...
Step | Notes | User |
---|---|---|
Create new Organization | Create a new organization with the org_id | admin |
Setup new AWX org user | Create a new user specific to the organization, and assign admin permissions to the created organization above. It is a good idea to use a dedicated user for every organization that is deployed through AWX. Note that AWX can be used in a multitenant mode where multiple organizations can be deployed using the same AWX. | admin |
Setup org project | Create a new project named with the org name, use openIDL ansible git URL and the appropriate branch. Source Control Type: Git Source Control URL: https://github.com/openidl-org/openidl-aais-gitops.git Source control Branch: operator-develop Update Revision on Launch: Checked | org user |
Setup inventory | Create a new Inventory named with the org name (bastion-org_id). Add host using the bastion machine address Add a group named ansible_provisioners Add the bastion host to the group | org user |
Create Credentials | Create the credential types as specified below (see credentials table) | admin |
Create AWX job tempaltes | Create the AWX job templates as specified below (see AWX job templates table) | org user |
...
Credential | Description | Definition/Type |
---|---|---|
aws-git-actions | An AWS credential is used to access AWS APIs. The IAM user is created during the AWS provisioning step. This user usually should have access to AWS resources and the provisioned k8s clusters (HLF and applications k8s). The user is usually named and suffixed with git-actions admin. External AWS id is usually git-actions. The user is used by the playbooks to perform the deployment and setup actions. The credential detailed parameters can be found in the terraform state (project <org_id>-<env>-aws-resources; entry: "name": "git_actions_access_key") |
|
aws-terraform | The terraform AWS credential used to provision some resources in AWS like DNS entries. You may find the credentials of the terraform user in terraform state of your project <org_id>-<env>-iam (entry "user": "terraform_user") | The definition type is the same as defined for aws-git-actions. The definition can be re-used when creating the credential by picking the type as created above. |
git-config | Git credentials (used to pull configuration from the private repository) |
|
bastion | Bastion Machine SSH credential. This machine is bootstrapped during the AWS infrastructure provisioning step. It is used as a remote agent for the ansible playbooks. It is the entry point (gateway) to access the AWS infrastructure in order to setup and deploy the network. | Machine - an existing standard credential in AWX |
hds-access | Access information for application HDS DB. This credential is injected by the playbooks to configure the openIDL applications for access to the local carrier HDS database. The ansible playbooks don’t use it to establish a connection to the HDS and perform operations. |
|
fabric-console | Fabric Operator Console access default user/password. Used by the playbooks to inject default user and password for the fabric console deployment. Make sure the generate a strong password as it will secure properly the access to the node HLF managed. The playbooks also use this credential to connect to the console for the purpose of performing operations on the HLF nodes. Take note of that credential as the provided user and password will be required to log in to the fabric operator console. |
|
...
Playbook | Template Name | Credential | Description |
---|---|---|---|
ansible/environment-setup.yaml | <env_id>-<org_id>-environment-setup | aws-git-actions bastion git-config | Install open source tools on the bastion host. Setup the access to the cloud APIs |
ansible/deploy-fabric-ingress.yml | <env_id>-<org_id>-deploy-fabric-ingress | aws-git-actions bastion git-config | Deploy Ingress controllers (classes) and cloud load balancers for the HLF k8s cluster |
ansible/dns-zone-config-blk.yml | <env_id>-<org_id>-dns-config-blk | aws-terraform bastion git-config | Creates DNS entries to the defined domain and routes to the deployed load balancers. Specific to the HLF and Vault endpoints |
ansible/dns-zone-config-apps.yml | <env_id>-<org_id>-dns-config-apps | aws-terraform bastion git-config | Creates DNS entries to the defined domain and routes to the deployed load balancers. Specific to the openIDL application endpoints |
ansible/deploy-vault.yml | <env_id>-<org_id>-deploy-vault | aws-git-actions bastion git-config | Deploy Vault raft cluster for storing HLF identities (application and HLF nodes admins) |
ansible/deploy-fabric-operator.yml | <env_id>-<org_id>-deploy-fabric-operator | aws-git-actions bastion git-config | Deploy HLF fabric operator |
ansible/deploy-fabric-console.yml | <env_id>-<org_id>-deploy-fabric-console | aws-git-actions bastion git-config fabric-console | Deploy HLF operator console |
ansible/deploy-openidl-app-identities.yml | <env_id>-<org_id>-deploy-app-identities | aws-git-actions bastion git-config fabric-console | Registers and enrolls the openidl application identities used to transact on the openidl fabric network |
ansible/deploy-openidl-app-ingress.yml | <env_id>-<org_id>-deploy-app-ingress | aws-git-actions bastion git-config | Deploys the application ingress controller and class. Creates the applications load balancers for the applications k8s cluster. |
ansible/deploy-mongodb.yml | <env_id>-<org_id>-deploy-mongodb | aws-git-actions bastion git-config | Deploys mongoDB as application database |
ansible/deploy-openidl-app-config.yaml | <env_id>-<org_id>-deploy-app-config | aws-git-actions bastion git-config fabric-console hds-access (carrier node) | Generates and deploys the application config as secrets |
ansible/deploy-openidl-app.yaml | <env_id>-<org_id>-deploy-app | aws-git-actions bastion git-config | Deploys the openidl applications |
ansible/chaincode-private-init.yml | <env_id>-<org_id>-chaincode-init | bastion git-config fabric-console | Calls init method of the chaincode deployed on the carrier/analytics private channel |