Feature/qkm deploy #628 (#47)

* Added qkm + qkm-postgresql

* Add charts default + ability to disable QKM postgres

* Test is disabled

* Condition on Vault CSR

* Vault default is disabled

* default orchestrate version is 21.1.12

* Update default repo

* Qkm default is false

* Add conditions on charts

* Remove vault operator from charts

* Add qkm related values

* Add new env vars

* Fix Ingresses

* Add migration related env vars

* Map values

* Add qkm values

* Change vault default image

* Remove initContainers part

* Enable vault + qkm

* Enable one agent as sample

* fix azure issue

* Updated common values

* Disable kafka in default

* Update staging profile

* Make kafka conditionnal

* fix missing name on azure

* Let api key file in values

* clean up DB vars

* Make kafka chart conditionnal

* Use env vars for postgres

* Remove hard coded values

* missing username

* Addressed Dario's comment

* Align Vault plugin values

* Remove useless intDb script

* Allow private repo for qkm

* Added overview picture

* Updated default values

* Updated CHANGELOG

* Add qkm api-key sample

* Update Readme with api-keys note

* overview image reviewed

Author: 6l20

CHANGELOG.md

@@ -2,6 +2,16 @@
 
 All notable changes to this project will be documented in this file.
 
+## v6.0.0 (Unreleased)
+
+ * Support latest v21.12.x orchestrate version
+ * Support Hashicorp Vault image with embedded plugin
+ * Remove Key manager and replace it with Quorum Key Manager dependency
+ * Make chart Azure compliant
+ * Updated Ingresses
+ * Made dependencies optional
+
+
 ## v5.1.0 (Unreleased)
 
  * Make Vault, Postgres, Redis Highly Available in Multi-Availability Zones

README.md

@@ -15,6 +15,7 @@ For more information, refer to the [Orchestrate documentation](https://docs.orch
 <H1>Orchestrate-Kubernetes</H1>
 
 - [Codefi Orchestrate](#codefi-orchestrate)
+- [Deployment overview](#overview)
 - [Compatibility](#compatibility)
 - [1. Requirements](#1-requirements)
   - [1.1. CLI tools](#11-cli-tools)
@@ -32,11 +33,20 @@ For more information, refer to the [Orchestrate documentation](https://docs.orch
 
 This repository contains an implementation example on how to deploy Orchestrate and its dependencies using Kubernetes and Helm charts.
 
+# Overview
+
+Below is a high level diagram of what this chart will help you deploy
+
+
+![overview diagram](./img/overview.png "Overview")
+
+
 # Compatibility
 
 | Orchestrate-kubernetes versions | Orchestrate versions          |
 |---------------------------------|-------------------------------|
-| master/HEAD                     | Orchestrate v21.1.x or higher |
+| master/HEAD                     | Orchestrate v21.12.x or higher |
+| v6.0.0                          | Orchestrate v21.12.x or higher |
 | v5.0.0                          | Orchestrate v21.1.x or higher |
 | v4.0.0                          | Orchestrate v2.5.x            |
 | v3.1.0                          | Orchestrate v2.5.x            |
@@ -120,18 +130,23 @@ This repository provides few examples of environment values sets:
 
 Note: All the passwords and usernames of every dependendcies are located in `environments/common.yaml.gotmpl`. Do not forget to change, eventually extract, those values depending on how you want to manage those secrets.
 
+Note: The ./values/api-key/api-keys.csv gives an exemple of what you should use for the Quorum Key Manager api-keys when this mode is enabled, provided values MUST be changed in a Prod environment.
+
 The following tables lists the configurable values for the environments. Some of them are directly configurable bia envronement variable:
 
