fixes for k8s deployment automation

Signed-off-by: Shahbaz Nazir <shahbaz@bigchaindb.com>
2024-10-13 13:34:05 +00:00 · 2018-02-27 02:29:44 +01:00 · 2018-02-27 02:29:44 +01:00 · 287ab88012
commit 287ab88012
parent e68c77338e
11 changed files with 108 additions and 101 deletions
--- a/k8s/bigchaindb/bigchaindb-dep.yaml
+++ b/k8s/bigchaindb/bigchaindb-dep.yaml
@ -28,10 +28,7 @@ spec:
              name: vars
              key: mongodb-backend-port
        - name: BIGCHAINDB_DATABASE_BACKEND
-          valueFrom:
+          value: "localmongodb"
            configMapKeyRef:
              name: bdb-config
              key: bdb-db-backend
        - name: BIGCHAINDB_DATABASE_NAME
          valueFrom:
            configMapKeyRef:
@ -104,7 +101,7 @@ spec:
              key: bdb-user
        - name: BIGCHAINDB_START_TENDERMINT
          value: "0"
-        - name: TENDERMINT_HOST
+        - name: BIGCHAINDB_TENDERMINT_HOST
          valueFrom:
            configMapKeyRef:
              name: tendermint-config
--- a/k8s/mongodb/configure_mdb.sh
+++ b/k8s/mongodb/configure_mdb.sh
--- a/k8s/nginx-https/container/nginx.conf.template
+++ b/k8s/nginx-https/container/nginx.conf.template
@ -62,7 +62,7 @@ http {
  # Frontend server for the external clients; acts as HTTPS termination point.
  server {
    listen CLUSTER_FRONTEND_PORT ssl;
-    server_name "CLUSTER_FQDN";
+    server_name "NODE_FQDN";
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cert.key;
@ -139,7 +139,7 @@ http {
  # when an HTTP request is sent instead of HTTPS.
  server {
    listen 80;
-    server_name "CLUSTER_FQDN";
+    server_name "NODE_FQDN";
    location / {
        add_header Upgrade "TLS/1.2, HTTP/1.1" always;
--- a/k8s/nginx-https/container/nginx.conf.threescale.template
+++ b/k8s/nginx-https/container/nginx.conf.threescale.template
@ -64,7 +64,7 @@ http {
  # Frontend server for the external clients; acts as HTTPS termination point.
  server {
    listen CLUSTER_FRONTEND_PORT ssl;
-    server_name "CLUSTER_FQDN";
+    server_name "NODE_FQDN";
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cert.key;
@ -141,7 +141,7 @@ http {
  # when an HTTP request is sent instead of HTTPS.
  server {
    listen 80;
-    server_name "CLUSTER_FQDN";
+    server_name "NODE_FQDN";
    location / {
        add_header Upgrade "TLS/1.2, HTTP/1.1" always;
--- a/k8s/nginx-https/container/nginx_entrypoint.bash
+++ b/k8s/nginx-https/container/nginx_entrypoint.bash
@ -7,7 +7,7 @@ secret_token_auth_mode="secret-token"
 # Cluster vars
-cluster_fqdn=`printenv CLUSTER_FQDN`
+node_fqdn=`printenv NODE_FQDN`
 cluster_frontend_port=`printenv CLUSTER_FRONTEND_PORT`
@ -46,14 +46,14 @@ if [[ -z "${cluster_frontend_port:?CLUSTER_FRONTEND_PORT not specified. Exiting!
