m BAF - Hyperledger Automation Framework
- jim mason
Key Points
- Automates deployment for Fabric, Quorum, Corda to Kubernetes
- uses Ansible playbooks with Helm charts
- manages deployments with Docker, Kubernetes on any cloud
- all open-source, few prereqs
References
| Reference_description_with_linked_URLs_______________________________ | Notes_______________________________________________________ |
|---|---|
| https://github.com/hyperledger-labs/blockchain-automation-framework | BAF on github |
| https://www.hyperledger.org/blog/2018/01/23/introducing-hyperledger-labs | Hyperledger Labs |
| https://blockchain-automation-framework.readthedocs.io/en/latest /developer/dev_prereq.html | BAF docs |
| https://github.com/hyperledger-labs | |
| https://wiki.hyperledger.org/display/labs/Blockchain+Automation+Framework | |
Key Use Cases
Supply Chain example for BAF
https://blockchain-automation-framework.readthedocs.io/en/latest/example/supplychain.html
Welcome to the Supply Chain application which allows nodes to track products or goods along their chain of custody, providing everyone along the way with relevant data to their product. The implementation has been done for Hyperledger Fabric and R3 Corda. The two will slightly differ in behavior but follow the same principles. There are two types of items that can be tracked, products and containers. Products are defined as such:
| Field | Description |
|---|---|
| trackingID | which is a predefined unique ID, also a UUID, which is directly extracted from a QR code. |
| participants | List of parties that will be in the chain of custody for the given product (extracted from QR code) |
| custodian | Party details of the current holder of the good.. This is changed to null when items are scanned out of possession and set to new owner upon scanning into possession at next node |
| health | Data from IOT sensors regarding condition of good (might only store min, max, average values which are stored on the local device until custodian changes or something to minimize constant state changes) NOTE: This value is obsolete and not used right now, it'll remain for future updates. |
| productName | Item name extracted from the QR |
| timestamp | Time at which most recent change of hands occurred |
| misc | Other data which is configurable and is being mapped from QR code |
| containerID | ID of any outer containing box. If null, behave normally. If container exists, then custodian should be null and actually be read from the ContainerState |
Note on product schema
- IF no container, need added field — custodian status ... custodied, shipped
- without custodian status - don't know where product is in the chain IF next custodian hasn't recorded it as custodied
- same field should be in ContainerState for containerd products
- some products have other key attributes ( temperature min / max, GPS location etc )
- how is scrap, loss recorded by a Custodian??
- how are route changes handled ?? ( shipper A not available so B added to route ?)
The creator of the product will be marked as its initial custodian. As a custodian, a node is able to package and unpackage goods. Packaging a good stores an item in an existing ContainerState structured as such:
| Field | Description |
|---|---|
| trackingID | which is a predefined unique ID which is directly extracted from a QR code |
| participants | List of parties that will be in the chain of custody for the given product (extracted from QR code) |
| custodian | Party details of the current holder of the good.. This is changed to null when items are scanned out of possession and set to new owner upon scanning into possession at next node |
| health | Data from IOT sensors regarding condition of good (might only store min, max, average values which are stored on the local device until custodian changes or something to minimize constant state changes) NOTE: This value is obsolete and not used right now, it'll remain for future updates. |
| timestamp | Time at which most recent change of hands occurred |
| misc | other data which is configurable and is being mapped from QR code |
| containerID | ID of any outer containing box. If null, behave normally. If container exists, then custodian should be null and actually be read from the ContainerState |
| contents | list of linearIDs for items contained inside |
Products being packaged will have their trackingID added to the contents list of the container. The Product will be updated when its container is updated. If a product is contained it can no longer be handled directly (ie transfer ownership of a single product while still in a container with others).
- this prevents allocation or sale of individual products which is sometimes needed
Any of the participants can scan the QR code to claim custodianship. History can be extracted via transactions stored on the ledger/ within the vault.
As mentioned before, items are identified by their QR code. These codes are meant to be generated about a product and used to interact with a product. The QR will store a parsable JSON body with the following format:
| Field | Description |
|---|---|
| productName | Item name extracted from the QR |
| trackingID | which is a predefined unique ID which is directly extracted from a QR code |
| counterparties | List of parties that will be in the chain of custody for the given product (extracted from QR code) |
| misc | other data which is configurable and is being mapped from QR code |
Also containers are identified by their QR code. These codes are meant to be generated about a container and use to interact with a container. The QR will store a parsable JSON body with the following format:
| Field | Description |
|---|---|
| trackingID | which is a predefined unique ID which is directly extracted from a QR code |
| counterparties | List of parties that will be in the chain of custody for the given product (extracted from QR code) |
| misc | other data which is configurable and is being mapped from QR code |
Prerequisites
- The supplychain application requires that nodes have subject names that include a location field in the x.509 name formatted as such:
L=<lat>/<long>/<city> - Fabric or Corda network of 1 or more organizations
Setup Guide
The setup process has been automated using Ansible scripts, GitOps, and Helm charts. The files have all been provided to use and require the user to populate the network.yaml file accordingly.