 | Parameter                                      | Description                                                                | Default                                                     |
 |------------------------------------------------|----------------------------------------------------------------------------|-------------------------------------------------------------|
 | `orchestrate.namespace`                        | Namespace where Orchestrate will be deployed (env `ORCHESTRATE_NAMESPACE`) | `orchestrate`                                               |
+| `orchestrate.chart.name`                        | This deployment orchestrate chart (env `ORCHESTRATE_CHART`) | `consensys/orchestrate`                                               |
+| `orchestrate.chart.version`                        | Namespace where Orchestrate will be deployed (env `ORCHESTRATE_CHART_VERSION`) | `1.0.6`                                               |
 | `orchestrate.global.imageCredentials.registry` | Docker registry where Orchestrate images are stored (env `REGISTRY_URL`)   | `docker.consensys.net`                                      |
 | `orchestrate.global.imageCredentials.username` | [REQUIRED] Username of the registry (env `REGISTRY_USERNAME`)              |                                                             |
 | `orchestrate.global.imageCredentials.password` | [REQUIRED] Password of the registry (env `REGISTRY_PASSWORD`)              |                                                             |
 | `orchestrate.global.image.repository`          | Path to Orchestrate image (env `ORCHESTRATE_REPOSITORY`)                   | `docker.consensys.net/priv/orchestrate` |
 | `orchestrate.global.image.tag`                 | Orchestrate image tag (env `ORCHESTRATE_TAG`)                              | `v21.1.2`                                                   |
 | `orchestrate.api`                              | Orchestrate API values                                                     |                                                             |
-| `orchestrate.keyManager`                       | Orchestrate Key Manager values                                             |                                                             |
+| `orchestrate.keyManager`                       | Orchestrate Key Manager values, for usage with version 21.1.X                                             |                                                             |
+| `orchestrate.qkm`                       | Orchestrate Key Manager values, for usage with version 21.10.X                                             |                                                             |
 | `orchestrate.txListener`                       | Orchestrate Tx Listener values                                             | `nil`                                                       |
 | `orchestrate.txSender`                         | Orchestrate Tx Sender values                                               | `nil`                                                       |
 | `orchestrate.test.image.repository`            | Path to Orchestrate test image (env `TEST_REPOSITORY`)                     | `nil`                                                       |
@@ -150,13 +165,14 @@ For more information about Vault Operator, please see https://github.com/banzaic
 |-----------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------|
 | `vault.namespace`     | Namespace where Hashicop Vault will be deployed (env `VAULT_NAMESPACE`)            | `orchestrate`                                                      |
 | `vault.replicaCount`  | Number of Vault instance                                                           | `1`                                                                |
-| `vault.plugin.tag`    | Orchestrate Hashicorp Vault Plugin tag (env `VAULT_PLUGIN_TAG`)                    | `v0.0.9`                                                           |
-| `vault.plugin.sha256` | Orchestrate Hashicorp Vault Plugin SHA256 checksum  (env `VAULT_PLUGIN_SHA256SUM`) | `4919a7fcf66fe98b459e6a46f9233aae9fc2f224ccbb6a44049e2f608b9eebf5` |
+| `vault.plugin.tag`    | Orchestrate Hashicorp Vault Plugin tag (env `VAULT_PLUGIN_TAG`)                    | `v1.1.3`                                                           |
+| `vault.plugin.sha256` | Orchestrate Hashicorp Vault Plugin SHA256 checksum  (env `VAULT_PLUGIN_SHA256SUM`) | `e084800c61749a9c7b51f6e91bb89ab6d5a2678cdb707eaa73f9bef0cf73fc61` |
 
 For more information about values defined in values/vault.yaml.gotmpl, please see https://github.com/banzaicloud/bank-vaults/tree/master/operator/deploy and https://github.com/banzaicloud/bank-vaults/tree/master/charts/vault
 
 | Parameter                             | Description                                                                                                                                                                                                                                                               | Default  |
 |---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
+| `kafka.enabled`                     | Use to enable or disable the kafka deployment, might be replaced by an existin EventHub on Azure for instance                                                                                                                                                                                        | `true`      |
 | `kafka.namespace`                     | Namespace where Kafka and Zookeeper Vault will be deployed (env `KAFKA_NAMESPACE`)                                                                                                                                                                                        | `1`      |
 | `kafka.replicaCount`                  | Number of Kafka instance nodes                                                                                                                                                                                                                                            | `1`      |
 | `kafka.numPartitions`                 | The default number of log partitions per topic                                                                                                                                                                                                                            | `1`      |
@@ -230,9 +246,25 @@ For more information about values defined in values/postgresql.yaml.gotmpl, plea
 |--------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
 | `domainName` | (Option) Domain name registered to the ingress controller of your kubernetes cluster. If not empty Orchestrate API will be exposed to {{orchestrate.namespace}}.{{domainName}}. If the observability stack is enabled grafana.{{domainName}} and prometheus.{{domainName}} will be exposed too (env `DOMAIN_NAME`) | ``      |
 