      -z "${bdb_ws_port:?BIGCHAINDB_WS_PORT not specified. Exiting!}" || \
      -z "${dns_server:?DNS_SERVER not specified. Exiting!}" || \
      -z "${health_check_port:?HEALTH_CHECK_PORT not specified. Exiting!}" || \
-      -z "${cluster_fqdn:?CLUSTER_FQDN not specified. Exiting!}" || \
+      -z "${node_fqdn:?NODE_FQDN not specified. Exiting!}" || \
      -z "${tm_pub_key_access_port:?TM_PUB_KEY_ACCESS_PORT not specified. Exiting!}" || \
      -z "${tm_backend_host:?TM_BACKEND_HOST not specified. Exiting!}" || \
      -z "${tm_p2p_port:?TM_P2P_PORT not specified. Exiting!}" ]]; then
  echo "Missing required environment variables. Exiting!"
  exit 1
 else
-  echo CLUSTER_FQDN="$cluster_fqdn"
+  echo NODE_FQDN="$node_fqdn"
  echo CLUSTER_FRONTEND_PORT="$cluster_frontend_port"
  echo DNS_SERVER="$dns_server"
  echo HEALTH_CHECK_PORT="$health_check_port"
@ -83,7 +83,7 @@ else
 fi
 # configure the nginx.conf file with env variables
-sed -i "s|CLUSTER_FQDN|${cluster_fqdn}|g" ${NGINX_CONF_FILE}
+sed -i "s|NODE_FQDN|${node_fqdn}|g" ${NGINX_CONF_FILE}
 sed -i "s|CLUSTER_FRONTEND_PORT|${cluster_frontend_port}|g" ${NGINX_CONF_FILE}
 sed -i "s|MONGODB_BACKEND_HOST|${mongo_backend_host}|g" ${NGINX_CONF_FILE}
 sed -i "s|MONGODB_BACKEND_PORT|${mongo_backend_port}|g" ${NGINX_CONF_FILE}
--- a/k8s/nginx-https/nginx-https-dep.yaml
+++ b/k8s/nginx-https/nginx-https-dep.yaml
@ -25,11 +25,11 @@ spec:
            configMapKeyRef:
              name: vars
              key: cluster-health-check-port
-        - name: CLUSTER_FQDN
+        - name: NODE_FQDN
          valueFrom:
            configMapKeyRef:
              name: vars
-              key: cluster-fqdn
+              key: node-fqdn
        - name: DNS_SERVER
          valueFrom:
            configMapKeyRef:
--- a/k8s/scripts/functions
+++ b/k8s/scripts/functions
@ -38,7 +38,7 @@ function configure_member_cert_gen(){
    echo 'set_var EASYRSA_REQ_OU "MONGO-MEMBER"' >> $1/vars
    echo 'set_var EASYRSA_REQ_EMAIL "dev@bigchaindb.com"' >> $1/vars
    echo "set_var EASYRSA_SSL_CONF \"$1/openssl-1.0.cnf\"" >> $1/vars
-    echo "set_var EASYRSA_PKI \"$1/pki\"" >> member-cert/easy-rsa-3.0.1/easyrsa3/vars
+    echo "set_var EASYRSA_PKI \"$1/pki\"" >> $1/vars
    $1/easyrsa init-pki
    $1/easyrsa --req-cn="$MDB_CN"-"$INDEX" --subject-alt-name=DNS:localhost,DNS:"$MDB_CN"-"$INDEX" gen-req "$MDB_CN"-"$INDEX" nopass
 }
@ -216,17 +216,17 @@ function generate_config_map(){
    mdb_instance_name="$MDB_CN-$INDEX"
    bdb_instance_name="$BDB_CN-$INDEX"
-    tm_instance_name="tm-instance-$INDEX"
+    ngx_instance_name="ngx-instance-$INDEX"
    ngx_instance_name="mdb-instance-$INDEX"
    bdb_user=`cat $1/"$BDB_CN"-"${INDEX}".user`
    mdb_admin_username=$2
-    cluster_fqdn=$3
+    node_fqdn=$3
    tm_seeds=$4
    tm_validators=$5
    tm_validators_power=$6
    tm_genesis_time=$7
    tm_chain_id=$8
    tm_instance_name=$9
    cat > config-map.yaml << EOF
 apiVersion: v1
@ -235,8 +235,8 @@ metadata:
  name: vars
  namespace: default
 data:
-  # cluster-fqdn is the DNS name registered for your HTTPS certificate.
+  # node-fqdn is the DNS name registered for your HTTPS certificate.
