", "permissionName": "CENM/Zone/GetNmConfig" }, 19 | { "effect": "ALLOW", "permissionName": "CENM/Zone/GetNetworkParameters" }, 20 | { "effect": "ALLOW", "permissionName": "CENM/Zone/GetServicesAddresses" } 21 | ], 22 | "users": [] 23 | } 24 | -------------------------------------------------------------------------------- /k8s/helm/gateway/files/roles/Signer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Signer", 3 | "description": "Allows signing everything", 4 | "groups": [ 5 | { "entityName": "signers", "objectName": "global" }, 6 | { "entityName": 
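"signers", "objectName": "1" }
  ],
  "permissions": [
    { "effect": "ALLOW", "permissionName": "CENM/Zone/GetServicesAddresses" },
    { "effect": "ALLOW", "permissionName": "CENM/Signer/GetAllSigners" },
    { "effect": "ALLOW", "permissionName": "CENM/Signer/GetCsrs" },
    { "effect": "ALLOW", "permissionName": "CENM/Signer/GetCrrs" },
    { "effect": "ALLOW", "permissionName": "CENM/Signer/GetCrl" },
    { "effect": "ALLOW", "permissionName": "CENM/Signer/GetUnsignedNetworkMap" },
    { "effect": "ALLOW", "permissionName": "CENM/Signer/GetUnsignedNetworkParams" },
    { "effect": "ALLOW", "permissionName": "CENM/Signer/GetZoneMaterials" },
    { "effect": "ALLOW", "permissionName": "CENM/Signer/GetSubZoneMaterials" },
    { "effect": "ALLOW", "permissionName": "CENM/Signer/SignCsrs" },
    { "effect": "ALLOW", "permissionName": "CENM/Signer/SignCrl" },
    { "effect": "ALLOW", "permissionName": "CENM/Signer/SignNetworkMap" },
    { "effect": "ALLOW", "permissionName": "CENM/Signer/SignNetworkParameters" }
  ],
  "users": []
}

--------------------------------------------------------------------------------
/k8s/helm/gateway/files/run.sh:
--------------------------------------------------------------------------------
#!/bin/sh
{{ if eq .Values.bashDebug true }}
set -x
{{ end }}

#
# main run: start the gateway jar from the container working directory; on a
# non-zero exit keep the container alive for .Values.sleepTimeAfterError seconds
# so the pod can be inspected before Kubernetes restarts it.
#
if [ -f bin/gateway.jar ]
then
{{ if eq .Values.bashDebug true }}
    sha256sum bin/gateway.jar
    while [ ! -f etc/gateway.conf ];
    do
        echo "Waiting for file etc/gateway.conf";
        # list the directory we are actually waiting on (was a typo: "ets")
        ls etc;
        sleep 5;
    done
    # debug only: this writes the rendered config, including its credential
    # fields, to the pod log
    cat etc/gateway.conf
{{ end }}
    echo
    echo "CENM: starting CENM Gateway service ..."
    echo
    java -jar bin/gateway.jar --config-file etc/gateway.conf
    EXIT_CODE=${?}
else
    echo "Missing gateway service jar file."
    EXIT_CODE=110
fi

if [ "${EXIT_CODE}" -ne "0" ]
then
    HOW_LONG={{ .Values.sleepTimeAfterError }}
    echo
    echo "Gateway service failed - exit code: ${EXIT_CODE} (error)"
    echo
    echo "Going to sleep for requested ${HOW_LONG} seconds to let you login and investigate."
    echo
    # sleep only on the failure path: HOW_LONG is unset after a clean exit, and
    # a bare 'sleep' fails with "missing operand"
    sleep "${HOW_LONG}"
fi
echo
--------------------------------------------------------------------------------
/k8s/helm/gateway/files/setupAuth.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Bootstrap the CENM Auth service through the gateway REST API: create the
# users in u/, the groups in g/, then bind the static roles in r/ to their
# groups with a merge-patch.
#
# Usage: setupAuth.sh <gateway-host> <gateway-port>
#        (run from the directory holding u/, g/ and r/ -- see templates/job.yaml)
#
# The admin credentials default to the demo values this chart ships with, so an
# unmodified install keeps working; set CENM_ADMIN_USER / CENM_ADMIN_PASSWORD
# from a Secret to override them. The API is plain http, so the password and
# the bearer token cross the cluster network unencrypted.

GATEWAY_HOST="${1:?usage: setupAuth.sh <gateway-host> <gateway-port>}"
GATEWAY_PORT="${2:?usage: setupAuth.sh <gateway-host> <gateway-port>}"
BASE_URL="http://${GATEWAY_HOST}:${GATEWAY_PORT}/api/v1"
ADMIN_USER="${CENM_ADMIN_USER:-admin}"
ADMIN_PASSWORD="${CENM_ADMIN_PASSWORD:-p4ssWord}"

# post_json <api path> <file>: create one entity and print the HTTP status, so a
# rejected definition shows up in the job log instead of being silently skipped.
post_json() {
    curl -sS -X POST \
        -H "Authorization: Bearer ${ACCESS_TOKEN}" \
        -H "Content-Type: application/json" \
        --data-binary "@${2}" \
        -w '\nHTTP %{http_code}\n' \
        "${BASE_URL}/${1}"
}

# log in and cache access token; keep retrying until the auth service answers
ACCESS_TOKEN=""
while [ -z "${ACCESS_TOKEN}" ]
do
    TOKEN_RESPONSE="$(curl -sS -X POST \
        --data-urlencode "grant_type=password" \
        --data-urlencode "username=${ADMIN_USER}" \
        --data-urlencode "password=${ADMIN_PASSWORD}" \
        "${BASE_URL}/authentication/authenticate")"
    # '// empty' maps a missing field to "", so an error body without
    # access_token keeps us in the loop instead of caching the string "null"
    ACCESS_TOKEN="$(printf '%s' "${TOKEN_RESPONSE}" | jq -r '.access_token // empty' 2>/dev/null)"
    [ -n "${ACCESS_TOKEN}" ] || sleep 5
done

pwd
ls -alR

echo
echo "========================= Creating users ========================="
for i in u/*.json
do
    echo
    echo ">>>>>>>> User: ${i}"
    # user files carry initial passwords; log the definition without that field
    jq 'del(.password)' "${i}"; echo
    post_json admin/users "${i}"
    echo
done

echo
echo "========================= Creating groups ========================="
for i in g/*.json
do
    echo
    echo ">>>>>>>> Group: ${i}"
    cat "${i}"; echo
    post_json admin/groups "${i}"
    echo
done

echo
echo "========================= Assigning roles to groups ========================="
for role in "CASigner" "ConfigurationMaintainer" "ConfigurationReader" "NetworkMaintainer" "NetworkOperator" "NetworkOperationsReader" "NonCASigner"; do
    file="./r/${role}.json"
    echo
    echo ">>>>>>>> Role: ${file}"
    cat "${file}"; echo
    curl -sS -X PATCH \
        -H "Authorization: Bearer ${ACCESS_TOKEN}" \
        -H "Content-Type: application/merge-patch+json" \
        --data-binary "@${file}" \
        -w '\nHTTP %{http_code}\n' \
        "${BASE_URL}/admin/roles/${role}"
    echo
done
--------------------------------------------------------------------------------
/k8s/helm/gateway/files/users/business-reader.json:
--------------------------------------------------------------------------------
{
  "name": "business-reader",
  "email": "business-reader@megacorp.com",
  "password": "p4ssWord",
  "enabled": "true",
  "groups": [ ],
  "admin": "false"
}
--------------------------------------------------------------------------------
/k8s/helm/gateway/files/users/ca-signer.json:
--------------------------------------------------------------------------------
{
  "name": "ca-signer",
  "email": "ca-signer@megacorp.com",
  "password": "p4ssWord",
  "enabled": "true",
  "groups": [ ],
  "admin": "false"
}
--------------------------------------------------------------------------------
/k8s/helm/gateway/files/users/config-maintainer.json:
--------------------------------------------------------------------------------
{
  "name": "config-maintainer",
  "email": "config-maintainer@megacorp.com",
  "password": "p4ssWord",
  "enabled": "true",
  "groups": [ ],
  "admin": "false"
}
--------------------------------------------------------------------------------
/k8s/helm/gateway/files/users/config-reader.json:
--------------------------------------------------------------------------------
{
  "name": "config-reader",
  "email": "config-reader@megacorp.com",
  "password": "p4ssWord",
  "enabled": "true",
  "groups": [ ],
  "admin": "false"
}
--------------------------------------------------------------------------------
/k8s/helm/gateway/files/users/james-flagday.json: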
-------------------------------------------------------------------------------- 1 | { 2 | "name": "james-flagday", 3 | "email": "james.flagday@megacorp.com", 4 | "password": "password", 5 | "enabled": "true", 6 | "groups": [ ], 7 | "admin": "false" 8 | } 9 | -------------------------------------------------------------------------------- /k8s/helm/gateway/files/users/jenny-editor.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "jenny-editor", 3 | "email": "jenny.editor@megacorp.com", 4 | "password": "password", 5 | "enabled": "true", 6 | "groups": [ ], 7 | "admin": "false" 8 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/users/johnny-reader.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "johnny-reader", 3 | "email": "johnny.reader@megacorp.com", 4 | "password": "password", 5 | "enabled": "true", 6 | "groups": [ ], 7 | "admin": "false" 8 | } 9 | -------------------------------------------------------------------------------- /k8s/helm/gateway/files/users/malcolm-signer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "malcolm-signer", 3 | "email": "malcolm.signer@megacorp.com", 4 | "password": "password", 5 | "enabled": "true", 6 | "groups": [ ], 7 | "admin": "false" 8 | } 9 | -------------------------------------------------------------------------------- /k8s/helm/gateway/files/users/network-maintainer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "network-maintainer", 3 | "email": "network-maintainer@megacorp.com", 4 | "password": "p4ssWord", 5 | "enabled": "true", 6 | "groups": [ ], 7 | "admin": "false" 8 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/users/network-operator.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "network-operator", 3 | "email": "network-operator@megacorp.com", 4 | "password": "p4ssWord", 5 | "enabled": "true", 6 | "groups": [ ], 7 | "admin": "false" 8 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/files/users/nonca-signer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "nonca-signer", 3 | "email": "nonca-signer@megacorp.com", 4 | "password": "p4ssWord", 5 | "enabled": "true", 6 | "groups": [ ], 7 | "admin": "false" 8 | } -------------------------------------------------------------------------------- /k8s/helm/gateway/templates/NOTES.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/corda/cenm-deployment/4cbbf81ce962a8d8bb6672ca76e1e2dfe7619f72/k8s/helm/gateway/templates/NOTES.txt -------------------------------------------------------------------------------- /k8s/helm/gateway/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "gateway.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 
13 | */}} 14 | {{- define "gateway.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "gateway.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "gateway.labels" -}} 38 | helm.sh/chart: {{ include "gateway.chart" . }} 39 | {{ include "gateway.selectorLabels" . }} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end -}} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "gateway.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "gateway.name" . }} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end -}} 53 | 54 | {{/* 55 | Create the name of the service account to use 56 | */}} 57 | {{- define "gateway.serviceAccountName" -}} 58 | {{- if .Values.serviceAccount.create -}} 59 | {{ default (include "gateway.fullname" .) 
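.Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}

--------------------------------------------------------------------------------
/k8s/helm/gateway/templates/configmap.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Values.prefix }}-gateway-conf
  labels:
{{ include "gateway.labels" . | indent 4 }}
data:
  run.sh: |+
{{ tpl (.Files.Get "files/run.sh") . | indent 4 }}

  gateway.conf: |+
{{ tpl (.Files.Get "files/gateway.conf") . | indent 4 }}

  setupAuth.sh: |+
{{ .Files.Get "files/setupAuth.sh" | indent 4 }}

  # The user definitions below carry initial passwords; a ConfigMap is readable
  # by anyone who can get objects in the namespace, unlike a Secret.
  {{- tpl ((.Files.Glob "files/users/*.json").AsConfig) . | nindent 2 }}
  {{- tpl ((.Files.Glob "files/roles/*.json").AsConfig) . | nindent 2 }}
  {{- tpl ((.Files.Glob "files/groups/*.json").AsConfig) . | nindent 2 }}

--------------------------------------------------------------------------------
/k8s/helm/gateway/templates/deployment.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "gateway.fullname" . }}
  labels:
    {{- include "gateway.labels" . | nindent 4 }}
  annotations:
    helm.sh/hook-weight: "0"
spec:
  replicas: 1
  selector:
    matchLabels:
      {{- include "gateway.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "gateway.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      initContainers:
        # Blocks the main container until the auth service accepts TCP connections.
        - name: init-check-auth
          env:
            - name: ACCEPT_LICENSE
              value: "{{required "You must accept the license agreement to use this software." .Values.acceptLicense }}"
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.gatewayImage.repository }}:{{ .Values.gatewayImage.tag }}"
          imagePullPolicy: {{ .Values.gatewayImage.pullPolicy }}
          command: ["/bin/bash", "-c"]
          args:
            - |-
              echo Probing {{ .Values.prefix }}-auth port {{ .Values.authPort }}
              # nc returns immediately on "connection refused", so pause between
              # attempts instead of spinning and flooding the log until auth is up
              until nc -w 5 -vz {{ .Values.prefix }}-auth {{ .Values.authPort }} > /dev/null 2>&1
              do
                echo "Connect to {{ .Values.prefix }}-auth port {{ .Values.authPort }} (tcp) failed: Connection refused"
                sleep 5
              done
              echo "Connection {{ .Values.prefix }}-auth port {{ .Values.authPort }} successful"
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      containers:
        - name: main
          env:
            # NOTE(review): fixed value, while gateway.conf reads .Values.zonePort;
            # confirm which of the two the gateway consumes before changing either
            - name: "CENM_ZONE_PORT"
              value: "12345"
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.gatewayImage.repository }}:{{ .Values.gatewayImage.tag }}"
          imagePullPolicy: {{ .Values.gatewayImage.pullPolicy }}
          command: ["/bin/sh", "-c"]
          args:
            - |-
              pwd
              ls -alR
              ./bin/run.sh
          volumeMounts:
            # single files from the ConfigMap are projected over the PVC-backed etc/ and bin/
            - name: gateway-conf
              mountPath: /opt/cenm/etc/gateway.conf
              subPath: gateway.conf
            - name: gateway-conf
              mountPath: /opt/cenm/bin/run.sh
              subPath: run.sh
            - name: pki-certs-keys
              mountPath: /opt/cenm/DATA
            - name: gateway-etc
              mountPath: /opt/cenm/etc
            - name: gateway-logs
              mountPath: /opt/cenm/logs
          {{- if .Values.livenessProbe.enabled }}
          livenessProbe:
            tcpSocket:
              port: {{ .Values.service.port }}
            initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
            timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
            successThreshold: {{ .Values.livenessProbe.successThreshold }}
            failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
          {{- end }}
          {{- if .Values.readinessProbe.enabled }}
          readinessProbe:
            tcpSocket:
              port: {{ .Values.service.port }}
            initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
            periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
            timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
            successThreshold: {{ .Values.readinessProbe.successThreshold }}
            failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
          {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
        {{- if .Values.logsContainersEnabled }}
        # Optional sidecar that tails the gateway logs from the shared logs volume.
        - name: logs-gateway
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ required "gateway[logs]: missing value for .Values.gatewayImage.repository" .Values.gatewayImage.repository }}:{{ required "gateway[logs]: missing value for .Values.gatewayImage.tag" .Values.gatewayImage.tag }}"
          imagePullPolicy: {{ .Values.gatewayImage.pullPolicy }}
          command: ["/bin/bash", "-c"]
          args:
            - |-
              cd /opt/cenm/
              while true; do tail -f logs/gateway-service/*.log 2>/dev/null; sleep 5; done
              # in case sth went wrong just wait indefinitely ...
              tail -f /dev/null
          volumeMounts:
            - name: gateway-logs
              mountPath: /opt/cenm/logs
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
        {{- end }}
      volumes:
        - name: pki-certs-keys
          persistentVolumeClaim:
            claimName: {{ .Values.prefix }}-pki-certs-keys
        - name: gateway-conf
          configMap:
            name: {{ .Values.prefix }}-gateway-conf
            # run.sh needs the execute bit; read+execute is enough, the write bits
            # granted by the previous 0777 served no purpose on a ConfigMap projection
            defaultMode: 0555
        - name: gateway-etc
          persistentVolumeClaim:
            claimName: {{ .Values.prefix }}-gateway-etc
        - name: gateway-logs
          persistentVolumeClaim:
            claimName: {{ .Values.prefix }}-gateway-logs
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}

--------------------------------------------------------------------------------
/k8s/helm/gateway/templates/job.yaml:
--------------------------------------------------------------------------------
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "gateway.fullname" . }}-job
  labels:
    {{- include "gateway.labels" . | nindent 4 }}
  annotations:
    helm.sh/hook-weight: "5"
spec:
  backoffLimit: {{ .Values.backoffLimit }}
  template:
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml .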
| nindent 8 }} 16 | {{- end }} 17 | initContainers: 18 | - name: {{ .Chart.Name }}-check-gateway 19 | securityContext: 20 | {{- toYaml .Values.securityContext | nindent 12 }} 21 | image: "{{ .Values.gatewayImage.repository }}:{{ .Values.gatewayImage.tag }}" 22 | imagePullPolicy: {{ .Values.gatewayImage.pullPolicy }} 23 | command: ["/bin/bash", "-c"] 24 | args: 25 | - |- 26 | echo Probing {{ .Values.prefix }}-gateway port {{ .Values.gatewayPort }} 27 | until nc -w 5 -vz {{ .Values.prefix }}-gateway {{ .Values.gatewayPort }} > /dev/null 2>&1 28 | do 29 | echo "Connect to {{ .Values.prefix }}-gateway port {{ .Values.gatewayPort }} (tcp) failed: Connection refused" 30 | done 31 | echo "Connection {{ .Values.prefix }}-gateway port {{ .Values.gatewayPort }} successful" 32 | resources: 33 | {{- toYaml .Values.resources | nindent 12 }} 34 | - name: {{ .Chart.Name }}-check-auth 35 | securityContext: 36 | {{- toYaml .Values.securityContext | nindent 12 }} 37 | image: "{{ .Values.gatewayImage.repository }}:{{ .Values.gatewayImage.tag }}" 38 | imagePullPolicy: {{ .Values.gatewayImage.pullPolicy }} 39 | command: ["/bin/bash", "-c"] 40 | args: 41 | - |- 42 | echo Probing {{ .Values.prefix }}-auth port {{ .Values.authPort }} 43 | until nc -w 5 -vz {{ .Values.prefix }}-auth {{ .Values.authPort }} > /dev/null 2>&1 44 | do 45 | echo "Connect to {{ .Values.prefix }}-auth port {{ .Values.authPort }} (tcp) failed: Connection refused" 46 | done 47 | echo "Connection {{ .Values.prefix }}-auth port {{ .Values.authPort }} successful" 48 | resources: 49 | {{- toYaml .Values.resources | nindent 12 }} 50 | containers: 51 | - name: main 52 | securityContext: 53 | {{- toYaml .Values.securityContext | nindent 12 }} 54 | image: "{{ .Values.gatewayImage.repository }}:{{ .Values.gatewayImage.tag }}" 55 | imagePullPolicy: {{ .Values.gatewayImage.pullPolicy }} 56 | command: ["/bin/bash", "-c"] 57 | args: 58 | - |- 59 | pwd 60 | cd /opt/cenm/CM-FILES/ 61 | ls -alR 62 | ./setupAuth.sh {{ .Values.prefix 
}}-gateway {{ .Values.gatewayPort }} 63 | resources: 64 | {{- toYaml .Values.resources | nindent 12 }} 65 | volumeMounts: 66 | - name: pki-certs-keys 67 | mountPath: /opt/cenm/DATA 68 | - name: gateway-conf 69 | mountPath: /opt/cenm/CM-FILES/setupAuth.sh 70 | subPath: setupAuth.sh 71 | - name: gateway-conf 72 | mountPath: /opt/cenm/CM-FILES/g/ca-signers.json 73 | subPath: ca-signers.json 74 | - name: gateway-conf 75 | mountPath: /opt/cenm/CM-FILES/g/configuration-maintainers.json 76 | subPath: configuration-maintainers.json 77 | - name: gateway-conf 78 | mountPath: /opt/cenm/CM-FILES/g/configuration-readers.json 79 | subPath: configuration-readers.json 80 | - name: gateway-conf 81 | mountPath: /opt/cenm/CM-FILES/g/network-maintainers.json 82 | subPath: network-maintainers.json 83 | - name: gateway-conf 84 | mountPath: /opt/cenm/CM-FILES/g/network-operation-readers.json 85 | subPath: network-operation-readers.json 86 | - name: gateway-conf 87 | mountPath: /opt/cenm/CM-FILES/g/network-operators.json 88 | subPath: network-operators.json 89 | - name: gateway-conf 90 | mountPath: /opt/cenm/CM-FILES/g/nonca-signers.json 91 | subPath: nonca-signers.json 92 | - name: gateway-conf 93 | mountPath: /opt/cenm/CM-FILES/r/CASigner.json 94 | subPath: CASigner.json 95 | - name: gateway-conf 96 | mountPath: /opt/cenm/CM-FILES/r/ConfigurationMaintainer.json 97 | subPath: ConfigurationMaintainer.json 98 | - name: gateway-conf 99 | mountPath: /opt/cenm/CM-FILES/r/ConfigurationReader.json 100 | subPath: ConfigurationReader.json 101 | - name: gateway-conf 102 | mountPath: /opt/cenm/CM-FILES/r/NetworkMaintainer.json 103 | subPath: NetworkMaintainer.json 104 | - name: gateway-conf 105 | mountPath: /opt/cenm/CM-FILES/r/NetworkOperationsReader.json 106 | subPath: NetworkOperationsReader.json 107 | - name: gateway-conf 108 | mountPath: /opt/cenm/CM-FILES/r/NetworkOperator.json 109 | subPath: NetworkOperator.json 110 | - name: gateway-conf 111 | mountPath: 
/opt/cenm/CM-FILES/r/NonCASigner.json 112 | subPath: NonCASigner.json 113 | - name: gateway-conf 114 | mountPath: /opt/cenm/CM-FILES/u/business-reader.json 115 | subPath: business-reader.json 116 | - name: gateway-conf 117 | mountPath: /opt/cenm/CM-FILES/u/ca-signer.json 118 | subPath: ca-signer.json 119 | - name: gateway-conf 120 | mountPath: /opt/cenm/CM-FILES/u/config-maintainer.json 121 | subPath: config-maintainer.json 122 | - name: gateway-conf 123 | mountPath: /opt/cenm/CM-FILES/u/config-reader.json 124 | subPath: config-reader.json 125 | - name: gateway-conf 126 | mountPath: /opt/cenm/CM-FILES/u/network-maintainer.json 127 | subPath: network-maintainer.json 128 | - name: gateway-conf 129 | mountPath: /opt/cenm/CM-FILES/u/network-operator.json 130 | subPath: network-operator.json 131 | - name: gateway-conf 132 | mountPath: /opt/cenm/CM-FILES/u/nonca-signer.json 133 | subPath: nonca-signer.json 134 | restartPolicy: OnFailure 135 | volumes: 136 | - name: pki-certs-keys 137 | persistentVolumeClaim: 138 | claimName: {{ .Values.prefix }}-pki-certs-keys 139 | - name: gateway-conf 140 | configMap: 141 | name: {{ .Values.prefix }}-gateway-conf 142 | defaultMode: 0777 143 | {{- with .Values.nodeSelector }} 144 | nodeSelector: 145 | {{- toYaml . | nindent 8 }} 146 | {{- end }} 147 | {{- with .Values.affinity }} 148 | affinity: 149 | {{- toYaml . | nindent 8 }} 150 | {{- end }} 151 | {{- with .Values.tolerations }} 152 | tolerations: 153 | {{- toYaml . 
| nindent 8 }} 154 | {{- end }} 155 | -------------------------------------------------------------------------------- /k8s/helm/gateway/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: {{ .Values.prefix }}-gateway-etc 6 | spec: 7 | accessModes: 8 | - ReadWriteOnce 9 | storageClassName: {{ .Values.storageClass }} 10 | resources: 11 | requests: 12 | storage: {{ .Values.volumeSizeGatewayEtc }} 13 | 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: {{ .Values.prefix }}-gateway-logs 19 | spec: 20 | accessModes: 21 | - ReadWriteOnce 22 | storageClassName: {{ .Values.storageClass }} 23 | resources: 24 | requests: 25 | storage: {{ .Values.volumeSizeGatewayLogs }} 26 | -------------------------------------------------------------------------------- /k8s/helm/gateway/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "gateway.fullname" . }} 5 | labels: 6 | {{- include "gateway.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: {{ .Values.service.port }} 12 | protocol: TCP 13 | selector: 14 | {{- include "gateway.selectorLabels" . | nindent 4 }} 15 | -------------------------------------------------------------------------------- /k8s/helm/gateway/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "gateway.serviceAccountName" . }} 6 | labels: 7 | {{- include "gateway.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | {{- end -}} 13 | -------------------------------------------------------------------------------- /k8s/helm/gateway/values.yaml: -------------------------------------------------------------------------------- 1 | ######################################## 2 | ### CENM configuration options ### 3 | ######################################## 4 | 5 | # Display more messages while executing Kubernetes deployment 6 | bashDebug: false 7 | 8 | # Docker image used by the Gateway Service Helm chart 9 | gatewayImage: 10 | repository: corda/enterprise-gateway 11 | tag: 1.6-zulu-openjdk8u392 12 | pullPolicy: Always 13 | 14 | # Volume size for etc/ directory 15 | volumeSizeGatewayEtc: 1Gi 16 | 17 | # Volume size for logs/ directory 18 | volumeSizeGatewayLogs: 5Gi 19 | 20 | # Sleep time (in seconds) after an error occurred 21 | sleepTimeAfterError: 300 22 | 23 | # Auth Service port 24 | authPort: 8081 25 | 26 | # Gateway Service port 27 | gatewayPort: 8080 28 | 29 | # Zone Service port 30 | zonePort: 12345 31 | 32 | # Enable a container that displays live logs 33 | logsContainersEnabled: true 34 | 35 | ######################################## 36 | ### Kubernetes related settings ### 37 | ######################################## 38 | 39 | nameOverride: "" 40 | fullnameOverride: "" 41 | 42 | serviceAccount: 43 | # Specifies whether a service account should be created 44 | create: true 45 | # Annotations to add to the service account 46 | annotations: {} 47 | # The name of the service account to use. 
48 | # If not set and create is true, a name is generated using the fullname template 49 | name: 50 | 51 | podSecurityContext: 52 | runAsUser: 1000 53 | runAsGroup: 1000 54 | fsGroup: 1000 55 | 56 | securityContext: {} 57 | # capabilities: 58 | # drop: 59 | # - ALL 60 | # readOnlyRootFilesystem: true 61 | # runAsNonRoot: true 62 | # runAsUser: 1000 63 | 64 | service: 65 | type: LoadBalancer 66 | port: 8080 67 | 68 | resources: 69 | # We usually recommend not to specify default resources and to leave this as a conscious 70 | # choice for the user. This also increases chances charts run on environments with little 71 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 72 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 73 | limits: 74 | # cpu: 100m 75 | memory: 2Gi 76 | requests: 77 | # cpu: 100m 78 | memory: 2Gi 79 | 80 | nodeSelector: {} 81 | 82 | tolerations: [] 83 | 84 | affinity: {} 85 | 86 | ## Liveness and readiness probe values 87 | ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 88 | ## 89 | livenessProbe: 90 | enabled: false 91 | failureThreshold: 3 92 | initialDelaySeconds: 10 93 | periodSeconds: 10 94 | successThreshold: 1 95 | timeoutSeconds: 1 96 | readinessProbe: 97 | enabled: false 98 | failureThreshold: 3 99 | initialDelaySeconds: 10 100 | periodSeconds: 10 101 | successThreshold: 1 102 | timeoutSeconds: 1 103 | 104 | 105 | storageClass: cenm 106 | 107 | # Name of Kubernetes secret storing credentials to Docker registry 108 | imagePullSecrets: 109 | - name: cenm-registry 110 | 111 | backoffLimit: 6 112 | -------------------------------------------------------------------------------- /k8s/helm/hsm/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: hsm 3 | description: A Helm chart for CENM HSM 4 | 5 | # A chart can be either an 'application' or a 'library' 
chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | version: 2.0.6 18 | 19 | # This is the version number of the application being deployed. This version number should be 20 | # incremented each time you make changes to the application. 21 | appVersion: '1.6' 22 | -------------------------------------------------------------------------------- /k8s/helm/hsm/files/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | touch /opt/cenm/HSM/HSM-LOAD-DONE 4 | echo -------------------------------------------------------------------------------- /k8s/helm/hsm/templates/NOTES.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/corda/cenm-deployment/4cbbf81ce962a8d8bb6672ca76e1e2dfe7619f72/k8s/helm/hsm/templates/NOTES.txt -------------------------------------------------------------------------------- /k8s/helm/hsm/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "hsm.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 
11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "hsm.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "hsm.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "hsm.labels" -}} 38 | helm.sh/chart: {{ include "hsm.chart" . }} 39 | {{ include "hsm.selectorLabels" . }} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end -}} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "hsm.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "hsm.name" . }} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end -}} 53 | 54 | {{/* 55 | Create the name of the service account to use 56 | */}} 57 | {{- define "hsm.serviceAccountName" -}} 58 | {{- if .Values.serviceAccount.create -}} 59 | {{ default (include "hsm.fullname" .) 
.Values.serviceAccount.name }} 60 | {{- else -}} 61 | {{ default "default" .Values.serviceAccount.name }} 62 | {{- end -}} 63 | {{- end -}} 64 | -------------------------------------------------------------------------------- /k8s/helm/hsm/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: {{ .Values.prefix }}-hsm-conf 7 | labels: 8 | {{ include "hsm.labels" . | nindent 4 }} 9 | data: 10 | run.sh: |+ 11 | {{ tpl (.Files.Get "files/run.sh") . | nindent 4 }} 12 | -------------------------------------------------------------------------------- /k8s/helm/hsm/templates/job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: {{ .Values.prefix }}-hsm 5 | spec: 6 | backoffLimit: {{ .Values.backoffLimit }} 7 | template: 8 | spec: 9 | {{- with .Values.imagePullSecrets }} 10 | imagePullSecrets: 11 | {{- toYaml . 
| nindent 8 }} 12 | {{- end }} 13 | containers: 14 | - name: main 15 | securityContext: 16 | {{- toYaml .Values.securityContext | nindent 12 }} 17 | image: "{{ .Values.hsmImage.repository }}:{{ .Values.hsmImage.tag }}" 18 | imagePullPolicy: {{ .Values.hsmImage.pullPolicy }} 19 | command: ["/bin/sh", "-c"] 20 | args: 21 | - |- 22 | cd /opt/cenm 23 | cp -r {{ .Values.libFolder }}/* /opt/cenm/HSM 24 | mkdir bin 25 | cp CM-FILES/run.sh bin/run.sh 26 | chmod +x bin/run.sh 27 | bin/run.sh 28 | resources: 29 | {{- toYaml .Values.resources | nindent 12 }} 30 | volumeMounts: 31 | - name: hsm-libs 32 | mountPath: /opt/cenm/HSM 33 | - name: hsm-conf 34 | mountPath: /opt/cenm/CM-FILES/run.sh 35 | subPath: run.sh 36 | restartPolicy: OnFailure 37 | volumes: 38 | - name: hsm-conf 39 | configMap: 40 | name: {{ .Values.prefix }}-hsm-conf 41 | - name: hsm-libs 42 | persistentVolumeClaim: 43 | claimName: {{ .Values.prefix }}-hsm-libs 44 | {{- with .Values.nodeSelector }} 45 | nodeSelector: 46 | {{- toYaml . | nindent 8 }} 47 | {{- end }} 48 | {{- with .Values.affinity }} 49 | affinity: 50 | {{- toYaml . | nindent 8 }} 51 | {{- end }} 52 | {{- with .Values.tolerations }} 53 | tolerations: 54 | {{- toYaml . 
| nindent 8 }} 55 | {{- end }} 56 | -------------------------------------------------------------------------------- /k8s/helm/hsm/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: {{ .Values.prefix }}-hsm-libs 6 | spec: 7 | accessModes: 8 | - ReadWriteMany 9 | storageClassName: {{ .Values.storageClassShared }} 10 | resources: 11 | requests: 12 | storage: {{ .Values.volumeSizeHsmLibs }} 13 | -------------------------------------------------------------------------------- /k8s/helm/hsm/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "hsm.serviceAccountName" . }} 6 | labels: 7 | {{- include "hsm.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- end -}} 13 | -------------------------------------------------------------------------------- /k8s/helm/hsm/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for pki. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | bashDebug: false 6 | 7 | imagePullSecrets: 8 | - name: 9 | 10 | nameOverride: "" 11 | fullnameOverride: "" 12 | 13 | serviceAccount: 14 | # Specifies whether a service account should be created 15 | create: true 16 | # Annotations to add to the service account 17 | annotations: {} 18 | # The name of the service account to use. 
19 | # If not set and create is true, a name is generated using the fullname template 20 | name: 21 | 22 | podSecurityContext: {} 23 | # fsGroup: 2000 24 | 25 | securityContext: {} 26 | # capabilities: 27 | # drop: 28 | # - ALL 29 | # readOnlyRootFilesystem: true 30 | # runAsNonRoot: true 31 | # runAsUser: 1000 32 | 33 | resources: {} 34 | # We usually recommend not to specify default resources and to leave this as a conscious 35 | # choice for the user. This also increases chances charts run on environments with little 36 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 37 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 38 | # limits: 39 | # cpu: 100m 40 | # memory: 128Mi 41 | # requests: 42 | # cpu: 100m 43 | # memory: 128Mi 44 | 45 | nodeSelector: {} 46 | 47 | tolerations: [] 48 | 49 | affinity: {} 50 | 51 | storageClassShared: cenm-shared 52 | 53 | volumeSizeHsmLibs: 5Gi 54 | 55 | # the folder containing the hsm library files 56 | libFolder: /tmp 57 | 58 | hsmImage: 59 | repository: alpine 60 | tag: latest 61 | pullPolicy: Always 62 | 63 | backoffLimit: 4 64 | 65 | sleepTimeAfterError: 300 66 | -------------------------------------------------------------------------------- /k8s/helm/idman-ip/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /k8s/helm/idman-ip/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: idman-ip 3 | description: A Helm chart for CENM Identity Manager Kubernetes service (public IP allocation) 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | version: 2.0.6 18 | 19 | # This is the version number of the application being deployed. This version number should be 20 | # incremented each time you make changes to the application. 21 | appVersion: '1.6' 22 | -------------------------------------------------------------------------------- /k8s/helm/idman-ip/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 2 | It may take a few minutes for the public IP to be available. You can watch its status by running this command (and watching the 'EXTERNAL-IP' column): 3 | 4 | kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "idman-ip.fullname" . 
}} 5 | 6 | You can later get public IP address again by running this command: 7 | 8 | kubectl get svc --namespace {{ .Release.Namespace }} {{ include "idman-ip.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}" 9 | 10 | -------------------------------------------------------------------------------- /k8s/helm/idman-ip/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "idman-ip.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "idman-ip.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "idman-ip.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "idman-ip.labels" -}} 38 | app.kubernetes.io/name: {{ include "idman-ip.name" . }} 39 | helm.sh/chart: {{ include "idman-ip.chart" . 
}} 40 | app.kubernetes.io/instance: {{ .Release.Name }} 41 | app.kubernetes.io/managed-by: {{ .Release.Service }} 42 | {{- end -}} 43 | 44 | {{/* 45 | Create the name of the service account to use 46 | */}} 47 | {{- define "idman-ip.serviceAccountName" -}} 48 | {{- if .Values.serviceAccount.create -}} 49 | {{ default (include "idman-ip.fullname" .) .Values.serviceAccount.name }} 50 | {{- else -}} 51 | {{ default "default" .Values.serviceAccount.name }} 52 | {{- end -}} 53 | {{- end -}} 54 | 55 | {{/* 56 | CENM labels 57 | */}} 58 | {{- define "cenm.labels" -}} 59 | app.kubernetes.io/part-of: cenm 60 | {{- if .Chart.AppVersion }} 61 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 62 | {{- end }} 63 | {{- end -}} 64 | 65 | {{/* 66 | Date/time in format: YYYY-MM-DD-HH-MM-SS 67 | */}} 68 | {{- define "currentDateTime" -}} 69 | {{- printf "%s" ( now | date "2006-01-02-15-04-05" ) -}} 70 | {{- end -}} 71 | -------------------------------------------------------------------------------- /k8s/helm/idman-ip/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "idman-ip.fullname" . }} 5 | labels: 6 | {{ include "idman-ip.labels" . | indent 4 }} 7 | {{ include "cenm.labels" . 
| indent 4 }} 8 | spec: 9 | # externalTrafficPolicy: Local together with healthCheckNodePort is needed to get rid of log pollution 10 | {{- if (.Values.healthCheckNodePort) }} 11 | healthCheckNodePort: {{ .Values.healthCheckNodePort }} 12 | {{- end }} 13 | externalTrafficPolicy: Local 14 | type: {{ .Values.service.type }} 15 | ports: 16 | - port: {{ .Values.service.port }} 17 | targetPort: {{ .Values.service.port }} 18 | protocol: TCP 19 | name: main 20 | selector: 21 | app.kubernetes.io/name: idman 22 | app.kubernetes.io/instance: {{ .Values.prefix }}-idman 23 | 24 | -------------------------------------------------------------------------------- /k8s/helm/idman-ip/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for idman-ip. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | nameOverride: "" 6 | fullnameOverride: "" 7 | 8 | service: 9 | type: LoadBalancer 10 | port: 10000 11 | 12 | serviceRevocation: 13 | port: 5053 14 | 15 | healthCheckNodePort: 0 16 | -------------------------------------------------------------------------------- /k8s/helm/idman/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /k8s/helm/idman/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: idman 3 | description: A Helm chart for CENM Identity Manager 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | version: 2.0.6 18 | 19 | # This is the version number of the application being deployed. This version number should be 20 | # incremented each time you make changes to the application. 21 | appVersion: '1.6' 22 | -------------------------------------------------------------------------------- /k8s/helm/idman/files/getZoneToken.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -x 4 | if [ ! -f {{ .Values.idmanJar.configPath }}/token ] 5 | then 6 | EXIT_CODE=1 7 | until [ "${EXIT_CODE}" -eq "0" ] 8 | do 9 | echo "CENM: Attempting to login to {{ .Values.prefix }}-gateway:8080 ..." 
10 | java -jar bin/cenm-tool.jar context login -s http://{{ .Values.prefix }}-gateway:8080 -u config-maintainer -p p4ssWord 11 | EXIT_CODE=${?} 12 | if [ "${EXIT_CODE}" -ne "0" ] 13 | then 14 | echo "EXIT_CODE=${EXIT_CODE}" 15 | sleep 5 16 | else 17 | break 18 | fi 19 | done 20 | EXIT_CODE=1 21 | {{ if eq .Values.bashDebug true }} 22 | cat {{ .Values.idmanJar.configPath }}/identitymanager-init.conf 23 | {{ end }} 24 | until [ "${EXIT_CODE}" -eq "0" ] 25 | do 26 | ZONE_TOKEN=$(java -jar bin/cenm-tool.jar identity-manager config set -f={{ .Values.idmanJar.configPath }}/identitymanager-init.conf --zone-token) 27 | EXIT_CODE=${?} 28 | if [ "${EXIT_CODE}" -ne "0" ] 29 | then 30 | echo "EXIT_CODE=${EXIT_CODE}" 31 | sleep 5 32 | else 33 | break 34 | fi 35 | done 36 | echo ${ZONE_TOKEN} 37 | echo ${ZONE_TOKEN} > {{ .Values.idmanJar.configPath }}/token 38 | {{ if eq .Values.bashDebug true }} 39 | cat {{ .Values.idmanJar.configPath }}/token 40 | {{ end }} 41 | java -jar bin/cenm-tool.jar identity-manager config set-admin-address -a={{ .Values.prefix }}-idman-internal:{{ .Values.adminListener.port }} 42 | fi 43 | -------------------------------------------------------------------------------- /k8s/helm/idman/files/identitymanager-init.conf: -------------------------------------------------------------------------------- 1 | 2 | address = "0.0.0.0:{{ .Values.service.port }}" 3 | database { 4 | driverClassName = "{{ .Values.database.driverClassName }}" 5 | jdbcDriver = "{{ .Values.database.jdbcDriver }}" 6 | url = "{{ .Values.database.url }}" 7 | user = "{{ .Values.database.user }}" 8 | password = "{{ .Values.database.password }}" 9 | runMigration = "{{ .Values.database.runMigration }}" 10 | } 11 | 12 | workflows = { 13 | "identity-manager" = { 14 | type = ISSUANCE 15 | updateInterval = 10000 16 | enmListener = { 17 | port = {{ .Values.serviceInternal.port }} 18 | reconnect = true 19 | ssl = { 20 | keyStore = { 21 | location = 
/opt/cenm/DATA/key-stores/corda-ssl-identity-manager-keys.jks 22 | password = password 23 | } 24 | trustStore = { 25 | location = /opt/cenm/DATA/trust-stores/corda-ssl-trust-store.jks 26 | password = trust-store-password 27 | } 28 | } 29 | } 30 | plugin = { 31 | pluginClass = "com.r3.enmplugins.approveall.ApproveAll" 32 | } 33 | }, 34 | "revocation" = { 35 | type = REVOCATION 36 | crlCacheTimeout = 900000 # every 15 minutes 37 | crlFiles = ["/opt/cenm/DATA/crl-files/tls.crl", "/opt/cenm/DATA/crl-files/root.crl", "/opt/cenm/DATA/crl-files/subordinate.crl"] 38 | enmListener = { 39 | port = {{ .Values.serviceRevocation.port }} 40 | reconnect = true 41 | ssl = { 42 | keyStore = { 43 | location = /opt/cenm/DATA/key-stores/corda-ssl-identity-manager-keys.jks 44 | password = password 45 | } 46 | trustStore = { 47 | location = /opt/cenm/DATA/trust-stores/corda-ssl-trust-store.jks 48 | password = trust-store-password 49 | } 50 | } 51 | } 52 | plugin = { 53 | pluginClass = "com.r3.enmplugins.approveall.ApproveAll" 54 | } 55 | } 56 | } 57 | 58 | authServiceConfig = { 59 | disableAuthentication=false 60 | host="{{ .Values.prefix }}-auth" 61 | port={{ .Values.authPort }} 62 | trustStore = { 63 | location = "/opt/cenm/DATA/trust-stores/corda-ssl-trust-store.jks" 64 | password = "trust-store-password" 65 | } 66 | issuer="http://test" 67 | leeway=5s 68 | } 69 | 70 | adminListener = { 71 | port = {{ .Values.adminListener.port }} 72 | ssl = { 73 | keyStore = { 74 | location = /opt/cenm/DATA/key-stores/corda-ssl-identity-manager-keys.jks 75 | password = password 76 | } 77 | trustStore = { 78 | location = /opt/cenm/DATA/trust-stores/corda-ssl-trust-store.jks 79 | password = trust-store-password 80 | } 81 | } 82 | } -------------------------------------------------------------------------------- /k8s/helm/idman/files/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | {{ if eq .Values.bashDebug true }} 3 | set -x 4 | {{ end }} 5 | 
6 | # 7 | # main run 8 | # 9 | if [ -f {{ .Values.idmanJar.path }}/identitymanager.jar ] 10 | then 11 | {{ if eq .Values.bashDebug true }} 12 | sha256sum {{ .Values.idmanJar.path }}/identitymanager.jar 13 | sha256sum {{ .Values.idmanJar.path }}/angel.jar 14 | cat {{ .Values.idmanJar.configPath }}/identitymanager.conf 15 | {{ end }} 16 | echo 17 | echo "CENM: starting Identity Manager process ..." 18 | echo 19 | TOKEN=$(cat {{ .Values.idmanJar.configPath }}/token) 20 | ls -alR 21 | java -jar {{ .Values.idmanJar.path }}/angel.jar \ 22 | --jar-name={{ .Values.idmanJar.path }}/identitymanager.jar \ 23 | --zone-host={{ .Values.prefix }}-zone \ 24 | --zone-port=25000 \ 25 | --token=${TOKEN} \ 26 | --service=IDENTITY_MANAGER \ 27 | --working-dir=etc/ \ 28 | --polling-interval=10 \ 29 | --tls=true \ 30 | --tls-keystore=/opt/cenm/DATA/key-stores/corda-ssl-identity-manager-keys.jks \ 31 | --tls-keystore-password=password \ 32 | --tls-truststore=/opt/cenm/DATA/trust-stores/corda-ssl-trust-store.jks \ 33 | --tls-truststore-password=trust-store-password \ 34 | --verbose 35 | EXIT_CODE=${?} 36 | else 37 | echo "Missing Identity Manager jar file in {{ .Values.idmanJar.path }} directory:" 38 | ls -al {{ .Values.idmanJar.path }} 39 | EXIT_CODE=110 40 | fi 41 | 42 | if [ "${EXIT_CODE}" -ne "0" ] 43 | then 44 | echo 45 | echo "Identity manager failed - exit code: ${EXIT_CODE} (error)" 46 | echo 47 | echo "Going to sleep for the requested {{ .Values.sleepTimeAfterError }} seconds to let you log in and investigate." 
48 | echo 49 | sleep {{ .Values.sleepTimeAfterError }} 50 | fi 51 | 52 | echo -------------------------------------------------------------------------------- /k8s/helm/idman/templates/NOTES.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/corda/cenm-deployment/4cbbf81ce962a8d8bb6672ca76e1e2dfe7619f72/k8s/helm/idman/templates/NOTES.txt -------------------------------------------------------------------------------- /k8s/helm/idman/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "idman.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "idman.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "idman.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "idman.labels" -}} 38 | helm.sh/chart: {{ include "idman.chart" . }} 39 | {{ include "idman.selectorLabels" . 
}} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end -}} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "idman.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "idman.name" . }} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end -}} 53 | 54 | {{/* 55 | Create the name of the service account to use 56 | */}} 57 | {{- define "idman.serviceAccountName" -}} 58 | {{- if .Values.serviceAccount.create -}} 59 | {{ default (include "idman.fullname" .) .Values.serviceAccount.name }} 60 | {{- else -}} 61 | {{ default "default" .Values.serviceAccount.name }} 62 | {{- end -}} 63 | {{- end -}} 64 | -------------------------------------------------------------------------------- /k8s/helm/idman/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ .Values.prefix }}-idman-conf 6 | labels: 7 | {{ include "idman.labels" . | nindent 4 }} 8 | data: 9 | run.sh: |+ 10 | {{ tpl (.Files.Get "files/run.sh") . | nindent 4 }} 11 | 12 | getZoneToken.sh: |+ 13 | {{ tpl (.Files.Get "files/getZoneToken.sh") . | nindent 4 }} 14 | 15 | identitymanager-init.conf: |+ 16 | {{ tpl (.Files.Get "files/identitymanager-init.conf") . 
| nindent 4 }} 17 | -------------------------------------------------------------------------------- /k8s/helm/idman/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: {{ .Values.prefix }}-idman-etc 6 | spec: 7 | accessModes: 8 | - ReadWriteOnce 9 | storageClassName: {{ .Values.storageClass }} 10 | resources: 11 | requests: 12 | storage: {{ .Values.volumeSizeIdmanEtc }} 13 | 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: {{ .Values.prefix }}-idman-logs 19 | spec: 20 | accessModes: 21 | - ReadWriteOnce 22 | storageClassName: {{ .Values.storageClass }} 23 | resources: 24 | requests: 25 | storage: {{ .Values.volumeSizeIdmanLogs }} 26 | 27 | --- 28 | apiVersion: v1 29 | kind: PersistentVolumeClaim 30 | metadata: 31 | name: {{ .Values.prefix }}-idman-h2 32 | spec: 33 | accessModes: 34 | - ReadWriteOnce 35 | storageClassName: {{ .Values.storageClass }} 36 | resources: 37 | requests: 38 | storage: {{ .Values.volumeSizeIdmanH2 }} 39 | -------------------------------------------------------------------------------- /k8s/helm/idman/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "idman.fullname" . }}-internal 5 | labels: 6 | {{- include "idman.labels" . 
| nindent 4 }} 7 | spec: 8 | {{- if .Values.healthCheckNodePort }} 9 | healthCheckNodePort: {{ .Values.healthCheckNodePort }} 10 | {{- end }} 11 | ports: 12 | - port: {{ .Values.serviceInternal.port }} 13 | targetPort: {{ .Values.serviceInternal.port }} 14 | protocol: TCP 15 | name: issuance 16 | - port: {{ .Values.serviceRevocation.port }} 17 | targetPort: {{ .Values.serviceRevocation.port }} 18 | protocol: TCP 19 | name: revocation 20 | - port: {{ .Values.adminListener.port }} 21 | targetPort: {{ .Values.adminListener.port }} 22 | protocol: TCP 23 | name: adminlistener 24 | selector: 25 | {{- include "idman.selectorLabels" . | nindent 4 }} 26 | -------------------------------------------------------------------------------- /k8s/helm/idman/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "idman.serviceAccountName" . }} 6 | labels: 7 | {{- include "idman.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | {{- end -}} 13 | -------------------------------------------------------------------------------- /k8s/helm/idman/values.yaml: -------------------------------------------------------------------------------- 1 | ######################################## 2 | ### CENM configuration options ### 3 | ######################################## 4 | 5 | # Display more messages (shell command trace and configuration dumps) while executing the Kubernetes deployment 6 | bashDebug: false 7 | 8 | # Docker images used by the Identity Manager Service Helm chart 9 | dockerImage: 10 | name: corda/enterprise-identitymanager 11 | tag: 1.6-zulu-openjdk8u392 12 | pullPolicy: Always 13 | 14 | # Docker images used by the CENM CLI Helm chart 15 | dockerImageCli: 16 | name: corda/enterprise-cli 17 | tag: 1.6-zulu-openjdk8u392 18 | pullPolicy: Always 19 | 20 | # Volume size for etc/ directory 21 | volumeSizeIdmanEtc: 1Gi 22 | 23 | # Volume size for logs/ directory 24 | volumeSizeIdmanLogs: 10Gi 25 | 26 | # Volume size for h2/ directory 27 | volumeSizeIdmanH2: 10Gi 28 | 29 | # Configuration for database 30 | database: 31 | driverClassName: "org.h2.Driver" 32 | jdbcDriver: "" 33 | url: "jdbc:h2:file:./h2/identity-manager-persistence;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=10000;WRITE_DELAY=0;AUTO_SERVER_PORT=0" 34 | user: "example-db-user" 35 | password: "example-db-password" 36 | runMigration: true 37 | 38 | # Required parameter 39 | acceptLicense: 40 | 41 | # Memory size allocated to the main Identity Manager Service container (in GB) 42 | cordaJarMx: 1 43 | 44 | idmanJar: 45 | # value for java -Xmx parameter 46 | xmx: 1G 47 | # The directory where the Identity Manager Service jar file is stored 48 | path: bin 49 | # The directory where the Identity Manager Service configuration is stored 50 | configPath: etc 51 | 52 | # Sleep time (in seconds) after an error occurred 53 | sleepTimeAfterError: 120 54 | 55 | # Auth Service port 56 | authPort: 8081 57 | 58 | # Revocation port 59 | serviceRevocation: 60 | port: 5053 61 | 62 
| # Enable container displaying live logs 63 | logsContainersEnabled: true 64 | 65 | ######################################## 66 | ### Kubernetes related settings ### 67 | ######################################## 68 | 69 | # Name of Kubernetes secret storing credentials to Docker registry 70 | imagePullSecrets: 71 | - name: cenm-registry 72 | 73 | nameOverride: "" 74 | fullnameOverride: "" 75 | 76 | serviceAccount: 77 | # Specifies whether a service account should be created 78 | create: true 79 | # Annotations to add to the service account 80 | annotations: {} 81 | # The name of the service account to use. 82 | # If not set and create is true, a name is generated using the fullname template 83 | name: 84 | 85 | podSecurityContext: 86 | runAsUser: 1000 87 | runAsGroup: 1000 88 | fsGroup: 1000 89 | 90 | securityContext: {} 91 | # capabilities: 92 | # drop: 93 | # - ALL 94 | # readOnlyRootFilesystem: true 95 | # runAsNonRoot: true 96 | # runAsUser: 1000 97 | 98 | ### This has been commented out due to a double `service:` block causing incorrect yaml 99 | ### This service key looks like the anomaly wrt the other helm charts so it has been removed 100 | # service: 101 | # type: ClusterIP 102 | # port: 80 103 | 104 | resources: 105 | # We usually recommend not to specify default resources and to leave this as a conscious 106 | # choice for the user. This also increases chances charts run on environments with little 107 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 108 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
109 | limits: 110 | # cpu: 100m 111 | memory: 1Gi 112 | requests: 113 | # cpu: 100m 114 | memory: 1Gi 115 | 116 | nodeSelector: {} 117 | 118 | tolerations: [] 119 | 120 | affinity: {} 121 | 122 | ## Liveness and readiness probe values 123 | ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 124 | ## 125 | livenessProbe: 126 | enabled: false 127 | failureThreshold: 3 128 | initialDelaySeconds: 10 129 | periodSeconds: 10 130 | successThreshold: 1 131 | timeoutSeconds: 1 132 | readinessProbe: 133 | enabled: false 134 | failureThreshold: 3 135 | initialDelaySeconds: 10 136 | periodSeconds: 10 137 | successThreshold: 1 138 | timeoutSeconds: 1 139 | 140 | storageClass: cenm 141 | 142 | # Local policy and healthCheckNodePort are set to get rid of logs pollution 143 | healthCheckNodePort: 0 144 | externalTrafficPolicy: Local 145 | 146 | service: 147 | type: LoadBalancer 148 | port: 10000 149 | 150 | serviceInternal: 151 | type: LoadBalancer 152 | port: 5052 153 | 154 | adminListener: 155 | type: ClusterIP 156 | port: 6000 157 | -------------------------------------------------------------------------------- /k8s/helm/nmap/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /k8s/helm/nmap/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: nmap 3 | description: A Helm chart for CENM Network Map 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | version: 2.0.6 18 | 19 | # This is the version number of the application being deployed. This version number should be 20 | # incremented each time you make changes to the application. 21 | appVersion: '1.6' 22 | -------------------------------------------------------------------------------- /k8s/helm/nmap/files/getZoneToken.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -x 4 | 5 | echo "Waiting for notary-nodeinfo/network-parameters-initial.conf ..." 6 | until [ -f notary-nodeinfo/network-parameters-initial.conf ] 7 | do 8 | sleep 10 9 | done 10 | echo "Waiting for notary-nodeinfo/network-parameters-initial.conf ... done." 
11 | 12 | ls -al notary-nodeinfo/network-parameters-initial.conf 13 | cp notary-nodeinfo/network-parameters-initial.conf {{ .Values.nmapJar.configPath }}/ 14 | cat {{ .Values.nmapJar.configPath }}/network-parameters-initial.conf 15 | 16 | cat {{ .Values.nmapJar.configPath }}/networkmap-init.conf 17 | 18 | if [ ! -f {{ .Values.nmapJar.configPath }}/token ] 19 | then 20 | EXIT_CODE=1 21 | until [ "${EXIT_CODE}" -eq "0" ] 22 | do 23 | echo "Trying to login to {{ .Values.prefix }}-gateway:8080 ..." 24 | java -jar bin/cenm-tool.jar context login -s http://{{ .Values.prefix }}-gateway:8080 -u network-maintainer -p p4ssWord 25 | EXIT_CODE=${?} 26 | if [ "${EXIT_CODE}" -ne "0" ] 27 | then 28 | echo "EXIT_CODE=${EXIT_CODE}" 29 | sleep 5 30 | else 31 | break 32 | fi 33 | done 34 | cat ./notary-nodeinfo/network-parameters-initial.conf 35 | ZONE_TOKEN=$(java -jar bin/cenm-tool.jar zone create-subzone \ 36 | --config-file={{ .Values.nmapJar.configPath }}/networkmap-init.conf --network-map-address={{ .Values.prefix }}-nmap-internal:{{ .Values.adminListener.port }} \ 37 | --network-parameters=./notary-nodeinfo/network-parameters-initial.conf --label=Main --label-color='#941213' --zone-token) 38 | echo ${ZONE_TOKEN} 39 | echo ${ZONE_TOKEN} > {{ .Values.nmapJar.configPath }}/token 40 | {{ if eq .Values.bashDebug true }} 41 | cat {{ .Values.nmapJar.configPath }}/token 42 | {{ end }} 43 | fi 44 | -------------------------------------------------------------------------------- /k8s/helm/nmap/files/network-parameters-update-example.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This is example file to update network parameters 3 | # 4 | #minimumPlatformVersion = 1 5 | #maxMessageSize = 10485760 6 | #maxTransactionSize = 10485760 7 | #eventHorizonDays = 1 8 | 9 | # updateDeadline=$(date -u +'%Y-%m-%dT%H:%M:%S.%3NZ' -d "+10 minute") 10 | parametersUpdate { 11 | description = "Update network parameters settings" 12 | updateDeadline = 
"${updateDeadline}" 13 | } -------------------------------------------------------------------------------- /k8s/helm/nmap/files/networkmap-init.conf: -------------------------------------------------------------------------------- 1 | address = "0.0.0.0:{{ .Values.service.port }}" 2 | pollingInterval = 10000 3 | checkRevocation = "{{ .Values.checkRevocation }}" 4 | 5 | database { 6 | driverClassName = "{{ .Values.database.driverClassName }}" 7 | jdbcDriver = "{{ .Values.database.jdbcDriver }}" 8 | url = "{{ .Values.database.url }}" 9 | user = "{{ .Values.database.user }}" 10 | password = "{{ .Values.database.password }}" 11 | runMigration = "{{ .Values.database.runMigration }}" 12 | } 13 | 14 | enmListener = { 15 | port = {{ .Values.serviceInternal.port }} 16 | ssl = { 17 | keyStore = { 18 | location = "/opt/cenm/DATA/key-stores/corda-ssl-network-map-keys.jks" 19 | password = password 20 | } 21 | trustStore = { 22 | location = "/opt/cenm/DATA/trust-stores/corda-ssl-trust-store.jks" 23 | password = trust-store-password 24 | } 25 | } 26 | } 27 | 28 | identityManager = { 29 | host = {{ .Values.prefix }}-{{ .Values.identityManager.host }} 30 | port = {{ .Values.identityManager.port }} 31 | ssl = { 32 | keyStore = { 33 | location = "/opt/cenm/DATA/key-stores/corda-ssl-network-map-keys.jks" 34 | password = password 35 | } 36 | trustStore = { 37 | location = "/opt/cenm/DATA/trust-stores/corda-ssl-trust-store.jks" 38 | password = trust-store-password 39 | } 40 | } 41 | } 42 | 43 | revocation = { 44 | host = {{ .Values.prefix }}-{{ .Values.identityManager.host }} 45 | port = {{ .Values.revocation.port }} 46 | ssl = { 47 | keyStore = { 48 | location = "/opt/cenm/DATA/key-stores/corda-ssl-network-map-keys.jks" 49 | password = password 50 | } 51 | trustStore = { 52 | location = "/opt/cenm/DATA/trust-stores/corda-ssl-trust-store.jks" 53 | password = trust-store-password 54 | } 55 | } 56 | } 57 | 58 | authObjectId=1 59 | authServiceConfig = { 60 | disableAuthentication=false 61 
| host="{{ .Values.prefix }}-auth" 62 | port={{ .Values.authPort }} 63 | trustStore = { 64 | location = "/opt/cenm/DATA/trust-stores/corda-ssl-trust-store.jks" 65 | password = "trust-store-password" 66 | } 67 | issuer="http://test" 68 | leeway=5s 69 | } 70 | 71 | adminListener = { 72 | port = {{ .Values.adminListener.port }} 73 | ssl = { 74 | keyStore = { 75 | location = /opt/cenm/DATA/key-stores/corda-ssl-network-map-keys.jks 76 | password = password 77 | } 78 | trustStore = { 79 | location = /opt/cenm/DATA/trust-stores/corda-ssl-trust-store.jks 80 | password = trust-store-password 81 | } 82 | } 83 | } -------------------------------------------------------------------------------- /k8s/helm/nmap/files/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | {{ if eq .Values.bashDebug true }} 3 | set -x 4 | {{ end }} 5 | 6 | # 7 | # main run 8 | # 9 | if [ -f {{ .Values.nmapJar.path }}/networkmap.jar ] 10 | then 11 | {{ if eq .Values.bashDebug true }} 12 | sha256sum {{ .Values.nmapJar.path }}/networkmap.jar 13 | sha256sum {{ .Values.nmapJar.path }}/angel.jar 14 | cat {{ .Values.nmapJar.configPath }}/networkmap-init.conf 15 | {{ end }} 16 | echo 17 | echo "CENM: starting Network Map process ..." 
18 | echo 19 | TOKEN=$(cat {{ .Values.nmapJar.configPath }}/token) 20 | ls -alR 21 | set -x 22 | java -jar {{ .Values.nmapJar.path }}/angel.jar \ 23 | --jar-name={{ .Values.nmapJar.path }}/networkmap.jar \ 24 | --zone-host={{ .Values.prefix }}-zone \ 25 | --zone-port=25000 \ 26 | --token=${TOKEN} \ 27 | --service=NETWORK_MAP \ 28 | --polling-interval=10 \ 29 | --working-dir=etc/ \ 30 | --network-truststore=/opt/cenm/{{ .Values.networkRootTruststore.path }} \ 31 | --truststore-password={{ .Values.networkRootTruststore.password }} \ 32 | --root-alias={{ .Values.rootAlias }} \ 33 | --network-parameters-file=/opt/cenm/etc/network-parameters.conf \ 34 | --tls=true \ 35 | --tls-keystore=/opt/cenm/DATA/key-stores/corda-ssl-network-map-keys.jks \ 36 | --tls-keystore-password=password \ 37 | --tls-truststore=/opt/cenm/DATA/trust-stores/corda-ssl-trust-store.jks \ 38 | --tls-truststore-password=trust-store-password \ 39 | --verbose 40 | EXIT_CODE=${?} 41 | else 42 | echo "Missing Network Map jar file in {{ .Values.nmapJar.path }}/ directory:" 43 | ls -al {{ .Values.nmapJar.path }} 44 | EXIT_CODE=110 45 | fi 46 | 47 | if [ "${EXIT_CODE}" -ne "0" ] 48 | then 49 | HOW_LONG={{ .Values.sleepTimeAfterError }} 50 | echo 51 | echo "Network Map failed - exit code: ${EXIT_CODE} (error)" 52 | echo 53 | echo "Going to sleep for requested ${HOW_LONG} seconds to let you login and investigate." 54 | echo 55 | fi 56 | 57 | sleep ${HOW_LONG} 58 | echo 59 | -------------------------------------------------------------------------------- /k8s/helm/nmap/files/set-network-parameters.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | {{ if eq .Values.bashDebug true }} 3 | set -x 4 | {{ end }} 5 | 6 | echo "Waiting for notary-nodeinfo/network-parameters-initial.conf ..." 7 | if [ ! 
-f {{ .Values.nmapJar.configPath }}/network-parameters-initial-set-succesfully ] 8 | then 9 | until [ -f notary-nodeinfo/network-parameters-initial.conf ] 10 | do 11 | sleep 1 12 | done 13 | fi 14 | echo "Waiting for notary-nodeinfo/network-parameters-initial.conf ... done." 15 | 16 | ls -al notary-nodeinfo/network-parameters-initial.conf 17 | cp notary-nodeinfo/network-parameters-initial.conf {{ .Values.nmapJar.configPath }}/ 18 | cat {{ .Values.nmapJar.configPath }}/network-parameters-initial.conf 19 | 20 | cat {{ .Values.nmapJar.configPath }}/networkmap-init.conf 21 | 22 | echo "Setting initial network parameters ..." 23 | java -jar {{ .Values.nmapJar.path }}/networkmap.jar \ 24 | -f {{ .Values.nmapJar.configPath }}/networkmap-init.conf \ 25 | --set-network-parameters {{ .Values.nmapJar.configPath }}/network-parameters-initial.conf \ 26 | --network-truststore DATA/trust-stores/network-root-truststore.jks \ 27 | --truststore-password trust-store-password \ 28 | --root-alias cordarootca 29 | 30 | EXIT_CODE=${?} 31 | 32 | if [ "${EXIT_CODE}" -ne "0" ] 33 | then 34 | echo 35 | echo "Network Map: setting network parameters failed - exit code: ${EXIT_CODE} (error)" 36 | echo 37 | echo "Going to sleep for the requested {{ .Values.sleepTimeAfterError }} seconds to let you log in and investigate." 38 | echo 39 | sleep {{ .Values.sleepTimeAfterError }} 40 | else 41 | echo 42 | echo "Network Map: initial network parameters have been set." 43 | echo "No errors." 
44 | echo 45 | touch {{ .Values.nmapJar.configPath }}/network-parameters-initial-set-succesfully 46 | echo "# This is a file with _example_ content needed for updating network parameters" > {{ .Values.nmapJar.configPath }}/network-parameters-update-example.conf 47 | cat {{ .Values.nmapJar.configPath }}/network-parameters-initial.conf >> {{ .Values.nmapJar.configPath }}/network-parameters-update-example.conf 48 | cat << EOF >> {{ .Values.nmapJar.configPath }}/network-parameters-update-example.conf 49 | # updateDeadline=\$(date -u +'%Y-%m-%dT%H:%M:%S.%3NZ' -d "+10 minute") 50 | parametersUpdate { 51 | description = "Update network parameters settings" 52 | updateDeadline = "[updateDeadline]" 53 | } 54 | EOF 55 | 56 | fi 57 | 58 | exit ${EXIT_CODE} 59 | -------------------------------------------------------------------------------- /k8s/helm/nmap/templates/NOTES.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/corda/cenm-deployment/4cbbf81ce962a8d8bb6672ca76e1e2dfe7619f72/k8s/helm/nmap/templates/NOTES.txt -------------------------------------------------------------------------------- /k8s/helm/nmap/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "nmap.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 
13 | */}} 14 | {{- define "nmap.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "nmap.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "nmap.labels" -}} 38 | helm.sh/chart: {{ include "nmap.chart" . }} 39 | {{ include "nmap.selectorLabels" . }} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end -}} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "nmap.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "nmap.name" . }} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end -}} 53 | 54 | {{/* 55 | Create the name of the service account to use 56 | */}} 57 | {{- define "nmap.serviceAccountName" -}} 58 | {{- if .Values.serviceAccount.create -}} 59 | {{ default (include "nmap.fullname" .) .Values.serviceAccount.name }} 60 | {{- else -}} 61 | {{ default "default" .Values.serviceAccount.name }} 62 | {{- end -}} 63 | {{- end -}} 64 | -------------------------------------------------------------------------------- /k8s/helm/nmap/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ .Values.prefix }}-nmap-conf 6 | labels: 7 | {{ include "nmap.labels" . 
| nindent 4 }} 8 | data: 9 | run.sh: |+ 10 | {{ tpl (.Files.Get "files/run.sh") . | nindent 4 }} 11 | 12 | getZoneToken.sh: |+ 13 | {{ tpl (.Files.Get "files/getZoneToken.sh") . | nindent 4 }} 14 | 15 | set-network-parameters.sh: |+ 16 | {{ tpl (.Files.Get "files/set-network-parameters.sh") . | nindent 4 }} 17 | 18 | networkmap-init.conf: |+ 19 | {{ tpl (.Files.Get "files/networkmap-init.conf") . | nindent 4 }} 20 | 21 | network-parameters-update-example.conf: |+ 22 | {{ tpl (.Files.Get "files/network-parameters-update-example.conf") . | nindent 4 }} 23 | -------------------------------------------------------------------------------- /k8s/helm/nmap/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | 2 | --- 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: {{ .Values.prefix }}-nmap-etc 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | storageClassName: {{ .Values.storageClass }} 11 | resources: 12 | requests: 13 | storage: {{ .Values.volumeSizeNmapEtc }} 14 | 15 | --- 16 | apiVersion: v1 17 | kind: PersistentVolumeClaim 18 | metadata: 19 | name: {{ .Values.prefix }}-nmap-logs 20 | spec: 21 | accessModes: 22 | - ReadWriteOnce 23 | storageClassName: {{ .Values.storageClass }} 24 | resources: 25 | requests: 26 | storage: {{ .Values.volumeSizeNmapLogs }} 27 | 28 | --- 29 | apiVersion: v1 30 | kind: PersistentVolumeClaim 31 | metadata: 32 | name: {{ .Values.prefix }}-nmap-h2 33 | spec: 34 | accessModes: 35 | - ReadWriteOnce 36 | storageClassName: {{ .Values.storageClass }} 37 | resources: 38 | requests: 39 | storage: {{ .Values.volumeSizeNmapH2 }} 40 | -------------------------------------------------------------------------------- /k8s/helm/nmap/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "nmap.fullname" . }} 5 | labels: 6 | {{- include "nmap.labels" . 
| nindent 4 }} 7 | spec: 8 | # we need Local policy and healthCheckNodePort set to get rid of logs pollution 9 | {{- if (.Values.healthCheckNodePort) }} 10 | healthCheckNodePort: {{ .Values.healthCheckNodePort }} 11 | {{- end }} 12 | {{- if .Values.externalTrafficPolicy }} 13 | externalTrafficPolicy: {{ .Values.externalTrafficPolicy }} 14 | {{- end }} 15 | type: {{ .Values.service.type }} 16 | ports: 17 | - port: {{ .Values.service.port }} 18 | targetPort: {{ .Values.service.port }} 19 | protocol: TCP 20 | name: http 21 | selector: 22 | {{- include "nmap.selectorLabels" . | nindent 4 }} 23 | 24 | --- 25 | apiVersion: v1 26 | kind: Service 27 | metadata: 28 | name: {{ include "nmap.fullname" . }}-internal 29 | labels: 30 | {{- include "nmap.labels" . | nindent 4 }} 31 | spec: 32 | ports: 33 | - port: {{ .Values.serviceInternal.port }} 34 | targetPort: {{ .Values.serviceInternal.port }} 35 | protocol: TCP 36 | name: http 37 | - port: {{ .Values.adminListener.port }} 38 | targetPort: {{ .Values.adminListener.port }} 39 | protocol: TCP 40 | name: adminlistener 41 | selector: 42 | # app.kubernetes.io/name: {{ include "nmap.name" . }} 43 | {{- include "nmap.selectorLabels" . | nindent 4 }} 44 | 45 | -------------------------------------------------------------------------------- /k8s/helm/nmap/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "nmap.serviceAccountName" . }} 6 | labels: 7 | {{- include "nmap.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | {{- end -}} 13 | -------------------------------------------------------------------------------- /k8s/helm/nmap/values.yaml: -------------------------------------------------------------------------------- 1 | ######################################## 2 | ### CENM configuration options ### 3 | ######################################## 4 | 5 | # Display more messages (shell command trace and configuration dumps) while executing the Kubernetes deployment 6 | bashDebug: false 7 | 8 | # Volume size for etc/ directory 9 | volumeSizeNmapEtc: 1Gi 10 | 11 | # Volume size for logs/ directory 12 | volumeSizeNmapLogs: 10Gi 13 | 14 | # Volume size for h2/ directory 15 | volumeSizeNmapH2: 10Gi 16 | 17 | # Docker images to use for the Network Map Service Helm chart 18 | dockerImage: 19 | repository: corda/enterprise-networkmap 20 | tag: 1.6-zulu-openjdk8u392 21 | pullPolicy: Always 22 | 23 | dockerImageCli: 24 | repository: corda/enterprise-cli 25 | tag: 1.6-zulu-openjdk8u392 26 | pullPolicy: Always 27 | 28 | # Required parameter 29 | acceptLicense: 30 | 31 | nmapJar: 32 | # Value for java -Xmx memory settings 33 | xmx: 1G 34 | # The directory where the Network Map Service .jar file is stored 35 | path: bin 36 | # The directory where the Network Map Service configuration is stored 37 | configPath: etc 38 | 39 | # Configuration for database 40 | database: 41 | driverClassName: "org.h2.Driver" 42 | jdbcDriver: "" 43 | url: "jdbc:h2:file:./h2/networkmap-persistence;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=10000;WRITE_DELAY=0;AUTO_SERVER_PORT=0" 44 | user: "example-db-user" 45 | password: "example-db-password" 46 | runMigration: true 47 | 48 | checkRevocation: true 49 | 50 | # Sleep time (in seconds) after an error occurred 51 | sleepTimeAfterError: 120 52 | 53 | # Port for Auth Service 54 | authPort: 8081 55 | 56 | # Path to, and password for, the network root truststore file required by the Angel Service 57 | networkRootTruststore: 58 | path: DATA/trust-stores/network-root-truststore.jks 59 | password: trust-store-password 60 
| 61 | # Alias of the root certificate in the network root truststore, required by the Angel Service 62 | rootAlias: cordarootca 63 | 64 | # Enable container displaying live logs 65 | logsContainersEnabled: true 66 | 67 | ######################################## 68 | ### Kubernetes related settings ### 69 | ######################################## 70 | 71 | # Name of the Kubernetes secret storing credentials for the Docker registry 72 | imagePullSecrets: 73 | - name: cenm-registry 74 | 75 | nameOverride: "" 76 | fullnameOverride: "" 77 | 78 | serviceAccount: 79 | # Specifies whether a service account should be created 80 | create: true 81 | # Annotations to add to the service account 82 | annotations: {} 83 | # The name of the service account to use. 84 | # If not set and create is true, a name is generated using the fullname template 85 | name: 86 | 87 | podSecurityContext: 88 | runAsUser: 1000 89 | runAsGroup: 1000 90 | fsGroup: 1000 91 | 92 | securityContext: {} 93 | # capabilities: 94 | # drop: 95 | # - ALL 96 | # readOnlyRootFilesystem: true 97 | # runAsNonRoot: true 98 | # runAsUser: 1000 99 | 100 | resources: 101 | # We usually recommend not to specify default resources and to leave this as a conscious 102 | # choice for the user. This also increases chances charts run on environments with little 103 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 104 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
105 | limits: 106 | # cpu: 100m 107 | memory: 1Gi 108 | requests: 109 | # cpu: 100m 110 | memory: 1Gi 111 | 112 | nodeSelector: {} 113 | 114 | tolerations: [] 115 | 116 | affinity: {} 117 | 118 | storageClass: cenm 119 | 120 | healthCheckNodePort: 0 121 | 122 | service: 123 | type: LoadBalancer 124 | port: 10000 125 | 126 | serviceInternal: 127 | type: LoadBalancer 128 | port: 5050 129 | 130 | identityManager: 131 | host: idman-internal 132 | port: 5052 133 | 134 | revocation: 135 | port: 5053 136 | 137 | ## Liveness and readiness probes values 138 | ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 139 | ## 140 | livenessProbe: 141 | enabled: false 142 | failureThreshold: 3 143 | initialDelaySeconds: 60 144 | periodSeconds: 10 145 | successThreshold: 1 146 | timeoutSeconds: 1 147 | readinessProbe: 148 | enabled: false 149 | failureThreshold: 3 150 | initialDelaySeconds: 60 151 | periodSeconds: 10 152 | successThreshold: 1 153 | timeoutSeconds: 1 154 | 155 | adminListener: 156 | type: ClusterIP 157 | port: 6000 158 | 159 | externalTrafficPolicy: 160 | -------------------------------------------------------------------------------- /k8s/helm/notary-ip/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /k8s/helm/notary-ip/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: notary-ip 3 | description: A Helm chart for CENM Notary Kubernetes service (public IP allocation) 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | version: 2.0.6 18 | 19 | # This is the version number of the application being deployed. This version number should be 20 | # incremented each time you make changes to the application. 21 | appVersion: 4.11.1 22 | -------------------------------------------------------------------------------- /k8s/helm/notary-ip/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 2 | It may take a few minutes for the public IP to be available. You can watch the status of by running this command (and watching column 'EXTERNAL-IP'): 3 | 4 | kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "notary-ip.fullname" . 
}} 5 | 6 | You can later get public IP address again by running this command: 7 | 8 | kubectl get svc --namespace {{ .Release.Namespace }} {{ include "notary-ip.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}" 9 | 10 | -------------------------------------------------------------------------------- /k8s/helm/notary-ip/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "notary-ip.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "notary-ip.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "notary-ip.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "notary-ip.labels" -}} 38 | app.kubernetes.io/name: {{ include "notary-ip.name" . }} 39 | helm.sh/chart: {{ include "notary-ip.chart" . 
}} 40 | app.kubernetes.io/instance: {{ .Release.Name }} 41 | app.kubernetes.io/managed-by: {{ .Release.Service }} 42 | {{- end -}} 43 | 44 | {{/* 45 | Create the name of the service account to use 46 | */}} 47 | {{- define "notary-ip.serviceAccountName" -}} 48 | {{- if .Values.serviceAccount.create -}} 49 | {{ default (include "notary-ip.fullname" .) .Values.serviceAccount.name }} 50 | {{- else -}} 51 | {{ default "default" .Values.serviceAccount.name }} 52 | {{- end -}} 53 | {{- end -}} 54 | 55 | {{/* 56 | CENM labels 57 | */}} 58 | {{- define "cenm.labels" -}} 59 | app.kubernetes.io/part-of: cenm 60 | {{- if .Chart.AppVersion }} 61 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 62 | {{- end }} 63 | {{- end -}} 64 | 65 | {{/* 66 | Date/time in formt: YYYY-MM-DD-HH-MM-SS 67 | */}} 68 | {{- define "currentDateTime" -}} 69 | {{- printf "%s" ( now | date "2006-01-02-15-04-05" ) -}} 70 | {{- end -}} 71 | -------------------------------------------------------------------------------- /k8s/helm/notary-ip/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "notary-ip.fullname" . }} 5 | labels: 6 | {{ include "notary-ip.labels" . | indent 4 }} 7 | {{ include "cenm.labels" . 
| indent 4 }} 8 | spec: 9 | # we need Local policy and healthCheckNodePort set to get rid of logs pollution 10 | {{- if (.Values.healthCheckNodePort) }} 11 | healthCheckNodePort: {{ .Values.healthCheckNodePort }} 12 | {{- end }} 13 | externalTrafficPolicy: Local 14 | type: {{ .Values.service.type }} 15 | ports: 16 | - port: {{ .Values.service.p2pPort }} 17 | targetPort: {{ .Values.service.p2pPort }} 18 | protocol: TCP 19 | name: p2pport 20 | - port: {{ .Values.service.sshdPort }} 21 | targetPort: {{ .Values.service.sshdPort }} 22 | protocol: TCP 23 | name: ssh 24 | selector: 25 | app.kubernetes.io/name: notary 26 | app.kubernetes.io/instance: {{ .Values.prefix }}-notary 27 | -------------------------------------------------------------------------------- /k8s/helm/notary-ip/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for notary-ip. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | nameOverride: "" 6 | fullnameOverride: "" 7 | 8 | service: 9 | type: LoadBalancer 10 | p2pPort: 10002 11 | sshdPort: 2222 12 | 13 | healthCheckNodePort: 0 14 | -------------------------------------------------------------------------------- /k8s/helm/notary/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /k8s/helm/notary/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: notary 3 | description: A Helm chart for Corda Notary (OS) 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | version: 2.0.6 18 | 19 | # This is the version number of the application being deployed. This version number should be 20 | # incremented each time you make changes to the application. 
| 21 | appVersion: 4.11.1 22 | -------------------------------------------------------------------------------- /k8s/helm/notary/files/create-network-parameters-file.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | {{ if eq .Values.bashDebug true }} 3 | set -x 4 | pwd 5 | cat -n etc/notary.conf 6 | {{ end }} 7 | 8 | # we need just the filename without full path as this is going to be mounted under different directory in NM 9 | nodeInfoFile=$(basename $(ls additional-node-infos/nodeInfo*)) 10 | export nodeInfoFile 11 | echo ${nodeInfoFile} 12 | 13 | # we create temp file and rename it to prevent race condition between Notary and Networkmap (case when this file got created but still was empty). NOTE: the notary is registered in the initial network parameters with validating = false regardless of .Values.notary.validating (which notary.conf uses) - keep the two in sync if you change that default. 14 | envsubst <<"EOF" > additional-node-infos/network-parameters-initial.conf.tmp 15 | notaries : [ 16 | { 17 | notaryNodeInfoFile: "notary-nodeinfo/${nodeInfoFile}" 18 | validating = false 19 | } 20 | ] 21 | minimumPlatformVersion = {{ .Values.mpv }} 22 | maxMessageSize = 10485760 23 | maxTransactionSize = 10485760 24 | eventHorizonDays = 1 25 | EOF 26 | 27 | mv additional-node-infos/network-parameters-initial.conf.tmp additional-node-infos/network-parameters-initial.conf 28 | cat additional-node-infos/network-parameters-initial.conf 29 | echo -------------------------------------------------------------------------------- /k8s/helm/notary/files/notary-initial-registration.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | {{ if eq .Values.bashDebug true }} 3 | set -x 4 | pwd 5 | cat -n etc/notary.conf 6 | {{ end }} 7 | 8 | NETWORK_ROOT_TRUSTSTORE=DATA/trust-stores/network-root-truststore.jks 9 | 10 | # 11 | # either download network-root-truststore.jks from specified URL ... 12 | # NOTE: this download is not integrity-checked: curl runs without --fail (an HTTP error page would be written to the truststore path) and the md5/sha256 printed further down are informational only. Use an https jksSource and compare the printed digests with the values the network operator published out-of-band before trusting this root. 13 | {{ if .Values.jksSource }} 14 | curl {{ .Values.jksSource }} -o ${NETWORK_ROOT_TRUSTSTORE} 15 | {{ end }} 16 | 17 | # 18 | # ... 
or wait for network-root-truststore.jks to be available 19 | # 20 | while true 21 | do 22 | if [ ! -f ${NETWORK_ROOT_TRUSTSTORE} ] 23 | then 24 | sleep 10 25 | else 26 | echo 27 | echo "md5/sha256 of ${NETWORK_ROOT_TRUSTSTORE}: " 28 | md5sum ${NETWORK_ROOT_TRUSTSTORE} | awk '{print $1}' | xargs printf " md5sum: %65s\n" 29 | sha256sum ${NETWORK_ROOT_TRUSTSTORE} | awk '{print $1}' | xargs printf "sha256sum: %65s\n" 30 | echo 31 | echo 32 | break 33 | fi 34 | done 35 | 36 | # 37 | # we start CENM services up almost in parallel so wait until idman port is open 38 | # 39 | server=$(echo {{ .Values.prefix }}-{{ .Values.networkServices.doormanURL }} | sed 's/\(.*\):\(.*\)/\1/' ) 40 | port=$(echo {{ .Values.networkServices.doormanURL }} | sed 's/\(.*\):\(.*\)/\2/' ) 41 | printf "Identity Manager server:%s\n" "${server}" 42 | printf " Identity Manager port:%s\n" "${port}" 43 | timeout 10m bash -c 'until printf "" 2>>/dev/null >>/dev/tcp/$0/$1; do echo "Waiting for Identity Manager to be accessible ..."; sleep 5; done' ${server} ${port} 44 | 45 | # two main reason for endless loop: 46 | # - repeat in case IdMan is temporarily not available (real life experience ...) 47 | # - kubernetes monitoring: pod stuck in initContainer stage - helps with monitoring 48 | while true 49 | do 50 | if [ ! -f certificates/nodekeystore.jks ] || [ ! -f certificates/sslkeystore.jks ] || [ ! -f certificates/truststore.jks ] 51 | then 52 | sleep 30 # guards against "Failed to find the request with id: ... in approved or done requests. This might happen when the Identity Manager was restarted during the approval process." 53 | echo 54 | echo "Notary: running initial registration ..." 
55 | echo 56 | java -Dcapsule.jvm.args='-Xmx{{ .Values.cordaJarMx }}G' -jar {{ .Values.jarPath }}/corda.jar \ 57 | initial-registration \ 58 | --config-file={{ .Values.configPath }}/notary.conf \ 59 | --log-to-console \ 60 | --network-root-truststore ${NETWORK_ROOT_TRUSTSTORE} \ 61 | --network-root-truststore-password trust-store-password 62 | EXIT_CODE=${?} 63 | echo 64 | echo "Initial registration exit code: ${EXIT_CODE}" 65 | echo 66 | else 67 | echo 68 | echo "Notary: already registered to Identity Manager - skipping initial registration." 69 | echo 70 | EXIT_CODE="0" 71 | break 72 | fi 73 | done 74 | 75 | if [ "${EXIT_CODE}" -ne "0" ] 76 | then 77 | echo 78 | echo "Notary initial registration failed - exit code: ${EXIT_CODE} (error)" 79 | echo 80 | echo "Going to sleep for the requested {{ .Values.sleepTimeAfterError }} seconds to let you log in and investigate." 81 | echo 82 | sleep {{ .Values.sleepTimeAfterError }} 83 | fi 84 | echo 85 | -------------------------------------------------------------------------------- /k8s/helm/notary/files/notary.conf: -------------------------------------------------------------------------------- 1 | networkServices { 2 | doormanURL="http://{{ .Values.prefix }}-{{ .Values.networkServices.doormanURL }}" 3 | networkMapURL="http://{{ .Values.prefix }}-{{ .Values.networkServices.networkMapURL }}" 4 | } 5 | 6 | dataSourceProperties { 7 | dataSource { 8 | password = "{{ .Values.dataSourceProperties.dataSource.password }}" 9 | url = "{{ .Values.dataSourceProperties.dataSource.url }}" 10 | user = "{{ .Values.dataSourceProperties.dataSource.user }}" 11 | } 12 | dataSourceClassName = "{{ .Values.dataSourceProperties.dataSourceClassName }}" 13 | } 14 | 15 | notary { 16 | validating = "{{ .Values.notary.validating }}" 17 | serviceLegalName = "O=Initial notary service for {{ .Values.prefix | upper }} environment,L=Zurich,C=CH" 18 | } 19 | 20 | devMode = {{ .Values.devMode }} 21 | emailAddress : "devops@r3.com" 22 | myLegalName : 
"O=Initial notary for {{ .Values.prefix | upper }} environment,L=Zurich,C=CH" 23 | p2pAddress : "{{ required "Public IP address required (add --set notaryPublicIP=x.x.x.x to your helm command)" .Values.notaryPublicIP }}:{{ .Values.p2pPort }}" 24 | rpcSettings { 25 | address="{{ .Values.rpcSettingsAddress }}:{{ .Values.rpcSettingsAddressPort }}" 26 | adminAddress="{{ .Values.rpcSettingsAdminAddress }}:{{ .Values.rpcSettingsAdminAddressPort }}" 27 | standAloneBroker="{{ .Values.rpcSettingsStandAloneBroker }}" 28 | useSsl="{{ .Values.rpcSettingsUseSsl }}" 29 | } 30 | 31 | rpcUsers=[ 32 | { 33 | username="{{ .Values.rpcUsers.username }}" 34 | password="{{ .Values.rpcUsers.password }}" 35 | permissions=[ 36 | ALL 37 | ] 38 | } 39 | ] 40 | 41 | sshd { 42 | port={{ .Values.sshdPort }} 43 | } -------------------------------------------------------------------------------- /k8s/helm/notary/files/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | {{ if eq .Values.bashDebug true }} 3 | set -x 4 | {{ end }} 5 | 6 | # 7 | # main run 8 | # 9 | if [ -f {{ .Values.jarPath }}/corda.jar ] 10 | then 11 | {{ if eq .Values.bashDebug true }} 12 | sha256sum {{ .Values.jarPath }}/corda.jar 13 | {{ end }} 14 | echo 15 | echo "CENM: starting Notary node ..." 16 | echo 17 | java -jar {{ .Values.jarPath }}/corda.jar -f {{ .Values.configPath }}/notary.conf 18 | EXIT_CODE=${?} 19 | else 20 | echo "Missing notary jar file in {{ .Values.jarPath }} directory:" 21 | ls -al {{ .Values.jarPath }} 22 | EXIT_CODE=110 23 | fi 24 | 25 | if [ "${EXIT_CODE}" -ne "0" ] 26 | then 27 | HOW_LONG={{ .Values.sleepTimeAfterError }} 28 | echo 29 | echo "Notary failed - exit code: ${EXIT_CODE} (error)" 30 | echo 31 | echo "Going to sleep for requested ${HOW_LONG} seconds to let you login and investigate." 
32 | echo 33 | sleep ${HOW_LONG} 34 | fi 35 | 36 | echo -------------------------------------------------------------------------------- /k8s/helm/notary/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "notary.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "notary.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "notary.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "notary.labels" -}} 38 | helm.sh/chart: {{ include "notary.chart" . }} 39 | {{ include "notary.selectorLabels" . }} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end -}} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "notary.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "notary.name" . 
}} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end -}} 53 | 54 | {{/* 55 | Create the name of the service account to use 56 | */}} 57 | {{- define "notary.serviceAccountName" -}} 58 | {{- if .Values.serviceAccount.create -}} 59 | {{ default (include "notary.fullname" .) .Values.serviceAccount.name }} 60 | {{- else -}} 61 | {{ default "default" .Values.serviceAccount.name }} 62 | {{- end -}} 63 | {{- end -}} 64 | -------------------------------------------------------------------------------- /k8s/helm/notary/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ .Values.prefix }}-notary-conf 6 | labels: 7 | {{ include "notary.labels" . | nindent 4 }} 8 | data: 9 | run.sh: |+ 10 | {{ tpl (.Files.Get "files/run.sh") . | nindent 4 }} 11 | 12 | notary-initial-registration.sh: |+ 13 | {{ tpl (.Files.Get "files/notary-initial-registration.sh") . | nindent 4 }} 14 | 15 | create-network-parameters-file.sh: |+ 16 | {{ tpl (.Files.Get "files/create-network-parameters-file.sh") . | nindent 4 }} 17 | 18 | notary.conf: |+ 19 | {{ tpl (.Files.Get "files/notary.conf") . 
| nindent 4 }} 20 | -------------------------------------------------------------------------------- /k8s/helm/notary/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: {{ .Values.prefix }}-notary-etc 6 | spec: 7 | accessModes: 8 | - ReadWriteOnce 9 | storageClassName: {{ .Values.storageClass }} 10 | resources: 11 | requests: 12 | storage: {{ .Values.volumeSizeNotaryEtc }} 13 | 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: {{ .Values.prefix }}-notary-nodeinfo 19 | spec: 20 | accessModes: 21 | - ReadWriteMany 22 | storageClassName: {{ .Values.storageClassShared }} 23 | resources: 24 | requests: 25 | storage: {{ .Values.volumeSizeNotaryNodeinfo }} 26 | 27 | --- 28 | apiVersion: v1 29 | kind: PersistentVolumeClaim 30 | metadata: 31 | name: {{ .Values.prefix }}-notary-certificates 32 | spec: 33 | accessModes: 34 | - ReadWriteOnce 35 | storageClassName: {{ .Values.storageClass }} 36 | resources: 37 | requests: 38 | storage: {{ .Values.volumeSizeNotaryCertificate }} 39 | 40 | --- 41 | apiVersion: v1 42 | kind: PersistentVolumeClaim 43 | metadata: 44 | name: {{ .Values.prefix }}-notary-logs 45 | spec: 46 | accessModes: 47 | - ReadWriteOnce 48 | storageClassName: {{ .Values.storageClass }} 49 | resources: 50 | requests: 51 | storage: {{ .Values.volumeSizeNotaryLogs }} 52 | 53 | --- 54 | apiVersion: v1 55 | kind: PersistentVolumeClaim 56 | metadata: 57 | name: {{ .Values.prefix }}-notary-h2 58 | spec: 59 | accessModes: 60 | - ReadWriteOnce 61 | storageClassName: {{ .Values.storageClass }} 62 | resources: 63 | requests: 64 | storage: {{ .Values.volumeSizeNotaryH2 }} 65 | -------------------------------------------------------------------------------- /k8s/helm/notary/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: 
Service 3 | metadata: 4 | name: {{ include "notary.fullname" . }} 5 | labels: 6 | {{- include "notary.labels" . | nindent 4 }} 7 | spec: 8 | # we need healthCheckNodePort set to get rid of logs pollution 9 | {{- if (.Values.healthCheckNodePort) }} 10 | healthCheckNodePort: {{ .Values.healthCheckNodePort }} 11 | {{- end }} 12 | ports: 13 | - port: {{ .Values.p2pPort }} 14 | targetPort: {{ .Values.p2pPort }} 15 | protocol: TCP 16 | name: http 17 | - port: {{ .Values.sshdPort }} 18 | targetPort: {{ .Values.sshdPort }} 19 | protocol: TCP 20 | name: ssh 21 | selector: 22 | {{- include "notary.selectorLabels" . | nindent 4 }} 23 | -------------------------------------------------------------------------------- /k8s/helm/notary/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "notary.serviceAccountName" . }} 6 | labels: 7 | {{- include "notary.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | {{- end -}} 13 | -------------------------------------------------------------------------------- /k8s/helm/notary/values.yaml: -------------------------------------------------------------------------------- 1 | ######################################## 2 | ### CENM configuration options ### 3 | ######################################## 4 | 5 | # Display more messages while executing Kubernetes deployment 6 | bashDebug: false 7 | 8 | # Docker images to use by the Notary Helm chart 9 | dockerImage: 10 | name: corda/enterprise-notary 11 | tag: 4.11.1-zulu-openjdk8u392 12 | pullPolicy: Always 13 | 14 | # Volume size for Notary bin/ directory 15 | volumeSizeNotaryBin: 2Gi 16 | 17 | # Volume size for Notary etc/ directory 18 | volumeSizeNotaryEtc: 10Mi 19 | 20 | # Volume size for Notary nodeinfo/ directory 21 | volumeSizeNotaryNodeinfo: 1Mi 22 | 23 | # Volume size for Notary certificate/ directory 24 | volumeSizeNotaryCertificate: 5Mi 25 | 26 | # Volume size for Notary logs/ directory 27 | volumeSizeNotaryLogs: 10Gi 28 | 29 | # Volume size for Notary h2/ directory 30 | volumeSizeNotaryH2: 10Gi 31 | 32 | # p2p port used to communicate with Corda nodes 33 | p2pPort: 10002 34 | 35 | # Memory size allocated to the main Notary container (in GB) 36 | cordaJarMx: 3 37 | 38 | # devMode 39 | devMode: false 40 | 41 | # ssh port for Notary 42 | sshdPort: 2222 43 | 44 | # Directory for the CENM service .jar file 45 | jarPath: bin 46 | 47 | # Directory for the CENM service configuration file(s) 48 | configPath: etc 49 | 50 | # Sleep time (in seconds) after an error occured 51 | sleepTimeAfterError: 120 52 | 53 | # URL where the network-root-truststore.jks is or would be available from 54 | jksSource: "" 55 | 56 | # Url for Identity Manager and Network Map services 57 | networkServices: 58 | doormanURL: idman-ip:10000 59 | networkMapURL: nmap:10000 60 | 61 | # Minimum platform version 62 | mpv: 3 63 | 64 | # Database configuration 65 | 
dataSourceProperties: 66 | dataSource: 67 | password: "ziAscD0MJnj4n4xkFWY6XuMBuw9bvYC7" 68 | url: "jdbc:h2:file:./h2/notary-persistence;DB_CLOSE_ON_EXIT=FALSE;WRITE_DELAY=0;LOCK_TIMEOUT=10000" 69 | user: "sa" 70 | dataSourceClassName: "org.h2.jdbcx.JdbcDataSource" 71 | 72 | # Type of Notary (used by notary.conf only; create-network-parameters-file.sh registers the notary in the initial network parameters with validating = false regardless of this value - keep the two in sync) 73 | notary: 74 | validating: false 75 | 76 | # Public IP for Notary (required parameter) 77 | notaryPublicIP: 78 | 79 | # RPC settings for Notary. NOTE: the defaults bind RPC to 0.0.0.0 with rpcSettingsUseSsl=false; it stays off the network only because the notary Services expose just p2pPort and sshdPort - keep it that way, or enable rpcSettingsUseSsl and restrict the bind address, before ever exposing rpcSettingsAddressPort. 80 | rpcSettingsAddress: "0.0.0.0" 81 | rpcSettingsAddressPort: 10003 82 | rpcSettingsAdminAddress: "localhost" 83 | rpcSettingsAdminAddressPort: 10770 84 | rpcSettingsStandAloneBroker: false 85 | rpcSettingsUseSsl: false 86 | 87 | # RPC user (also the login for the built-in ssh shell); notary.conf grants it permissions=[ALL]. The password below is a sample value committed to this chart - override it (e.g. --set rpcUsers.password=... sourced from a Kubernetes Secret) for any non-local deployment. 88 | rpcUsers: 89 | username: notary 90 | password: notaryP 91 | 92 | ######################################## 93 | ### Kubernetes related settings ### 94 | ######################################## 95 | 96 | # Name of Kubernetes secret storing credentials to Docker registry 97 | imagePullSecrets: 98 | - name: cenm-registry 99 | 100 | nameOverride: "" 101 | fullnameOverride: "" 102 | 103 | serviceAccount: 104 | # Specifies whether a service account should be created 105 | create: true 106 | # Annotations to add to the service account 107 | annotations: {} 108 | # The name of the service account to use. 109 | # If not set and create is true, a name is generated using the fullname template 110 | name: 111 | 112 | podSecurityContext: 113 | runAsUser: 1000 114 | runAsGroup: 1000 115 | fsGroup: 1000 116 | 117 | securityContext: {} 118 | # capabilities: 119 | # drop: 120 | # - ALL 121 | # readOnlyRootFilesystem: true 122 | # runAsNonRoot: true 123 | # runAsUser: 1000 124 | 125 | service: 126 | type: ClusterIP 127 | port: 80 128 | 129 | resources: 130 | # We usually recommend not to specify default resources and to leave this as a conscious 131 | # choice for the user. 
This also increases chances charts run on environments with little 132 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 133 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 134 | limits: 135 | # cpu: 100m 136 | memory: 2Gi 137 | requests: 138 | # cpu: 100m 139 | memory: 2Gi 140 | 141 | nodeSelector: {} 142 | 143 | tolerations: [] 144 | 145 | affinity: {} 146 | 147 | ## Liveness and readiness probe values 148 | ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 149 | ## 150 | livenessProbe: 151 | enabled: false 152 | failureThreshold: 5 153 | initialDelaySeconds: 120 154 | periodSeconds: 10 155 | successThreshold: 1 156 | timeoutSeconds: 1 157 | readinessProbe: 158 | enabled: false 159 | failureThreshold: 5 160 | initialDelaySeconds: 60 161 | periodSeconds: 10 162 | successThreshold: 1 163 | timeoutSeconds: 1 164 | 165 | 166 | storageClassShared: cenm-shared 167 | storageClass: cenm 168 | 169 | healthCheckNodePort: 0 170 | -------------------------------------------------------------------------------- /k8s/helm/pki/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /k8s/helm/pki/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: pki 3 | description: A Helm chart for CENM PKI Tool 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | version: 2.0.6 18 | 19 | # This is the version number of the application being deployed. This version number should be 20 | # incremented each time you make changes to the application. 
| 21 | appVersion: '1.6' 22 | -------------------------------------------------------------------------------- /k8s/helm/pki/files/pki.conf: -------------------------------------------------------------------------------- 1 | # https://docs.cenm.r3.com/pki-tool.html#certificate-templates -- NOTE: every keyStores/certificatesStores/key password in this file ("key-password", "password", "trust-store-password") is a literal placeholder committed to the chart, including the root CA, subordinate CA and CRL-signer keys; replace them and protect the generated DATA/key-stores before using this PKI for anything beyond a disposable test network. 2 | # defaultPassword = "password" 3 | 4 | keyStores = { 5 | "identity-manager-key-store" = { 6 | type = LOCAL 7 | file = "./DATA/key-stores/identity-manager-key-store.jks" 8 | password = "key-password" 9 | } 10 | "network-map-key-store" = { 11 | type = LOCAL 12 | file = "./DATA/key-stores/network-map-key-store.jks" 13 | password = "key-password" 14 | } 15 | "subordinate-key-store" = { 16 | type = LOCAL 17 | file = "./DATA/key-stores/subordinate-key-store.jks" 18 | password = "key-password" 19 | } 20 | "root-key-store" = { 21 | type = LOCAL 22 | file = "./DATA/key-stores/root-key-store.jks" 23 | password = "key-password" 24 | } 25 | "tls-crl-signer-key-store" = { 26 | type = LOCAL 27 | file = "./DATA/key-stores/tls-crl-signer-key-store.jks" 28 | password = "key-password" 29 | } 30 | "corda-ssl-network-map-keys" = { 31 | type = LOCAL 32 | file = "./DATA/key-stores/corda-ssl-network-map-keys.jks" 33 | password = "password" 34 | }, 35 | "corda-ssl-identity-manager-keys" = { 36 | type = LOCAL 37 | file = "./DATA/key-stores/corda-ssl-identity-manager-keys.jks" 38 | password = "password" 39 | }, 40 | "corda-ssl-signer-keys" = { 41 | type = LOCAL 42 | file = "./DATA/key-stores/corda-ssl-signer-keys.jks" 43 | password = "password" 44 | }, 45 | "corda-ssl-auth-keys" = { 46 | type = LOCAL 47 | file = "./DATA/key-stores/corda-ssl-auth-keys.jks" 48 | password = "password" 49 | }, 50 | "corda-ssl-root-keys" = { 51 | type = LOCAL 52 | file = "./DATA/key-stores/corda-ssl-root-keys.jks" 53 | password = "password" 54 | } 55 | } 56 | certificatesStores = { 57 | "network-root-trust-store" = { 58 | file = "./DATA/trust-stores/network-root-truststore.jks" 59 | password = "trust-store-password" 60 | } 61 
| "corda-ssl-trust-store" = { 62 | file = "./DATA/trust-stores/corda-ssl-trust-store.jks" 63 | password = "trust-store-password" 64 | } 65 | } 66 | certificates = { 67 | "tlscrlsigner" = { 68 | key = { 69 | type = LOCAL 70 | includeIn = ["tls-crl-signer-key-store"] 71 | algorithm = "ECDSA_SECP256R1_SHA256" 72 | password = "key-password" 73 | } 74 | isSelfSigned = true 75 | keyUsages = [CRL_SIGN] 76 | keyPurposes = [SERVER_AUTH, CLIENT_AUTH] 77 | validDays = 7300 78 | issuesCertificates = true 79 | subject = {{ .Values.pki.certificates.tlscrlsigner.subject | quote }} 80 | includeIn = ["network-root-trust-store"] 81 | crl = { 82 | crlDistributionUrl = "http://{{ required "Public IP address required (add --set idmanPublicIP=x.x.x.x to your helm command)" .Values.idmanPublicIP }}:{{ .Values.idmanPort }}/certificate-revocation-list/tls" 83 | indirectIssuer = true 84 | issuer = {{ .Values.pki.certificates.tlscrlsigner.crl.issuer | quote }} 85 | file = "./DATA/crl-files/tls.crl" 86 | } 87 | }, 88 | "cordarootca" = { 89 | key = { 90 | type = LOCAL 91 | includeIn = ["root-key-store"] 92 | algorithm = "ECDSA_SECP256R1_SHA256" 93 | password = "key-password" 94 | } 95 | isSelfSigned = true 96 | keyUsages = [DIGITAL_SIGNATURE, KEY_CERT_SIGN, CRL_SIGN] 97 | keyPurposes = [SERVER_AUTH, CLIENT_AUTH] 98 | validDays = 7300 99 | issuesCertificates = true 100 | subject = {{ .Values.pki.certificates.cordarootca.subject | quote }} 101 | includeIn = ["network-root-trust-store"] 102 | crl = { 103 | crlDistributionUrl = "http://{{ required "Public IP address required (add --set idmanPublicIP=x.x.x.x to your helm command)" .Values.idmanPublicIP }}:{{ .Values.idmanPort }}/certificate-revocation-list/root" 104 | file = "./DATA/crl-files/root.crl" 105 | } 106 | }, 107 | "subordinateca" = { 108 | key = { 109 | type = LOCAL 110 | includeIn = ["subordinate-key-store"] 111 | algorithm = "ECDSA_SECP256R1_SHA256" 112 | password = "key-password" 113 | } 114 | isSelfSigned = false 115 | signedBy = 
"cordarootca" 116 | keyUsages = [DIGITAL_SIGNATURE, KEY_CERT_SIGN, CRL_SIGN] 117 | keyPurposes = [SERVER_AUTH, CLIENT_AUTH] 118 | validDays = 7300 119 | issuesCertificates = true 120 | subject = {{ .Values.pki.certificates.subordinateca.subject | quote }} 121 | crl = { 122 | crlDistributionUrl = "http://{{ required "Public IP address required (add --set idmanPublicIP=x.x.x.x to your helm command)" .Values.idmanPublicIP }}:{{ .Values.idmanPort }}/certificate-revocation-list/subordinate" 123 | file = "./DATA/crl-files/subordinate.crl" 124 | } 125 | }, 126 | "identitymanagerca" = { 127 | key = { 128 | type = LOCAL 129 | includeIn = ["identity-manager-key-store"] 130 | algorithm = "ECDSA_SECP256R1_SHA256" 131 | password = "key-password" 132 | } 133 | isSelfSigned = false 134 | signedBy = "subordinateca" 135 | keyUsages = [DIGITAL_SIGNATURE, KEY_CERT_SIGN, CRL_SIGN] 136 | keyPurposes = [SERVER_AUTH, CLIENT_AUTH] 137 | validDays = 7300 138 | role = DOORMAN_CA 139 | issuesCertificates = true 140 | subject = {{ .Values.pki.certificates.identitymanagerca.subject | quote }} 141 | }, 142 | "networkmap" = { 143 | key = { 144 | type = LOCAL 145 | includeIn = ["network-map-key-store"] 146 | algorithm = "ECDSA_SECP256R1_SHA256" 147 | password = "key-password" 148 | } 149 | isSelfSigned = false 150 | signedBy = "subordinateca" 151 | keyUsages = [DIGITAL_SIGNATURE, KEY_CERT_SIGN, CRL_SIGN] 152 | keyPurposes = [SERVER_AUTH, CLIENT_AUTH] 153 | validDays = 7300 154 | role = NETWORK_MAP 155 | issuesCertificates = false 156 | subject = {{ .Values.pki.certificates.networkmap.subject | quote }} 157 | }, 158 | "::CORDA_SSL_ROOT" { 159 | key = { 160 | type = LOCAL 161 | includeIn = ["corda-ssl-identity-manager-keys"] 162 | algorithm = "ECDSA_SECP256R1_SHA256" 163 | password = "password" 164 | } 165 | crl = { 166 | crlDistributionUrl = "http://{{ required "Public IP address required (add --set idmanPublicIP=x.x.x.x to your helm command)" .Values.idmanPublicIP }}:{{ .Values.idmanPort 
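}}/certificate-revocation-list/ssl"
167 | file = "./DATA/crl-files/ssl.crl"
168 | }
169 | },
170 | "::CORDA_SSL_IDENTITY_MANAGER",
171 | "::CORDA_SSL_NETWORK_MAP",
172 | "::CORDA_SSL_SIGNER",
173 | "::CORDA_SSL_AUTH_SERVICE"
174 | }
175 | 
--------------------------------------------------------------------------------
/k8s/helm/pki/files/run.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | {{ if eq .Values.bashDebug true }}
3 | set -x
4 | {{ end }}
5 | 
6 | #
7 | # main run
8 | #
9 | # Block until the HSM chart has signalled that its libraries are in place.
10 | echo "Waiting for /opt/cenm/HSM/HSM-LOAD-DONE ..."
11 | until [ -f /opt/cenm/HSM/HSM-LOAD-DONE ]
12 | do
13 | sleep 2
14 | done
15 | 
16 | if [ -f {{ .Values.pkiJar.path }}/pkitool.jar ]
17 | then
18 | {{ if eq .Values.bashDebug true }}
19 | # Debug only: this dumps the full PKI Tool config, including the key-store
20 | # and trust-store passwords it contains, into the pod log. Keep bashDebug
21 | # off in any environment where logs are collected or shared.
22 | sha256sum {{ .Values.pkiJar.path }}/pkitool.jar
23 | cat {{ .Values.pkiJar.configPath }}/{{ .Values.pkiJar.configFile }}
24 | {{ end }}
25 | echo
26 | echo "CENM: starting PKI Tool process ..."
27 | echo
28 | echo "time java -Xmx{{ .Values.pkiJar.xmx }} -jar {{ .Values.pkiJar.path }}/pkitool.jar --config-file {{ .Values.pkiJar.configPath }}/{{ .Values.pkiJar.configFile }}"
29 | time java -Xmx{{ .Values.pkiJar.xmx }} -jar {{ .Values.pkiJar.path }}/pkitool.jar --config-file {{ .Values.pkiJar.configPath }}/{{ .Values.pkiJar.configFile }}
30 | EXIT_CODE=${?}
31 | else
32 | echo "Missing PKI Tool jar file in {{ .Values.pkiJar.path }} directory:"
33 | ls -al {{ .Values.pkiJar.path }}
34 | EXIT_CODE=110
35 | fi
36 | 
37 | # On failure keep the pod alive for sleepTimeAfterError seconds so the logs and
38 | # generated files can be inspected; on success drop the PKITOOL-DONE marker into
39 | # DATA/ (presumably polled by the other charts - confirm) and exit straight away.
40 | if [ "${EXIT_CODE}" -ne "0" ]
41 | then
42 | HOW_LONG={{ .Values.sleepTimeAfterError }}
43 | echo
44 | echo "PKI Tool failed - exit code: ${EXIT_CODE} (error)"
45 | echo
46 | echo "Going to sleep for requested ${HOW_LONG} seconds to let you login and investigate."
47 | echo
48 | else
49 | touch ./DATA/PKITOOL-DONE
50 | ls -al ./DATA/
51 | HOW_LONG=0
52 | fi
53 | 
54 | sleep ${HOW_LONG}
55 | echo
--------------------------------------------------------------------------------
/k8s/helm/pki/templates/NOTES.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/corda/cenm-deployment/4cbbf81ce962a8d8bb6672ca76e1e2dfe7619f72/k8s/helm/pki/templates/NOTES.txt
--------------------------------------------------------------------------------
/k8s/helm/pki/templates/_helpers.tpl:
--------------------------------------------------------------------------------
1 | {{/* vim: set filetype=mustache: */}}
2 | {{/*
3 | Expand the name of the chart.
4 | */}}
5 | {{- define "pki.name" -}}
6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
7 | {{- end -}}
8 | 
9 | {{/*
10 | Create a default fully qualified app name.
11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
12 | If release name contains chart name it will be used as a full name.
13 | */}}
14 | {{- define "pki.fullname" -}}
15 | {{- if .Values.fullnameOverride -}}
16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
17 | {{- else -}}
18 | {{- $name := default .Chart.Name .Values.nameOverride -}}
19 | {{- if contains $name .Release.Name -}}
20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
21 | {{- else -}}
22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
23 | {{- end -}}
24 | {{- end -}}
25 | {{- end -}}
26 | 
27 | {{/*
28 | Create chart name and version as used by the chart label.
29 | */}}
30 | {{- define "pki.chart" -}}
31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
32 | {{- end -}}
33 | 
34 | {{/*
35 | Common labels
36 | */}}
37 | {{- define "pki.labels" -}}
38 | helm.sh/chart: {{ include "pki.chart" .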
}} 39 | {{ include "pki.selectorLabels" . }} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end -}} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "pki.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "pki.name" . }} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end -}} 53 | 54 | {{/* 55 | Create the name of the service account to use 56 | */}} 57 | {{- define "pki.serviceAccountName" -}} 58 | {{- if .Values.serviceAccount.create -}} 59 | {{ default (include "pki.fullname" .) .Values.serviceAccount.name }} 60 | {{- else -}} 61 | {{ default "default" .Values.serviceAccount.name }} 62 | {{- end -}} 63 | {{- end -}} 64 | -------------------------------------------------------------------------------- /k8s/helm/pki/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: {{ .Values.prefix }}-pki-conf 7 | labels: 8 | {{ include "pki.labels" . | nindent 4 }} 9 | data: 10 | run.sh: |+ 11 | {{ tpl (.Files.Get "files/run.sh") . | nindent 4 }} 12 | 13 | pki.conf: |+ 14 | {{ tpl (.Files.Get "files/pki.conf") . | nindent 4 }} 15 | 16 | pki-azure.conf: |+ 17 | {{ tpl (.Files.Get "files/pki-azure.conf") . | nindent 4 }} 18 | -------------------------------------------------------------------------------- /k8s/helm/pki/templates/job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: {{ include "pki.fullname" . }} 5 | spec: 6 | backoffLimit: {{ .Values.backoffLimit }} 7 | template: 8 | spec: 9 | {{- with .Values.imagePullSecrets }} 10 | imagePullSecrets: 11 | {{- toYaml . 
| nindent 8 }} 12 | {{- end }} 13 | securityContext: 14 | {{- toYaml .Values.podSecurityContext | nindent 8 }} 15 | containers: 16 | - name: main 17 | securityContext: 18 | {{- toYaml .Values.securityContext | nindent 12 }} 19 | image: "{{ .Values.pkiImage.repository }}:{{ .Values.pkiImage.tag }}" 20 | imagePullPolicy: {{ .Values.pkiImage.pullPolicy }} 21 | command: ["/bin/bash", "-c"] 22 | args: 23 | - |- 24 | cp CM-FILES/pki.conf etc/pki.conf 25 | cp CM-FILES/pki-azure.conf etc/pki-azure.conf 26 | cp CM-FILES/run.sh bin/run.sh 27 | chmod +x bin/run.sh 28 | mkdir DATA/key-stores DATA/trust-stores DATA/crl-files 29 | bin/run.sh 30 | resources: 31 | {{- toYaml .Values.resources | nindent 12 }} 32 | volumeMounts: 33 | - name: pki-certs-keys 34 | mountPath: /opt/cenm/DATA 35 | - name: pki-etc 36 | mountPath: /opt/cenm/etc 37 | - name: hsm-libs 38 | mountPath: /opt/cenm/HSM 39 | - name: pki-conf 40 | mountPath: /opt/cenm/CM-FILES/pki.conf 41 | subPath: pki.conf 42 | - name: pki-conf 43 | mountPath: /opt/cenm/CM-FILES/pki-azure.conf 44 | subPath: pki-azure.conf 45 | - name: pki-conf 46 | mountPath: /opt/cenm/CM-FILES/run.sh 47 | subPath: run.sh 48 | restartPolicy: OnFailure 49 | volumes: 50 | - name: pki-conf 51 | configMap: 52 | name: {{ .Values.prefix }}-pki-conf 53 | - name: pki-etc 54 | persistentVolumeClaim: 55 | claimName: {{ .Values.prefix }}-pki-etc 56 | - name: pki-certs-keys 57 | persistentVolumeClaim: 58 | claimName: {{ .Values.prefix }}-pki-certs-keys 59 | - name: hsm-libs 60 | persistentVolumeClaim: 61 | claimName: {{ .Values.prefix }}-hsm-libs 62 | {{- with .Values.nodeSelector }} 63 | nodeSelector: 64 | {{- toYaml . | nindent 8 }} 65 | {{- end }} 66 | {{- with .Values.affinity }} 67 | affinity: 68 | {{- toYaml . | nindent 8 }} 69 | {{- end }} 70 | {{- with .Values.tolerations }} 71 | tolerations: 72 | {{- toYaml . 
| nindent 8 }} 73 | {{- end }} 74 | -------------------------------------------------------------------------------- /k8s/helm/pki/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: {{ .Values.prefix }}-pki-certs-keys 6 | spec: 7 | accessModes: 8 | - ReadWriteMany 9 | storageClassName: {{ .Values.storageClassShared }} 10 | resources: 11 | requests: 12 | storage: {{ .Values.volumeSizePkiCertsKeys }} 13 | 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: {{ .Values.prefix }}-pki-etc 19 | spec: 20 | accessModes: 21 | - ReadWriteOnce 22 | storageClassName: {{ .Values.storageClass }} 23 | resources: 24 | requests: 25 | storage: {{ .Values.volumeSizePkiEtc }} 26 | -------------------------------------------------------------------------------- /k8s/helm/pki/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "pki.serviceAccountName" . }} 6 | labels: 7 | {{- include "pki.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | {{- end -}} 13 | -------------------------------------------------------------------------------- /k8s/helm/pki/values.yaml: -------------------------------------------------------------------------------- 1 | ######################################## 2 | ### CENM configuration options ### 3 | ######################################## 4 | 5 | # Display more messages while executing the Kubernetes deployment 6 | bashDebug: false 7 | 8 | # Volume size for Certificates and Keys 9 | volumeSizePkiCertsKeys: 1Gi 10 | 11 | # Volume size for the etc/ directory (where the pki.conf file is stored) 12 | volumeSizePkiEtc: 1Gi 13 | 14 | # Docker image used by the PKI Helm chart 15 | pkiImage: 16 | repository: corda/enterprise-pkitool 17 | tag: 1.6-zulu-openjdk8u392 18 | pullPolicy: Always 19 | 20 | pkiJar: 21 | # value for Java -Xmx 22 | xmx: 1G 23 | # The directory where the PKI Tool jar (pkitool.jar) is stored 24 | path: bin 25 | # The directory where the PKI Tool configuration file is stored 26 | configPath: etc 27 | # Which config file to use 28 | configFile: pki.conf 29 | 30 | 31 | # Parameters related to the PKI Tool configuration file 32 | pki: 33 | keyStores: 34 | keyVaultUrl: "https://vault.vault.azure.net" 35 | credentials: 36 | keyStorePassword: "" 37 | keyStoreAlias: "1" 38 | clientId: "abcdefgh-1234-5678-9012-123456789012" 39 | certificates: 40 | tlscrlsigner: 41 | subject: "CN=Test TLS Signer Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" 42 | crl: 43 | issuer: "CN=Corda TLS Signer Certificate, OU=Corda, O=R3 HoldCo LLC, L=New York, C=US" 44 | cordarootca: 45 | subject: "CN=Test Root CA Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" 46 | subordinateca: 47 | subject: "CN=Test Subordinate CA Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" 48 | identitymanagerca: 49 | subject: "CN=Test Identity Manager Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" 50 | networkmap: 51 | subject: "CN=Test Network Map Service Certificate, OU=HQ, 
O=HoldCo LLC, L=New York, C=US" 52 | 53 | 54 | # Sleep time (in seconds) after an error occurred 55 | sleepTimeAfterError: 300 56 | 57 | # Identity Manager Service port (embedded in the CRL distribution URLs written into the certificates) 58 | idmanPort: 10000 59 | 60 | 61 | ######################################## 62 | ### Kubernetes related settings ### 63 | ######################################## 64 | 65 | # Name of the Kubernetes secret storing credentials for the Docker registry 66 | imagePullSecrets: 67 | - name: cenm-registry 68 | 69 | nameOverride: "" 70 | fullnameOverride: "" 71 | 72 | serviceAccount: 73 | # Specifies whether a service account should be created 74 | create: true 75 | # Annotations to add to the service account 76 | annotations: {} 77 | # The name of the service account to use 78 | # If not set and create is true, a name is generated using the fullname template 79 | name: 80 | 81 | podSecurityContext: 82 | runAsUser: 1000 83 | runAsGroup: 1000 84 | fsGroup: 1000 85 | 86 | securityContext: {} 87 | # capabilities: 88 | # drop: 89 | # - ALL 90 | # readOnlyRootFilesystem: true 91 | # runAsNonRoot: true 92 | # runAsUser: 1000 93 | 94 | resources: 95 | # We usually recommend not to specify default resources and to leave this as a conscious 96 | # choice for the user. This also increases the chances that charts run on environments with little 97 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 98 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
99 | limits: 100 | # cpu: 100m 101 | memory: 1Gi 102 | requests: 103 | # cpu: 100m 104 | memory: 1Gi 105 | 106 | nodeSelector: {} 107 | 108 | tolerations: [] 109 | 110 | affinity: {} 111 | 112 | # The number of retries before the PKI Job is considered as failed 113 | backoffLimit: 4 114 | 115 | storageClassShared: cenm-shared 116 | storageClass: cenm 117 | -------------------------------------------------------------------------------- /k8s/helm/signer/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /k8s/helm/signer/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: signer 3 | description: A Helm chart for CENM Signer 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 
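17 | version: 2.0.6
18 | 
19 | # This is the version number of the application being deployed. This version number should be
20 | # incremented each time you make changes to the application.
21 | appVersion: '1.6'
22 | 
--------------------------------------------------------------------------------
/k8s/helm/signer/files/getZoneToken.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | 
3 | # Start-up step: if no token file exists yet, retry the CLI login to the gateway
4 | # until it succeeds, then register this signer's admin address with the gateway.
5 | # NOTE(review): the login user and password on the java command line below are
6 | # hard-coded in a script that is rendered into a ConfigMap (templates/configmap.yaml).
7 | # They should be sourced from a Secret-backed environment variable, and this demo
8 | # value replaced, before the chart is used outside a test lab.
9 | if [ ! -f {{ .Values.signerJar.configPath }}/token ]
10 | then
11 | EXIT_CODE=1
12 | until [ "${EXIT_CODE}" -eq "0" ]
13 | do
14 | echo "Trying to login to {{ .Values.prefix }}-gateway:8080 ..."
15 | java -jar bin/cenm-tool.jar context login -s http://{{ .Values.prefix }}-gateway:8080 -u config-maintainer -p p4ssWord
16 | EXIT_CODE=${?}
17 | echo "EXIT_CODE=${EXIT_CODE}"
18 | sleep 5
19 | done
20 | 
21 | java -jar bin/cenm-tool.jar signer config set-admin-address -a={{ .Values.prefix }}-signer:{{ .Values.adminListener.port }}
22 | fi
23 | 
--------------------------------------------------------------------------------
/k8s/helm/signer/files/run.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | {{ if eq .Values.bashDebug true }}
3 | set -x
4 | {{ end }}
5 | 
6 | #
7 | # main run
8 | #
9 | # Block until the HSM chart has signalled that its libraries are in place.
10 | echo "Waiting for /opt/cenm/HSM/HSM-LOAD-DONE ..."
11 | until [ -f /opt/cenm/HSM/HSM-LOAD-DONE ]
12 | do
13 | sleep 2
14 | done
15 | 
16 | if [ -f {{ .Values.signerJar.path }}/signer.jar ]
17 | then
18 | {{ if eq .Values.bashDebug true }}
19 | # Debug only: this dumps the full Signer config, including the key-store
20 | # and trust-store passwords it contains, into the pod log. Keep bashDebug
21 | # off in any environment where logs are collected or shared.
22 | sha256sum {{ .Values.signerJar.path }}/signer.jar
23 | cat {{ .Values.signerJar.configPath }}/{{ .Values.signerJar.configFile }}
24 | {{ end }}
25 | echo
26 | echo "CENM: starting Signer process ..."
27 | echo
28 | java -Xmx{{ .Values.signerJar.xmx }} -jar {{ .Values.signerJar.path }}/signer.jar --config-file {{ .Values.signerJar.configPath }}/{{ .Values.signerJar.configFile }}
29 | EXIT_CODE=${?}
30 | else
31 | echo "Missing Signer jar file in {{ .Values.signerJar.path }} directory:"
32 | ls -al {{ .Values.signerJar.path }}
33 | EXIT_CODE=110
34 | fi
35 | 
36 | # On failure keep the pod alive for sleepTimeAfterError seconds so it can be
37 | # inspected. HOW_LONG must also be set on the success path (as pki/files/run.sh
38 | # does): without it the final sleep ran with no operand and printed an error.
39 | if [ "${EXIT_CODE}" -ne "0" ]
40 | then
41 | HOW_LONG={{ .Values.sleepTimeAfterError }}
42 | echo
43 | echo "Signer failed - exit code: ${EXIT_CODE} (error)"
44 | echo
45 | echo "Going to sleep for requested ${HOW_LONG} seconds to let you login and investigate."
46 | echo
47 | else
48 | HOW_LONG=0
49 | fi
50 | 
51 | sleep ${HOW_LONG}
52 | echo
--------------------------------------------------------------------------------
/k8s/helm/signer/files/signer-azure.conf:
--------------------------------------------------------------------------------
1 | hsmLibraries = [
2 | {
3 | type = AZURE_KEY_VAULT_HSM
4 | jars = ["/opt/cenm/HSM/azure-keyvault-with-deps.jar"]
5 | },
6 | ]
7 | 
8 | #############################################
9 | # All individual keys used in signing tasks #
10 | #############################################
11 | signingKeys = {
12 | "cordaidentitymanagerca" = {
13 | alias = "identitymanagerca"
14 | type = AZURE_KEY_VAULT_HSM
15 | keyStore = {
16 | keyVaultUrl = "{{ .Values.signingKeys.keyStore.keyVaultUrl }}"
17 | protection = "SOFTWARE"
18 | },
19 | credentials {
20 | keyStorePath = "/opt/cenm/HSM/out.pkcs12"
21 | keyStorePassword = "{{ .Values.signingKeys.credentials.keyStorePassword }}"
22 | keyStoreAlias = "{{ .Values.signingKeys.credentials.keyStoreAlias }}"
23 | clientId = "{{ .Values.signingKeys.credentials.clientId }}"
24 | }
25 | certificateStore = {
26 | file = "./DATA/trust-stores/certificate-store.jks"
27 | password = "trust-store-password"
28 | }
29 | },
30 | "cordanetworkmap" = {
31 | alias = "networkmap"
32 | type = AZURE_KEY_VAULT_HSM
33 | keyStore = {
34 | keyVaultUrl = "{{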
.Values.signingKeys.keyStore.keyVaultUrl }}" 35 | protection = "SOFTWARE" 36 | }, 37 | credentials { 38 | keyStorePath = "/opt/cenm/HSM/out.pkcs12" 39 | keyStorePassword = "{{ .Values.signingKeys.credentials.keyStorePassword }}" 40 | keyStoreAlias = "{{ .Values.signingKeys.credentials.keyStoreAlias }}" 41 | clientId = "{{ .Values.signingKeys.credentials.clientId }}" 42 | } 43 | certificateStore = { 44 | file = "./DATA/trust-stores/certificate-store.jks" 45 | password = "trust-store-password" 46 | } 47 | } 48 | } 49 | 50 | ################################################### 51 | # Signing tasks to be run (manually or scheduled) # 52 | ################################################### 53 | signers = { 54 | "CSR" = { 55 | type = CSR 56 | signingKeyAlias = "cordaidentitymanagerca" 57 | crlDistributionPoint = "http://{{ required "Public IP address required (add --set idmanPublicIP=x.x.x.x to your helm command)" .Values.idmanPublicIP }}:{{ .Values.idmanPort }}/certificate-revocation-list/doorman" 58 | validDays = 7300 # 20 year certificate expiry 59 | schedule { 60 | interval = {{ .Values.signers.CSR.schedule.interval }} 61 | } 62 | serviceLocation = [ 63 | { 64 | host = {{ .Values.prefix }}-{{ .Values.serviceLocations.identityManager.host }} 65 | port = {{ .Values.serviceLocations.identityManager.port }} 66 | ssl = { 67 | keyStore = { 68 | location = "./DATA/key-stores/corda-ssl-signer-keys.jks" 69 | password = password 70 | } 71 | trustStore = { 72 | location = "./DATA/trust-stores/corda-ssl-trust-store.jks" 73 | password = trust-store-password 74 | } 75 | validate = true 76 | } 77 | } 78 | ] 79 | }, 80 | "CRL" = { 81 | type = CRL 82 | signingKeyAlias = "cordaidentitymanagerca" 83 | crlDistributionPoint = "http://{{ required "Public IP address required (add --set idmanPublicIP=x.x.x.x to your helm command)" .Values.idmanPublicIP }}:{{ .Values.idmanPort }}/certificate-revocation-list/doorman" 84 | # updatePeriod = 86400000 # 1 day CRL expiry 85 | updatePeriod = 
604800000 # 1 week CRL expiry 86 | schedule { 87 | interval = {{ .Values.signers.CRL.schedule.interval }} 88 | } 89 | serviceLocation = [ 90 | { 91 | host = {{ .Values.prefix }}-{{ .Values.serviceLocations.identityManager.host }} 92 | port = {{ .Values.serviceLocations.revocation.port }} 93 | ssl = { 94 | keyStore = { 95 | location = "./DATA/key-stores/corda-ssl-signer-keys.jks" 96 | password = password 97 | } 98 | trustStore = { 99 | location = "./DATA/trust-stores/corda-ssl-trust-store.jks" 100 | password = trust-store-password 101 | } 102 | validate = true 103 | } 104 | } 105 | ] 106 | }, 107 | "NetworkMap" = { 108 | type = NETWORK_MAP 109 | signingKeyAlias = "cordanetworkmap" 110 | schedule { 111 | interval = {{ .Values.signers.NetworkMap.schedule.interval }} 112 | } 113 | serviceLocation = [ 114 | { 115 | host = {{ .Values.prefix }}-{{ .Values.serviceLocations.networkMap.host }} 116 | port = {{ .Values.serviceLocations.networkMap.port }} 117 | ssl = { 118 | keyStore = { 119 | location = "./DATA/key-stores/corda-ssl-signer-keys.jks" 120 | password = password 121 | } 122 | trustStore = { 123 | location = "./DATA/trust-stores/corda-ssl-trust-store.jks" 124 | password = trust-store-password 125 | } 126 | validate = true 127 | } 128 | } 129 | ] 130 | }, 131 | "NetworkParameters" = { 132 | type = NETWORK_PARAMETERS 133 | signingKeyAlias = "cordanetworkmap" 134 | schedule { 135 | interval = {{ .Values.signers.NetworkParameters.schedule.interval }} 136 | } 137 | serviceLocation = [ 138 | { 139 | host = {{ .Values.prefix }}-{{ .Values.serviceLocations.networkMap.host }} 140 | port = {{ .Values.serviceLocations.networkMap.port }} 141 | ssl = { 142 | keyStore = { 143 | location = "./DATA/key-stores/corda-ssl-signer-keys.jks" 144 | password = password 145 | } 146 | trustStore = { 147 | location = "./DATA/trust-stores/corda-ssl-trust-store.jks" 148 | password = trust-store-password 149 | } 150 | validate = true 151 | } 152 | } 153 | ] 154 | } 155 | } 156 | 157 | 
authServiceConfig = { 158 | disableAuthentication = false 159 | host="{{ .Values.prefix }}-auth" 160 | port={{ .Values.authService.port }} 161 | trustStore = { 162 | location = "./DATA/trust-stores/corda-ssl-trust-store.jks" 163 | password = trust-store-password 164 | } 165 | issuer="http://test" 166 | leeway=5s 167 | } 168 | 169 | adminListener = { 170 | port = {{ .Values.adminListener.port }} 171 | ssl = { 172 | keyStore = { 173 | location = ./DATA/key-stores/corda-ssl-identity-manager-keys.jks 174 | password = password 175 | } 176 | trustStore = { 177 | location = ./DATA/trust-stores/corda-ssl-trust-store.jks 178 | password = trust-store-password 179 | } 180 | } 181 | } 182 | -------------------------------------------------------------------------------- /k8s/helm/signer/files/signer.conf: -------------------------------------------------------------------------------- 1 | 2 | ############################################# 3 | # All individual keys used in signing tasks # 4 | ############################################# 5 | signingKeys = { 6 | "cordaidentitymanagerca" = { 7 | alias = "identitymanagerca" 8 | type = LOCAL 9 | password = "key-password" 10 | keyStore { 11 | file = "./DATA/key-stores/identity-manager-key-store.jks" 12 | password = "key-password" 13 | } 14 | }, 15 | "cordanetworkmap" = { 16 | alias = "networkmap" 17 | type = LOCAL 18 | password = "key-password" 19 | keyStore { 20 | file = "./DATA/key-stores/network-map-key-store.jks" 21 | password = "key-password" 22 | } 23 | } 24 | } 25 | 26 | ################################################### 27 | # Signing tasks to be run (manually or scheduled) # 28 | ################################################### 29 | signers = { 30 | "CSR" = { 31 | type = CSR 32 | signingKeyAlias = "cordaidentitymanagerca" 33 | crlDistributionPoint = "http://{{ required "Public IP address required (add --set idmanPublicIP=x.x.x.x to your helm command)" .Values.idmanPublicIP }}:{{ .Values.idmanPort 
}}/certificate-revocation-list/doorman" 34 | validDays = 7300 # 20 year certificate expiry 35 | schedule { 36 | interval = {{ .Values.signers.CSR.schedule.interval }} 37 | } 38 | serviceLocation = [ 39 | { 40 | host = {{ .Values.prefix }}-{{ .Values.serviceLocations.identityManager.host }} 41 | port = {{ .Values.serviceLocations.identityManager.port }} 42 | ssl = { 43 | keyStore = { 44 | location = "./DATA/key-stores/corda-ssl-signer-keys.jks" 45 | password = password 46 | } 47 | trustStore = { 48 | location = "./DATA/trust-stores/corda-ssl-trust-store.jks" 49 | password = trust-store-password 50 | } 51 | validate = true 52 | } 53 | } 54 | ] 55 | }, 56 | "CRL" = { 57 | type = CRL 58 | signingKeyAlias = "cordaidentitymanagerca" 59 | crlDistributionPoint = "http://{{ required "Public IP address required (add --set idmanPublicIP=x.x.x.x to your helm command)" .Values.idmanPublicIP }}:{{ .Values.idmanPort }}/certificate-revocation-list/doorman" 60 | # updatePeriod = 86400000 # 1 day CRL expiry 61 | updatePeriod = 604800000 # 1 week CRL expiry 62 | schedule { 63 | interval = {{ .Values.signers.CRL.schedule.interval }} 64 | } 65 | serviceLocation = [ 66 | { 67 | host = {{ .Values.prefix }}-{{ .Values.serviceLocations.identityManager.host }} 68 | port = {{ .Values.serviceLocations.revocation.port }} 69 | ssl = { 70 | keyStore = { 71 | location = "./DATA/key-stores/corda-ssl-signer-keys.jks" 72 | password = password 73 | } 74 | trustStore = { 75 | location = "./DATA/trust-stores/corda-ssl-trust-store.jks" 76 | password = trust-store-password 77 | } 78 | validate = true 79 | } 80 | } 81 | ] 82 | }, 83 | "NetworkMap" = { 84 | type = NETWORK_MAP 85 | signingKeyAlias = "cordanetworkmap" 86 | schedule { 87 | interval = {{ .Values.signers.NetworkMap.schedule.interval }} 88 | } 89 | serviceLocation = [ 90 | { 91 | host = {{ .Values.prefix }}-{{ .Values.serviceLocations.networkMap.host }} 92 | port = {{ .Values.serviceLocations.networkMap.port }} 93 | ssl = { 94 | keyStore = { 95 
| location = "./DATA/key-stores/corda-ssl-signer-keys.jks" 96 | password = password 97 | } 98 | trustStore = { 99 | location = "./DATA/trust-stores/corda-ssl-trust-store.jks" 100 | password = trust-store-password 101 | } 102 | validate = true 103 | } 104 | } 105 | ] 106 | }, 107 | "NetworkParameters" = { 108 | type = NETWORK_PARAMETERS 109 | signingKeyAlias = "cordanetworkmap" 110 | schedule { 111 | interval = {{ .Values.signers.NetworkParameters.schedule.interval }} 112 | } 113 | serviceLocation = [ 114 | { 115 | host = {{ .Values.prefix }}-{{ .Values.serviceLocations.networkMap.host }} 116 | port = {{ .Values.serviceLocations.networkMap.port }} 117 | ssl = { 118 | keyStore = { 119 | location = "./DATA/key-stores/corda-ssl-signer-keys.jks" 120 | password = password 121 | } 122 | trustStore = { 123 | location = "./DATA/trust-stores/corda-ssl-trust-store.jks" 124 | password = trust-store-password 125 | } 126 | validate = true 127 | } 128 | } 129 | ] 130 | } 131 | } 132 | 133 | authServiceConfig = { 134 | disableAuthentication = false 135 | host="{{ .Values.prefix }}-auth" 136 | port={{ .Values.authService.port }} 137 | trustStore = { 138 | location = "./DATA/trust-stores/corda-ssl-trust-store.jks" 139 | password = trust-store-password 140 | } 141 | issuer="http://test" 142 | leeway=5s 143 | } 144 | 145 | adminListener = { 146 | port = {{ .Values.adminListener.port }} 147 | ssl = { 148 | keyStore = { 149 | location = ./DATA/key-stores/corda-ssl-identity-manager-keys.jks 150 | password = password 151 | } 152 | trustStore = { 153 | location = ./DATA/trust-stores/corda-ssl-trust-store.jks 154 | password = trust-store-password 155 | } 156 | } 157 | } -------------------------------------------------------------------------------- /k8s/helm/signer/templates/NOTES.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/corda/cenm-deployment/4cbbf81ce962a8d8bb6672ca76e1e2dfe7619f72/k8s/helm/signer/templates/NOTES.txt -------------------------------------------------------------------------------- /k8s/helm/signer/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "signer.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "signer.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "signer.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "signer.labels" -}} 38 | helm.sh/chart: {{ include "signer.chart" . }} 39 | {{ include "signer.selectorLabels" . 
}} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end -}} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "signer.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "signer.name" . }} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end -}} 53 | 54 | {{/* 55 | Create the name of the service account to use 56 | */}} 57 | {{- define "signer.serviceAccountName" -}} 58 | {{- if .Values.serviceAccount.create -}} 59 | {{ default (include "signer.fullname" .) .Values.serviceAccount.name }} 60 | {{- else -}} 61 | {{ default "default" .Values.serviceAccount.name }} 62 | {{- end -}} 63 | {{- end -}} 64 | -------------------------------------------------------------------------------- /k8s/helm/signer/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: {{ .Values.prefix }}-signer-conf 7 | labels: 8 | {{ include "signer.labels" . | nindent 4 }} 9 | data: 10 | run.sh: |+ 11 | {{ tpl (.Files.Get "files/run.sh") . | nindent 4 }} 12 | 13 | signer.conf: |+ 14 | {{ tpl (.Files.Get "files/signer.conf") . | nindent 4 }} 15 | 16 | getZoneToken.sh: |+ 17 | {{ tpl (.Files.Get "files/getZoneToken.sh") . | nindent 4 }} 18 | 19 | signer-azure.conf: |+ 20 | {{ tpl (.Files.Get "files/signer-azure.conf") . | nindent 4 }} 21 | -------------------------------------------------------------------------------- /k8s/helm/signer/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "signer.fullname" . }} 5 | labels: 6 | {{- include "signer.labels" . | nindent 4 }} 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | {{- include "signer.selectorLabels" . 
| nindent 6 }} 12 | template: 13 | metadata: 14 | labels: 15 | {{- include "signer.selectorLabels" . | nindent 8 }} 16 | spec: 17 | {{- with .Values.imagePullSecrets }} 18 | imagePullSecrets: 19 | {{- toYaml . | nindent 8 }} 20 | {{- end }} 21 | serviceAccountName: {{ include "signer.serviceAccountName" . }} 22 | securityContext: 23 | {{- toYaml .Values.podSecurityContext | nindent 8 }} 24 | initContainers: 25 | - name: init-token 26 | env: 27 | - name: ACCEPT_LICENSE 28 | value: "{{required "You must accept the license agreement to use this software." .Values.acceptLicense }}" 29 | securityContext: 30 | {{- toYaml .Values.securityContext | nindent 12 }} 31 | image: "{{ required "signer[cli]: missing value for .Values.dockerImageCli.repository" .Values.dockerImageCli.repository }}:{{ required "signer[cli]: missing value for .Values.dockerImageCli.tag" .Values.dockerImageCli.tag }}" 32 | imagePullPolicy: {{ .Values.dockerImageCli.pullPolicy }} 33 | command: ["/bin/bash", "-c"] 34 | args: 35 | - |- 36 | [ ! -f etc/signer.conf ] && cp CM/signer.conf etc/ 37 | [ ! 
-f etc/signer-azure.conf ] && cp CM/signer-azure.conf etc/ 38 | cp CM/*.sh bin/ 39 | chmod +x bin/* 40 | bin/getZoneToken.sh 41 | resources: 42 | {{- toYaml .Values.resources | nindent 12 }} 43 | volumeMounts: 44 | - name: signer-etc 45 | mountPath: /opt/cenm/etc 46 | - name: signer-conf 47 | mountPath: /opt/cenm/CM/getZoneToken.sh 48 | subPath: getZoneToken.sh 49 | - name: signer-conf 50 | mountPath: /opt/cenm/CM/signer.conf 51 | subPath: signer.conf 52 | - name: signer-conf 53 | mountPath: /opt/cenm/CM/signer-azure.conf 54 | subPath: signer-azure.conf 55 | containers: 56 | - name: main 57 | securityContext: 58 | {{- toYaml .Values.securityContext | nindent 12 }} 59 | image: "{{ .Values.signerImage.repository }}:{{ .Values.signerImage.tag }}" 60 | imagePullPolicy: {{ .Values.signerImage.pullPolicy }} 61 | command: ["/bin/bash", "-c"] 62 | args: 63 | - |- 64 | cp -p CM/*.sh bin/ 65 | chmod +x bin/* 66 | bin/run.sh 67 | {{- if .Values.livenessProbe.enabled }} 68 | livenessProbe: 69 | tcpSocket: 70 | port: {{ .Values.adminListener.port }} 71 | initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} 72 | periodSeconds: {{ .Values.livenessProbe.periodSeconds }} 73 | timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} 74 | successThreshold: {{ .Values.livenessProbe.successThreshold }} 75 | failureThreshold: {{ .Values.livenessProbe.failureThreshold }} 76 | {{- end }} 77 | {{- if .Values.readinessProbe.enabled }} 78 | readinessProbe: 79 | tcpSocket: 80 | port: {{ .Values.adminListener.port }} 81 | initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} 82 | periodSeconds: {{ .Values.readinessProbe.periodSeconds }} 83 | timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} 84 | successThreshold: {{ .Values.readinessProbe.successThreshold }} 85 | failureThreshold: {{ .Values.readinessProbe.failureThreshold }} 86 | {{- end }} 87 | resources: 88 | {{- toYaml .Values.resources | nindent 12 }} 89 | volumeMounts: 90 | - name: 
pki-certs-keys 91 | mountPath: /opt/cenm/DATA 92 | - name: hsm-libs 93 | mountPath: /opt/cenm/HSM 94 | - name: signer-etc 95 | mountPath: /opt/cenm/etc 96 | - name: signer-logs 97 | mountPath: /opt/cenm/logs 98 | - name: signer-conf 99 | mountPath: /opt/cenm/CM/run.sh 100 | subPath: run.sh 101 | - name: signer-conf 102 | mountPath: /opt/cenm/CM/signer.conf 103 | subPath: signer.conf 104 | - name: signer-conf 105 | mountPath: /opt/cenm/CM/signer-azure.conf 106 | subPath: signer-azure.conf 107 | {{- if .Values.logsContainersEnabled }} 108 | - name: logs-signer 109 | securityContext: 110 | {{- toYaml .Values.securityContext | nindent 12 }} 111 | image: "{{ .Values.signerImage.repository }}:{{ .Values.signerImage.tag }}" 112 | imagePullPolicy: {{ .Values.signerImage.pullPolicy }} 113 | command: ["/bin/bash", "-c"] 114 | args: 115 | - |- 116 | cd /opt/cenm/ 117 | while true; do tail -f logs/signing-service/*.log 2>/dev/null ; sleep 5; done 118 | # in case sth went wrong just wait indefinitely ... 119 | tail -f /dev/null 120 | volumeMounts: 121 | - name: signer-logs 122 | mountPath: /opt/cenm/logs 123 | resources: 124 | {{- toYaml .Values.resources | nindent 12 }} 125 | {{- end }} 126 | volumes: 127 | - name: pki-certs-keys 128 | persistentVolumeClaim: 129 | claimName: {{ .Values.prefix }}-pki-certs-keys 130 | - name: hsm-libs 131 | persistentVolumeClaim: 132 | claimName: {{ .Values.prefix }}-hsm-libs 133 | - name: signer-etc 134 | persistentVolumeClaim: 135 | claimName: {{ .Values.prefix }}-signer-etc 136 | - name: signer-logs 137 | persistentVolumeClaim: 138 | claimName: {{ .Values.prefix }}-signer-logs 139 | - name: signer-conf 140 | configMap: 141 | name: {{ .Values.prefix }}-signer-conf 142 | {{- with .Values.nodeSelector }} 143 | nodeSelector: 144 | {{- toYaml . | nindent 8 }} 145 | {{- end }} 146 | {{- with .Values.affinity }} 147 | affinity: 148 | {{- toYaml . 
| nindent 8 }} 149 | {{- end }} 150 | {{- with .Values.tolerations }} 151 | tolerations: 152 | {{- toYaml . | nindent 8 }} 153 | {{- end }} 154 | -------------------------------------------------------------------------------- /k8s/helm/signer/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: {{ .Values.prefix }}-signer-etc 6 | spec: 7 | accessModes: 8 | - ReadWriteOnce 9 | storageClassName: {{ .Values.storageClass }} 10 | resources: 11 | requests: 12 | storage: {{ .Values.volumeSizeSignerEtc }} 13 | 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: {{ .Values.prefix }}-signer-logs 19 | spec: 20 | accessModes: 21 | - ReadWriteOnce 22 | storageClassName: {{ .Values.storageClass }} 23 | resources: 24 | requests: 25 | storage: {{ .Values.volumeSizeSignerLogs }} 26 | -------------------------------------------------------------------------------- /k8s/helm/signer/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "signer.fullname" . }} 5 | labels: 6 | {{- include "signer.labels" . | nindent 4 }} 7 | spec: 8 | {{- if .Values.healthCheckNodePort }} 9 | healthCheckNodePort: {{ .Values.healthCheckNodePort }} 10 | {{- end }} 11 | {{- if .Values.externalTrafficPolicy }} 12 | externalTrafficPolicy: {{ .Values.externalTrafficPolicy }} 13 | {{- end }} 14 | type: {{ .Values.adminListener.type }} 15 | ports: 16 | - port: {{ .Values.adminListener.port }} 17 | targetPort: {{ .Values.adminListener.port }} 18 | protocol: TCP 19 | name: adminlistener 20 | selector: 21 | {{- include "signer.selectorLabels" . 
| nindent 4 }} 22 | -------------------------------------------------------------------------------- /k8s/helm/signer/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "signer.serviceAccountName" . }} 6 | labels: 7 | {{- include "signer.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- end -}} 13 | -------------------------------------------------------------------------------- /k8s/helm/signer/values.yaml: -------------------------------------------------------------------------------- 1 | ######################################## 2 | ### CENM configuration options ### 3 | ######################################## 4 | 5 | # Display more messages while executing Kubernetes deployment 6 | bashDebug: false 7 | 8 | # Docker images to use by the Signing Service Helm chart 9 | signerImage: 10 | repository: corda/enterprise-signer 11 | tag: 1.6-zulu-openjdk8u392 12 | pullPolicy: Always 13 | 14 | dockerImageCli: 15 | repository: corda/enterprise-cli 16 | tag: 1.6-zulu-openjdk8u392 17 | pullPolicy: Always 18 | 19 | # Volume size for the etc/ directory 20 | volumeSizeSignerEtc: 1Mi 21 | 22 | # Volume size for the logs/ directory 23 | volumeSizeSignerLogs: 10Gi 24 | 25 | signerJar: 26 | # Value for java -Xmx 27 | xmx: 1G 28 | # The directory where the Signing Service .jar file is stored 29 | path: bin 30 | # The directory where the Signing Service configuration is stored 31 | configPath: etc 32 | # Which config file to use 33 | configFile: signer.conf 34 | 35 | # Required parameter 36 | acceptLicense: 37 | 38 | signers: 39 | CSR: 40 | schedule: 41 | interval: 1m 42 | CRL: 43 | schedule: 44 | interval: 1d 45 | NetworkMap: 46 | schedule: 47 | interval: 1m 48 | NetworkParameters: 49 | schedule: 50 
| interval: 1m 51 | 52 | signingKeys: 53 | keyStore: 54 | keyVaultUrl: "https://vault.vault.azure.net" 55 | credentials: 56 | keyStorePassword: "" 57 | keyStoreAlias: "1" 58 | clientId: "abcdefgh-1234-5678-9012-123456789012" 59 | 60 | pki: 61 | certificates: 62 | tlscrlsigner: 63 | subject: "CN=Test TLS Signer Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" 64 | crl: 65 | issuer: "CN=Corda TLS Signer Certificate, OU=Corda, O=R3 HoldCo LLC, L=New York, C=US" 66 | cordarootca: 67 | subject: "CN=Test Root CA Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" 68 | subordinateca: 69 | subject: "CN=Test Subordinate CA Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" 70 | identitymanagerca: 71 | subject: "CN=Test Identity Manager Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" 72 | networkmap: 73 | subject: "CN=Test Network Map Service Certificate, OU=HQ, O=HoldCo LLC, L=New York, C=US" 74 | 75 | # Sleep time (in seconds) after an error occured 76 | sleepTimeAfterError: 120 77 | 78 | # Enable container displaying live logs 79 | logsContainersEnabled: true 80 | 81 | ######################################## 82 | ### Kubernetes related settings ### 83 | ######################################## 84 | 85 | # Name of Kubernetes secret storing credentials to Docker registry 86 | imagePullSecrets: 87 | - name: cenm-registry 88 | 89 | nameOverride: "" 90 | fullnameOverride: "" 91 | 92 | serviceAccount: 93 | # Specifies whether a service account should be created 94 | create: true 95 | # Annotations to add to the service account 96 | annotations: {} 97 | # The name of the service account to use. 
98 | # If not set and create is true, a name is generated using the fullname template 99 | name: 100 | 101 | podSecurityContext: 102 | runAsUser: 1000 103 | runAsGroup: 1000 104 | fsGroup: 1000 105 | 106 | securityContext: 107 | # capabilities: 108 | # drop: 109 | # - ALL 110 | # readOnlyRootFilesystem: true 111 | runAsUser: 1000 112 | runAsGroup: 1000 113 | runAsNonRoot: true 114 | allowPrivilegeEscalation: false 115 | 116 | resources: 117 | # We usually recommend not to specify default resources and to leave this as a conscious 118 | # choice for the user. This also increases chances charts run on environments with little 119 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 120 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 121 | limits: 122 | # cpu: 100m 123 | memory: 1Gi 124 | requests: 125 | # cpu: 100m 126 | memory: 1Gi 127 | 128 | nodeSelector: {} 129 | 130 | tolerations: [] 131 | 132 | affinity: {} 133 | 134 | ## Liveness and readiness probe values 135 | ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 136 | ## 137 | livenessProbe: 138 | enabled: false 139 | failureThreshold: 3 140 | initialDelaySeconds: 10 141 | periodSeconds: 10 142 | successThreshold: 1 143 | timeoutSeconds: 1 144 | readinessProbe: 145 | enabled: false 146 | failureThreshold: 3 147 | initialDelaySeconds: 10 148 | periodSeconds: 10 149 | successThreshold: 1 150 | timeoutSeconds: 1 151 | 152 | storageClass: cenm 153 | 154 | # Local policy and healthCheckNodePort are set to get rid of logs pollution 155 | healthCheckNodePort: 0 156 | 157 | serviceLocations: 158 | identityManager: 159 | host: idman-internal 160 | port: 5052 161 | networkMap: 162 | host: nmap-internal 163 | port: 5050 164 | revocation: 165 | port: 5053 166 | 167 | # Required parameter 168 | idmanPublicIP: 169 | 170 | idmanPort: 10000 171 | 172 | authService: 173 | port: 8081 174 | 175 | adminListener: 
176 | type: ClusterIP 177 | port: 6000 178 | 179 | externalTrafficPolicy: 180 | -------------------------------------------------------------------------------- /k8s/helm/zone/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /k8s/helm/zone/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: zone 3 | description: A Helm chart for CENM zone 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | version: 2.0.6 18 | 19 | # This is the version number of the application being deployed. This version number should be 20 | # incremented each time you make changes to the application. 
21 | appVersion: '1.6' 22 | -------------------------------------------------------------------------------- /k8s/helm/zone/files/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # 4 | # main run 5 | # 6 | if [ -f {{ .Values.zoneJar.path }}/zone.jar ] 7 | then 8 | echo 9 | echo "CENM: starting up zone process ..." 10 | echo 11 | set -x 12 | java -jar {{ .Values.zoneJar.path }}/zone.jar \ 13 | --user "{{ .Values.database.user }}" \ 14 | --password "{{ .Values.database.password }}" \ 15 | --url "{{ .Values.database.url }}" \ 16 | --driver-class-name "{{ .Values.database.driverClassName }}" \ 17 | --jdbc-driver "{{ .Values.database.jdbcDriver }}" \ 18 | --enm-listener-port "{{ .Values.listenerPort.enm }}" \ 19 | --admin-listener-port "{{ .Values.listenerPort.admin }}" \ 20 | --auth-host "{{ .Values.prefix }}-{{ .Values.authService.host }}" \ 21 | --auth-port "{{ .Values.authService.port }}" \ 22 | --auth-trust-store-location ./DATA/trust-stores/corda-ssl-trust-store.jks \ 23 | --auth-trust-store-password trust-store-password \ 24 | --auth-issuer "http://test" \ 25 | --auth-leeway 5 \ 26 | --run-migration="{{ .Values.database.runMigration }}" \ 27 | --tls=true \ 28 | --tls-keystore=./DATA/key-stores/corda-ssl-identity-manager-keys.jks \ 29 | --tls-keystore-password=password \ 30 | --tls-truststore=./DATA/trust-stores/corda-ssl-trust-store.jks \ 31 | --tls-truststore-password=trust-store-password \ 32 | --verbose 33 | EXIT_CODE=${?} 34 | else 35 | echo "Missing zone jar file in {{ .Values.zoneJar.path }} directory:" 36 | ls -al {{ .Values.zoneJar.path }} 37 | EXIT_CODE=110 38 | fi 39 | -------------------------------------------------------------------------------- /k8s/helm/zone/templates/NOTES.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/corda/cenm-deployment/4cbbf81ce962a8d8bb6672ca76e1e2dfe7619f72/k8s/helm/zone/templates/NOTES.txt 
-------------------------------------------------------------------------------- /k8s/helm/zone/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "zone.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "zone.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "zone.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "zone.labels" -}} 38 | helm.sh/chart: {{ include "zone.chart" . }} 39 | {{ include "zone.selectorLabels" . }} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end -}} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "zone.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "zone.name" . 
}} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end -}} 53 | 54 | {{/* 55 | Create the name of the service account to use 56 | */}} 57 | {{- define "zone.serviceAccountName" -}} 58 | {{- if .Values.serviceAccount.create -}} 59 | {{ default (include "zone.fullname" .) .Values.serviceAccount.name }} 60 | {{- else -}} 61 | {{ default "default" .Values.serviceAccount.name }} 62 | {{- end -}} 63 | {{- end -}} 64 | -------------------------------------------------------------------------------- /k8s/helm/zone/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: {{ .Values.prefix }}-zone-conf 7 | labels: 8 | {{ include "zone.labels" . | nindent 4 }} 9 | data: 10 | run.sh: |+ 11 | {{ tpl (.Files.Get "files/run.sh") . | nindent 4 }} 12 | 13 | -------------------------------------------------------------------------------- /k8s/helm/zone/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "zone.fullname" . }} 5 | labels: 6 | {{- include "zone.labels" . | nindent 4 }} 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | {{- include "zone.selectorLabels" . | nindent 6 }} 12 | template: 13 | metadata: 14 | labels: 15 | {{- include "zone.selectorLabels" . | nindent 8 }} 16 | spec: 17 | {{- with .Values.imagePullSecrets }} 18 | imagePullSecrets: 19 | {{- toYaml . | nindent 8 }} 20 | {{- end }} 21 | serviceAccountName: {{ include "zone.serviceAccountName" . }} 22 | securityContext: 23 | {{- toYaml .Values.podSecurityContext | nindent 8 }} 24 | initContainers: 25 | - name: init-waitforpki 26 | env: 27 | - name: ACCEPT_LICENSE 28 | value: "{{required "You must accept the license agreement to use this software." 
.Values.acceptLicense }}" 29 | securityContext: 30 | {{- toYaml .Values.securityContext | nindent 12 }} 31 | image: "{{ required "zone[waitforpki]: missing value for .Values.image.repository" .Values.image.repository }}:{{ required "zone[waitforpki]: missing value for .Values.image.tag" .Values.image.tag }}" 32 | imagePullPolicy: {{ .Values.image.pullPolicy }} 33 | command: ["/bin/sh", "-c"] 34 | args: 35 | - |- 36 | echo "Waiting for ./DATA/PKITOOL-DONE ..." 37 | until [ -f ./DATA/PKITOOL-DONE ] 38 | do 39 | sleep 5 40 | done 41 | ls -al ./DATA/PKITOOL-DONE 42 | echo "Waiting for ./DATA/PKITOOL-DONE ... done." 43 | resources: 44 | {{- toYaml .Values.resources | nindent 12 }} 45 | volumeMounts: 46 | - name: pki-certs-keys 47 | mountPath: /opt/cenm/DATA 48 | containers: 49 | - name: main 50 | securityContext: 51 | {{- toYaml .Values.securityContext | nindent 12 }} 52 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 53 | imagePullPolicy: {{ .Values.image.pullPolicy }} 54 | command: ["/bin/bash", "-c"] 55 | args: 56 | - |- 57 | cp CM-FILES/run.sh bin/run.sh 58 | bash bin/run.sh 59 | volumeMounts: 60 | - name: pki-certs-keys 61 | mountPath: /opt/cenm/DATA 62 | - name: zone-conf 63 | mountPath: /opt/cenm/CM-FILES/run.sh 64 | subPath: run.sh 65 | - name: zone-logs 66 | mountPath: /opt/cenm/logs 67 | - name: zone-h2 68 | mountPath: /opt/cenm/h2 69 | resources: 70 | {{- toYaml .Values.resources | nindent 12 }} 71 | {{- if .Values.logsContainersEnabled }} 72 | - name: logs-zone 73 | securityContext: 74 | {{- toYaml .Values.securityContext | nindent 12 }} 75 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 76 | imagePullPolicy: {{ .Values.image.pullPolicy }} 77 | command: ["/bin/bash", "-c"] 78 | args: 79 | - |- 80 | cd /opt/cenm/ 81 | while true; do tail -f logs/zone-service/*.log 2>/dev/null ; sleep 5; done 82 | # in case sth went wrong just wait indefinitely ... 
83 | tail -f /dev/null 84 | volumeMounts: 85 | - name: zone-logs 86 | mountPath: /opt/cenm/logs 87 | resources: 88 | {{- toYaml .Values.resources | nindent 12 }} 89 | {{- end }} 90 | volumes: 91 | - name: pki-certs-keys 92 | persistentVolumeClaim: 93 | claimName: {{ .Values.prefix }}-pki-certs-keys 94 | - name: zone-conf 95 | configMap: 96 | name: {{ .Values.prefix }}-zone-conf 97 | - name: zone-h2 98 | persistentVolumeClaim: 99 | claimName: {{ .Values.prefix }}-zone-h2 100 | - name: zone-logs 101 | persistentVolumeClaim: 102 | claimName: {{ .Values.prefix }}-zone-logs 103 | {{- with .Values.nodeSelector }} 104 | nodeSelector: 105 | {{- toYaml . | nindent 8 }} 106 | {{- end }} 107 | {{- with .Values.affinity }} 108 | affinity: 109 | {{- toYaml . | nindent 8 }} 110 | {{- end }} 111 | {{- with .Values.tolerations }} 112 | tolerations: 113 | {{- toYaml . | nindent 8 }} 114 | {{- end }} 115 | -------------------------------------------------------------------------------- /k8s/helm/zone/templates/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: {{ .Values.prefix }}-zone-h2 6 | spec: 7 | accessModes: 8 | - ReadWriteOnce 9 | storageClassName: {{ .Values.storageClass }} 10 | resources: 11 | requests: 12 | storage: {{ .Values.volumeSizeZoneH2 }} 13 | 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: {{ .Values.prefix }}-zone-logs 19 | spec: 20 | accessModes: 21 | - ReadWriteOnce 22 | storageClassName: {{ .Values.storageClass }} 23 | resources: 24 | requests: 25 | storage: {{ .Values.volumeSizeZoneLogs }} 26 | -------------------------------------------------------------------------------- /k8s/helm/zone/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "zone.fullname" . 
}} 5 | labels: 6 | {{- include "zone.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.listenerPort.enm }} 11 | targetPort: {{ .Values.listenerPort.enm }} 12 | protocol: TCP 13 | name: enm 14 | - port: {{ .Values.listenerPort.admin }} 15 | targetPort: {{ .Values.listenerPort.admin }} 16 | protocol: TCP 17 | name: admin 18 | selector: 19 | {{- include "zone.selectorLabels" . | nindent 4 }} 20 | -------------------------------------------------------------------------------- /k8s/helm/zone/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "zone.serviceAccountName" . }} 6 | labels: 7 | {{- include "zone.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- end -}} 13 | -------------------------------------------------------------------------------- /k8s/helm/zone/values.yaml: -------------------------------------------------------------------------------- 1 | ######################################## 2 | ### CENM configuration options ### 3 | ######################################## 4 | 5 | # Display more messages while executing Kubernetes deployment 6 | bashDebug: false 7 | 8 | image: 9 | repository: corda/enterprise-zone 10 | tag: 1.6-zulu-openjdk8u392 11 | pullPolicy: Always 12 | 13 | # Database configuration 14 | database: 15 | driverClassName: "org.h2.Driver" 16 | jdbcDriver: "" 17 | url: "jdbc:h2:file:./h2/zone-persistence;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=10000;WRITE_DELAY=0;AUTO_SERVER_PORT=0" 18 | user: "example-db-user" 19 | password: "example-db-password" 20 | runMigration: true 21 | 22 | # Required parameter 23 | acceptLicense: 24 | 25 | # Volume size for h2/ directory 26 | volumeSizeZoneH2: 1Gi 27 | 28 | # Volume size 
for logs/ directory 29 | volumeSizeZoneLogs: 5Gi 30 | 31 | zoneJar: 32 | # value for java -Xmx 33 | xmx: 1G 34 | # The directory where the Signing Service .jar file is stored 35 | path: bin 36 | # The directory where the Signing Service configuration is stored 37 | configPath: etc 38 | 39 | # Definition of the Auth Service 40 | authService: 41 | host: auth 42 | port: 8081 43 | 44 | # Sleep time (in seconds) after an error occured 45 | sleepTimeAfterError: 120 46 | 47 | # Enable container displaying live logs 48 | logsContainersEnabled: true 49 | 50 | ######################################## 51 | ### Kubernetes related settings ### 52 | ######################################## 53 | 54 | # Name of Kubernetes secret storing credentials to Docker registry 55 | imagePullSecrets: 56 | - name: cenm-registry 57 | 58 | nameOverride: "" 59 | fullnameOverride: "" 60 | 61 | serviceAccount: 62 | # Specifies whether a service account should be created 63 | create: true 64 | # Annotations to add to the service account 65 | annotations: {} 66 | # The name of the service account to use. 67 | # If not set and create is true, a name is generated using the fullname template 68 | name: 69 | 70 | podSecurityContext: 71 | runAsUser: 1000 72 | runAsGroup: 1000 73 | fsGroup: 1000 74 | 75 | securityContext: {} 76 | # capabilities: 77 | # drop: 78 | # - ALL 79 | # readOnlyRootFilesystem: true 80 | # runAsNonRoot: true 81 | # runAsUser: 1000 82 | 83 | service: 84 | type: ClusterIP 85 | port: 80 86 | 87 | resources: 88 | # We usually recommend not to specify default resources and to leave this as a conscious 89 | # choice for the user. This also increases chances charts run on environments with little 90 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 91 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
92 | limits: 93 | # cpu: 100m 94 | memory: 1Gi 95 | requests: 96 | # cpu: 100m 97 | memory: 1Gi 98 | 99 | nodeSelector: {} 100 | 101 | tolerations: [] 102 | 103 | affinity: {} 104 | 105 | listenerPort: 106 | enm: "25000" 107 | admin: "12345" 108 | 109 | storageClass: cenm 110 | -------------------------------------------------------------------------------- /k8s/storage-class-aws.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: StorageClass 3 | apiVersion: storage.k8s.io/v1 4 | metadata: 5 | name: cenm 6 | provisioner: kubernetes.io/aws-ebs 7 | parameters: 8 | type: gp2 9 | fsType: ext4 10 | allowVolumeExpansion: true 11 | volumeBindingMode: WaitForFirstConsumer 12 | 13 | --- 14 | kind: StorageClass 15 | apiVersion: storage.k8s.io/v1 16 | metadata: 17 | name: cenm-shared 18 | provisioner: aws.io/aws-efs 19 | allowVolumeExpansion: true 20 | -------------------------------------------------------------------------------- /k8s/storage-class-azure.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: storage.k8s.io/v1 3 | kind: StorageClass 4 | metadata: 5 | name: cenm 6 | provisioner: kubernetes.io/azure-disk 7 | parameters: 8 | kind: Managed 9 | skuName: Standard_LRS 10 | cachingmode: None 11 | # mountOptions: 12 | # - dir_mode=0777 13 | # - file_mode=0777 14 | # - uid=1000 15 | # - gid=1000 16 | # - mfsymlinks 17 | # - nobrl 18 | # - cache=none 19 | allowVolumeExpansion: true 20 | volumeBindingMode: WaitForFirstConsumer 21 | 22 | --- 23 | apiVersion: storage.k8s.io/v1 24 | kind: StorageClass 25 | metadata: 26 | name: cenm-shared 27 | provisioner: kubernetes.io/azure-file 28 | parameters: 29 | skuName: Standard_LRS 30 | mountOptions: 31 | - dir_mode=0777 32 | - file_mode=0777 33 | - uid=1000 34 | - gid=1000 35 | - mfsymlinks 36 | - nobrl 37 | - cache=none 38 | allowVolumeExpansion: true 
--------------------------------------------------------------------------------