+
+Values below are useful when deploying orchestrate with version 21.10.X, having possibly a Quorum Key Manager running independently
+
+| Parameter                  | Description                                                           | Default       |
+|----------------------------|-----------------------------------------------------------------------|---------------|
+| `qkm.enabled`              | If true, Quorum Key Manager will be deployed                          | `true`        |
+| `qkm.url`                  | Url where Quorum Key Manager may be reached (env `QKM_URL`)           | `http://quorumkeymanager.orchestrate` |
+| `qkm.namespace`            | Namespace where Quorum Key Manager is deployed (env `QKM_NAMESPACE`)  | `orchestrate` |
+| `qkm.orchestrate.storeName`| Initial and existing eth-account name used by orchestrate             | `eth-accounts` |
+| `qkm.orchestrate.apiKey`   | Existing apiKey used by orchestrate to authenticate                   | `YWRtaW4tdXNlcg==` |
+| `qkm.chart.name`           | Helm chart of your Quorum Key Manager deployment                      | `consensys/quorumkeymanager` |
+| `qkm.chart.version`        | Helm chart version of your Quorum Key Manager deployment              | `1.1.1` |
+| `qkm.port`                 | Port of the Quorum Key Manager service                                | `8080`       |
+
+For more information about values defined in values/qkm.yaml.gotmpl, please refer to https://github.com/ConsenSys/quorum-key-manager-helm
+
 # 3. Hashicorp Vault
 
-This helmfiles deploys [Hashicorp's Vault](https://www.vaultproject.io/) with integrated storage with raft with [Bank-Vaults](https://github.com/banzaicloud/bank-vaults). We deploy first the Vault operator, then the following ressources contained in `values/vault.yaml`:
+This helmfiles optionally deploys [Hashicorp's Vault](https://www.vaultproject.io/) with integrated storage with raft with [Bank-Vaults](https://github.com/banzaicloud/bank-vaults). We deploy first the Vault operator, then the following ressources contained in `values/vault.yaml`:
 - Vault CRD's, including [Vault policy](https://www.vaultproject.io/docs/concepts/policies), [Vault authentication](https://www.vaultproject.io/docs/concepts/auth), and [Orchestrate Hashicorp Vault Plugin](https://github.com/ConsenSys/orchestrate-hashicorp-vault-plugin)
 
 [Vault policy](https://www.vaultproject.io/docs/concepts/policies)
@@ -274,6 +306,8 @@ This helmfiles deploys [Hashicorp's Vault](https://www.vaultproject.io/) with in
 - Service Account
 - RBAC configuration
 
+Note that it is highly recommended to use the `consensys/quorum-hashicorp-vault-plugin` image when deplying a Vault ressource.
+
 # 4. Observability
 
 This helmfile could deploy [Prometheus Operator](https://github.com/coreos/prometheus-operator) and [Prometheus](https://prometheus.io/) based on the [Kube-Prometheus Helm chart](https://github.com/bitnami/charts/tree/master/bitnami/kube-prometheus). It also deploys Grafana with default dashboards for Orchestrate, Kubernetes, Golang, Kafka, Postgres, Redis, and Hashicorp Vault
@@ -295,4 +329,5 @@ kubectl port-forward --namespace $OBSERVABILITY_NAMESPACE svc/grafana 3000:80
 