-  cluster-fqdn: "${cluster_fqdn}"
+  node-fqdn: "${node_fqdn}"
  # cluster-frontend-port is the port number on which this node's services
  # are available to external clients.
@ -316,8 +316,8 @@ data:
  # it will use the default cache size; i.e. max((50% RAM - 1GB), 256MB)
  storage-engine-cache-size: ""
-  # POST API authorization mode [threescale | secrete-token]
+  # POST API authorization mode [threescale | secret-token]
-  authorization-mode: "threescale"
+  authorization-mode: "secret-token"
 ---
 apiVersion: v1
@ -403,5 +403,6 @@ metadata:
 data:
  # User name for MongoDB adminuser
  mdb-admin-username: "${mdb_admin_username}"
  mdb-mon-user: ""
 EOF
 }
--- a/k8s/scripts/generate_configs.sh
+++ b/k8s/scripts/generate_configs.sh
@ -4,25 +4,25 @@ set -euo pipefail
 source vars
 source functions
-# base directories for operations
+# Default directory for certificates
-BASE_DIR=$(pwd)
+CERT_DIR="certificates"
 # base variables with default values
 MDB_CN="mdb-instance"
 BDB_CN="bdb-instance"
 MDB_MON_CN="mdb-mon-instance"
 INDEX='0'
 CONFIGURE_CA='true'
 CONFIGURE_MEMBER='true'
 CONFIGURE_CLIENT='true'
 function show_help(){
 cat > /dev/stdout << END
-${0} --index INDEX --mdb-name MONGODB_MEMBER_COMMON_NAME
+${0} --cert-dir - Name of directory containing certificates:- default ${CERT_DIR}
 --bdb-name BIGCHAINDB_INSTANCE_COMMON_NAME
 --mdb-mon-name MONGODB_MONITORING_INSTNACE_COMMON_NAME [--help]
 OPTIONAL ARGS:
 --mdb-cn - Common name of MongoDB instance:- default ${MDB_CN}
 --bdb-cn - Common name of BigchainDB instance:- default ${BDB_CN}
 --mdb-mon-cn - Common name of MongoDB monitoring agent:- default ${MDB_MON_CN}
 --dir - Absolute path of base directory:- default ${BASE_DIR}
 --help - show help
 EXAMPLES
- "Generate Certificates for first node(index=1) in the cluster i.e. MongoDB instance: mdb-instance,"
+- "Generate configs"
-  "BigchainDB instance: bdb-instance, MongoDB monitoring agent: mdb-mon-instance"
+  ./generate_configs.sh --cert-dir ${CERT_DIR}
  ./cert_gen.sh --index 1 --mdb-cn mdb-instance --bdb-cn bdb-instance \
  --mdb-mon-cn mdb-mon-instance
 END
 }
@ -30,24 +30,8 @@ END
 while [[ $# -gt 0 ]]; do
    arg="$1"
    case $arg in
-        --index)
+        --cert-dir)
-            INDEX="$2"
+            CERT_DIR="$2"
            shift
        ;;
        --mdb-cn)
            MDB_CN="$2"
            shift
        ;;
        --bdb-cn)
            BDB_CN="$2"
            shift
        ;;
        --mdb-mon-cn)
            MDB_MON_CN="$2"
            shift
        ;;
        --dir)
            BASE_DIR="$2"
            shift
        ;;
        --help)
@ -62,6 +46,16 @@ while [[ $# -gt 0 ]]; do
    shift
 done
 # sanity checks
 if [[ -z "${CERT_DIR}" ]] ; then