 ## 5.1. From Orchestrate v2.5.X to v21.1.X
 
-[Read the steps to upgrade Orchestrate v2.5.X to v21.1.X](docs/upgrades/v21-1-X.md)
+[Read the steps to upgrade Orchestrate v2.5.X to v21.1.X](docs/upgrades/v21-1-X.md)
+

environments/common.yaml.gotmpl

@@ -1,26 +1,33 @@
 ---
 {{ $defaultNamespace := "orchestrate" }}
-{{ $tag := "v21.1.3" }}
+{{ $defaultOrchestrateChart := "consensys/orchestrate" }}
+{{ $defaultQkmChart := "consensys/quorumkeymanager" }}
+{{ $defaultOrchestrateChartVersion := "2.0.0" }}
+{{ $defaultQkmChartVersion := "1.1.5" }}
+{{ $defaultNamespace := "orchestrate" }}
+{{/* $tag := "v21.10.1-alpha.3" */}}
+{{ $tag := "v21.12.1" }}
+{{ $qkmTag := "v21.12.1" }}
 
 orchestrate:
   namespace: {{ env "ORCHESTRATE_NAMESPACE" | default $defaultNamespace  }}
+  chart: 
+    name: {{ env "ORCHESTRATE_CHART" | default $defaultOrchestrateChart  }}
+    version: {{ env "ORCHESTRATE_CHART_VERSION" | default $defaultOrchestrateChartVersion  }}
 
   global:
     imageCredentials:
       registry: {{ env "REGISTRY_URL" | default "docker.consensys.net" }}
       username: {{ requiredEnv "REGISTRY_USERNAME" }}
       password: {{ requiredEnv "REGISTRY_PASSWORD" }}
     image:
-      repository: {{ env "ORCHESTRATE_REPOSITORY" | default "docker.consensys.net/priv/orchestrate" }}
+      repository: {{ env "ORCHESTRATE_REPOSITORY" | default "consensys/orchestrate" }}
       tag: {{ env "ORCHESTRATE_TAG" | default $tag | quote }}
     environment: {}
     environmentSecrets: {}
 
   api:
-    environment: {}
-    environmentSecrets: {}
-
-  keyManager:
+    enabled: true
     environment: {}
     environmentSecrets: {}
 
@@ -31,17 +38,36 @@ orchestrate:
   txSender:
     environment: {}
     environmentSecrets: {}
+  
+  migrate:
+    environment: {}
+    environmentSecrets: {}
+
+  
+  auth:
+    jwt:
+      issuerUrl: https://consensys.eu.auth0.com
+      audience: https://orchestrate.consensys.net
+      claims: https://api.orchestrate.network
 
 vaultOperator:
+  enabled: false
   namespace: {{ env "VAULT_OPERATOR_NAMESPACE" | default "vault-operator" }}
 
 vault:
+  enabled: true
+  replicaCount: 1
   namespace: {{ env "VAULT_NAMESPACE" | default ( env "ORCHESTRATE_NAMESPACE" | default $defaultNamespace ) }}
   plugin:
-    tag: {{ env "VAULT_PLUGIN_TAG" | default "v0.0.9" }}
-    sha256: {{ env "VAULT_PLUGIN_SHA256SUM" | default "4919a7fcf66fe98b459e6a46f9233aae9fc2f224ccbb6a44049e2f608b9eebf5" }}
+    name: {{ env "VAULT_PLUGIN_NAME" | default "quorum" }}
+    tag: {{ env "VAULT_PLUGIN_TAG" | default "v1.1.3" }}
+    sha256: {{ env "VAULT_PLUGIN_SHA256SUM" | default "e084800c61749a9c7b51f6e91bb89ab6d5a2678cdb707eaa73f9bef0cf73fc61" }}
+    filename: {{ env "VAULT_PLUGIN_FILENAME" | default "quorum-hashicorp-vault-plugin" }}
+  envs:
+    - VAULT_ADDR: "http://localhost:8200"
 
 kafka:
+  enabled: true
   namespace: {{ env "KAFKA_NAMESPACE" | default "kafka" }}
   auth:
     enabled: true
@@ -66,9 +92,11 @@ redis:
 postgresql:
   enabled: true
   namespace: {{ env "POSTGRES_NAMESPACE" | default ( env "ORCHESTRATE_NAMESPACE" | default $defaultNamespace ) }}
-  username: api
-  password: such-secret
-  database: api
+  host: {{ env "POSTGRES_HOST" | default "postgresql" }}
+  port: 5432
+  username: {{ env "POSTGRES_USER" | default "api"}}
+  password: {{ env "POSTGRES_PWD" | default "such-secret" }}
+  database: {{ env "POSTGRES_DB" | default "api" }}
 
 postgresqlHA:
   enabled: false
@@ -79,10 +107,84 @@ postgresqlHA:
     database: api
     repmgrPassword: such-secret
 
+qkm:
+  enabled: true
+  url: "http://quorum-key-manager-quorumkeymanager:8080"
+  proto: https
+  fullname: "quorumkeymanager"
+  orchestrate:
+    storeName: "eth-accounts"
+    apiKey: {{ env "QKM_API_KEY" | default "NmwyMCB3YXMgaGVyZQ==" }}
+  port: 8080
+  namespace: {{ env "QKM_NAMESPACE" | default $defaultNamespace  }}
+  chart:
+    name: {{ env "QKM_CHART" | default $defaultQkmChart  }}
+    version: {{ env "QKM_CHART_VERSION" | default $defaultQkmChartVersion  }}
+
+  image:
+    repository: {{ env "QKM_REPOSITORY" | default "docker.io/consensys/quorum-key-manager" }}
+    tag: {{ env "QKM_TAG" | default $qkmTag | quote }}
+    pullPolicy: Always
+
+  b64Manifests: {{ requiredEnv "B64_MANIFESTS" }}
+
+  environment: {}
+  environmentSecrets: {}
+
+  postgresql:
+    tls:
+      enabled: false
+    host: {{ env "QKM_POSTGRES_HOST" | default "qkm-postgresql" }}
+    port: 5432
+    database: {{ env "QKM_POSTGRES_DB" | default "qkmDB" }}
+    username: {{ env "QKM_POSTGRES_USER" | default "qkm" }}
+    password: {{ env "QKM_POSTGRES_PWD" | default "qkmDBPwd" }}
+
+  auth:
+    apikey:
+      enabled: true
+      file: "/apikey/api-keys.csv"
+    oidc:
+      enabled: false
+      ca: {{ env "QKM_AUTH_OIDC_CA" }}
+      pubKey: {{ env "QKM_AUTH_OIDC_PUB_KEY" }}
+      issuer: {{ env "QKM_AUTH_OIDC_ISSUER_URL" }}
+    tls:
+      enabled: false
+      cacert: {{ env "QKM_AUTH_TLS_CA"}}
+      secretName: {{ env "QKM_AUTH_TLS_SECRET_NAME" }}
+
+  storage:
+    existingPvc: {{ env "QKM_STORAGE_EXISTING_PVC" | default "" }}
+    nfs:
+      enabled: true
+      driver: {{ env "QKM_STORAGE_NFS_DRIVER" }}
+      provisioner: {{ env "QKM_STORAGE_NFS_PROVISIONER" }}
+      fsID: {{ env "QKM_STORAGE_NFS_FS_ID" }}
+  
+  vault:
+    tls:
+      enabled: false
+    agents: {}
+
+  sync:
+    enabled: false
+    storeName: {{ env "QKM_SYNC_STORE_NAME" | default "" }}
+
+postgresql-qkm:
+    enabled: {{ env "DEPLOY_QKM_PG" | default true }}
+
 observability:
   namespace: {{ env "OBSERVABILITY_NAMESPACE" | default "observability" }}
   grafana:
     user: admin
     password: frenchfries
 
-domainName: {{ env "DOMAIN_NAME" }}
+domainName: {{ env "DOMAIN_NAME" }}
+
+
+
+test:
+ enabled: false
+ report:
+    enabled: true

environments/default.yaml

@@ -1,7 +1,8 @@
 observability:
-  enabled: true
+  enabled: false
 
 kafka:
+  enabled: false
   logRetentionHours: 1
   resources:
     requests:
@@ -15,4 +16,3 @@ zookeeper:
       memory: "512Mi"
     limits:
       memory: "1Gi"
-

environments/qa.yaml

@@ -8,7 +8,7 @@ orchestrate:
       AUTH_API_KEY: with-key
 
 observability:
-  enabled: true
+  enabled: false
 
 kafka:
   numPartitions: 3