    echo "Missing required argument CERT_DIR"
    exit 1
 fi
 # Create BASE_DIR
 BASE_DIR="$(pwd)/${CERT_DIR}"
 mkdir -p "${BASE_DIR}"
 BASE_CA_DIR="${BASE_DIR}"/bdb-cluster-ca
 BASE_MEMBER_CERT_DIR="${BASE_DIR}"/member-cert
 BASE_CLIENT_CERT_DIR="${BASE_DIR}"/client-cert
@ -69,34 +63,28 @@ BASE_EASY_RSA_PATH='easy-rsa-3.0.1/easyrsa3'
 BASE_K8S_DIR="${BASE_DIR}"/k8s
 BASE_USERS_DIR="$BASE_DIR"/users
-# sanity checks
+# # Configure Root CA
-if [[ -z "${INDEX}" ]] ; then
+# mkdir $BASE_CA_DIR
-    echo "Missing required arguments"
+# configure_common $BASE_CA_DIR
-    exit 1
+# configure_root_ca $BASE_CA_DIR/$BASE_EASY_RSA_PATH
 fi
 # Configure Root CA
 mkdir $BASE_CA_DIR
 configure_common $BASE_CA_DIR
 configure_root_ca $BASE_CA_DIR/$BASE_EASY_RSA_PATH
-# Configure Member Request/Key generation
+# # Configure Member Request/Key generation
-mkdir $BASE_MEMBER_CERT_DIR
+# mkdir $BASE_MEMBER_CERT_DIR
-configure_common $BASE_MEMBER_CERT_DIR
+# configure_common $BASE_MEMBER_CERT_DIR
-configure_member_cert_gen $BASE_MEMBER_CERT_DIR/$BASE_EASY_RSA_PATH
+# configure_member_cert_gen $BASE_MEMBER_CERT_DIR/$BASE_EASY_RSA_PATH
-# Configure Client Request/Key generation
+# # Configure Client Request/Key generation
-mkdir $BASE_CLIENT_CERT_DIR
+# mkdir $BASE_CLIENT_CERT_DIR
-configure_common $BASE_CLIENT_CERT_DIR
+# configure_common $BASE_CLIENT_CERT_DIR
-configure_client_cert_gen $BASE_CLIENT_CERT_DIR/$BASE_EASY_RSA_PATH
+# configure_client_cert_gen $BASE_CLIENT_CERT_DIR/$BASE_EASY_RSA_PATH
-import_requests $BASE_CA_DIR/$BASE_EASY_RSA_PATH
+# import_requests $BASE_CA_DIR/$BASE_EASY_RSA_PATH
-sign_requests $BASE_CA_DIR/$BASE_EASY_RSA_PATH
+# sign_requests $BASE_CA_DIR/$BASE_EASY_RSA_PATH
-make_pem_files $BASE_CA_DIR/$BASE_EASY_RSA_PATH $BASE_K8S_DIR
+# make_pem_files $BASE_CA_DIR/$BASE_EASY_RSA_PATH $BASE_K8S_DIR
-convert_b64 $BASE_K8S_DIR $BASE_CA_DIR/$BASE_EASY_RSA_PATH $BASE_CLIENT_CERT_DIR/$BASE_EASY_RSA_PATH
+# convert_b64 $BASE_K8S_DIR $BASE_CA_DIR/$BASE_EASY_RSA_PATH $BASE_CLIENT_CERT_DIR/$BASE_EASY_RSA_PATH
-get_users $BASE_USERS_DIR $BASE_CA_DIR/$BASE_EASY_RSA_PATH
+# get_users $BASE_USERS_DIR $BASE_CA_DIR/$BASE_EASY_RSA_PATH
 generate_secretes_no_threescale $BASE_K8S_DIR $SECRET_TOKEN $HTTPS_CERT_KEY_FILE_NAME $HTTPS_CERT_CHAIN_FILE_NAME $MDB_ADMIN_PASSWORD
-generate_config_map $BASE_USERS_DIR $MDB_ADMIN_USER $CLUSTER_FQDN $TM_SEEDS $TM_VALIDATORS $TM_VALIDATOR_POWERS $TM_GENESIS_TIME $TM_CHAIN_ID
+generate_config_map $BASE_USERS_DIR $MDB_ADMIN_USER $NODE_FQDN $TM_SEEDS $TM_VALIDATORS $TM_VALIDATOR_POWERS $TM_GENESIS_TIME $TM_CHAIN_ID $TM_INSTANCE_NAME
--- a/k8s/scripts/vars
+++ b/k8s/scripts/vars
@ -1,23 +1,41 @@
-CLUSTER_FQDN="test.bigchaindb.com"
+# DNS name of the bigchaindb node
-SECRET_TOKEN="test" 
+NODE_FQDN="test-node.bigchaindb.com"
 HTTPS_CERT_KEY_FILE_NAME="https_key"
 HTTPS_CERT_CHAIN_FILE_NAME="https_cert_chain"
-# base variables with default values
+# Secret token used for authorization of
-MDB_CN="mdb-instance"
+# POST requests to the bigchaindb node
-BDB_CN="bdb-instance"
+SECRET_TOKEN="test-secret"
 MDB_MON_CN="mdb-mon-instance"
 INDEX='1'
 CONFIGURE_CA=''
 CONFIGURE_MEMBER=''
 CONFIGURE_CLIENT=''
 MDB_ADMIN_PASSWORD=''
 MDB_ADMIN_USER=''
 # Absolute path for the SSL certificate key
 HTTPS_CERT_KEY_FILE_NAME="</path/to/https.key>"
-# Tendermint data
+# Absolute path for the SSL certificate chain
-TM_SEEDS='123,4565'
+HTTPS_CERT_CHAIN_FILE_NAME="</path/to/https.pem>"
-TM_VALIDATORS='11234,1234'
+
-TM_VALIDATOR_POWERS='1,1'
+# MongoDB Admin user credentials
-TM_GENESIS_TIME='11324'
+MDB_ADMIN_USER='adminUser'
-TM_CHAIN_ID='test-id'
+MDB_ADMIN_PASSWORD='superstrongpassword'
 # Tendermint instance name of the bigchaindb
 # node. This name should be unique
 TM_INSTANCE_NAME='tm-instance-0'
 # Comma sperated list of initial peers in the
 # network.
 TM_SEEDS='tm-instance-0,tm-instance-1,tm-instance-2'
 # Comma separated list of validators in the
 # network
 TM_VALIDATORS='tm-instance-0,tm-instance-1,tm-instance-2'
 # Comma separated list of voting
 # power of all validators. Make sure
 # order and number of powers corresponds
 # to TM_VALIDATORS
 TM_VALIDATOR_POWERS='10,10,10'
 # Offical time of blockchain start
 TM_GENESIS_TIME='0001-01-01T00:00:00Z'
 # Blockchain ID must be unique for
 # every blockchain
 TM_CHAIN_ID='test-chain-rwcPML'
--- a/k8s/tendermint/tendermint-ext-conn-svc.yaml
+++ b/k8s/tendermint/tendermint-ext-conn-svc.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  # Name of tendermint instance you are trying to connect to
-  # e.g. tm-instance-0
+  # name: "tm-instance-0"
  name: "<remote-tendermint-host>"
  namespace: default
 spec:
@ -13,5 +13,8 @@ spec:
    name: p2p
  - port: 46657
    name: pubkey
  type: ExternalName
  # FQDN of remote cluster/NGINX instance
  #externalName: "nginx-instance-for-tm-instance-0.westeurope.cloudapp.azure.com"
  externalName: "<dns-name-remote-nginx>"
--- a/k8s/tendermint/tendermint_container/tendermint_entrypoint.bash
+++ b/k8s/tendermint/tendermint_container/tendermint_entrypoint.bash
@ -69,7 +69,7 @@ for i in "${!VALS_ARR[@]}"; do
  # wait until validator generates priv/pub key pair
  set +e
  echo Validator: "${VALS_ARR[$i]}"
-  echo Validator Power: "${VALS_POWERS_ARR[$i]}"
+  echo Validator Power: "${VAL_POWERS_ARR[$i]}"
  echo "http://${VALS_ARR[$i]}:$tm_pub_key_access_port/pub_key.json"
  curl -s --fail "http://${VALS_ARR[$i]}:$tm_pub_key_access_port/pub_key.json" > /dev/null
  ERR=$?