The playbooks are as listed:
- platforms\r3-corda\configuration\deploy_cordapps.yaml
- platforms\hyperledger-fabric\configuration\chaincode-install-instantiate.yaml
- examples\supplychain-app\configuration\deploy-supplychain-app.yaml
These playbooks make use of several roles defined within
- create/corda/api_components
- create/corda/api_values
- create/fabric/api_components
- create/fabric/api_values
- create/frontend
They are responsible for creating the helm release files for the platform specfic rest service, the nodejs api abstraction layer, and the front end.
Jenkinsfiles have also been provided to automate the execution of these playbooks and other additional steps:
- buildFrontendImages.jenkinsfile - Build images for frontend and pushes to the desired container repository
- buildImages.Jenkinsfile - Build images for rest server and nodejs application
- deployChaincode.Jenkinsfile or deployCorDapps.Jenkinsfile - Follows the necessary steps to deploy the platforms smartcontracts to the existing network
- deployApp.Jenkinsfile - Uses ansible playbooks to create helm releases which GitOps uses to deploy the rest server, nodejs app, and frontend images.
The jenkins pipelines can automate the execution of the ansible playbooks as well as pass in any values that are not to be hardcoded in the network.yaml file
Generating QR code
Products and containers are identified by their QR code. These codes need to be generated for interacting with products and contianers. A module for generating QR is provided along with this sample. The QR generating module can be found on the location:
smaple-home/generate/qr
Module for generating QR code is divided into two sections. The first section is generating QR code for the product. Codes from the first section are meant to be generated about a product and are used to interact with the product.
Following are the required fields in the QR Code generation form for the products along with the format:
| Field | Format | Description |
|---|---|---|
| Product Name | string | Name of the Product |
| Tracking ID | string | A predefined unique ID for product |
| Type | string | Must match asset in /public , for misc argument |
| Product Details | JSON key:value format | Used for misc argument, eg {"name":"Expensive Dextrose"} |
| Counter Parties | CSV, no spaces | Counter parties should be of the format that the DLT network can identify. E.g. For Corda, these are the Node OUs, and for Fabric, these are the subjects of Anchor Peers. |
The second section is provided for generating the QR code for the containers. Codes from this section are meant to be generated about a container and used to interact with a container.
Following are the required fields in the QR Code generation form for the containers along with the format:
| Field | Format | Description |
|---|---|---|
| Name | string | Name of the Container |
| Tracking ID | String | A predefined unique ID for container |
| Type | string | Must match asset in /public , for misc argument |
| Counter Parties | CSV, no spaces | Counter parties should be of the format that the DLT network can identify. E.g. For Corda, these are the Node OUs, and for Fabric, these are the subjects of Anchor Peers. |
Key Concepts
https://blockchain-automation-framework.readthedocs.io/en/latest/index.html
What is the Blockchain Automation Framework?
The Blockchain Automation Framework is an automation framework for delivering consistent production ready DLT networks on cloud based infrastructures.
The Blockchain Automation Framework (BAF) provides 3 key features:
- Security: BAF provides a secure environment for DLT development. BAF has best practices of key management and other security features available by default.
- Scalability: BAF has a scalable network implementation, a user can easily scale the environment and resources according to his/her needs.
- Acceleration: BAF will help in providing a blockchain solution that drives acceleration up to deployment providing an oppourtunity to participate in those deliveries and drive more services.
Blockchain Automation Framework makes use of Ansible, Helm, and Kubernetes to deploy production DLT networks. Specifically, it makes use of Ansible for configuration of the network by DevOps Engineers. It then uses Helm charts as instructions for deploying the necessary components to Kubernetes. Kubernetes was chosen to allow for Blockchain Automation Framework to deploy the DLT networks to any cloud that supports Kubernetes.
Blockchain Automation Framework currently supports Corda, Hyperledger Fabric, Hyperledger Indy and Quorum. It is the intention to add support for Hyperledger Besu and Corda Enterprise in the near future. Other DLT platforms can easily be added.
Getting Started
To get started with the framework quickly, follow our Getting Started guidelines.
Detailed operator and developer documentation is available on our ReadTheDocs site.
The documentation can also be built locally be following instructions in the docs folder.
Hyperledger Fabric
For Hyperledger Fabric, we use the official Docker containers provided by that project. A number of different Ansible scripts will allow you to either create a new network (across clouds) or join an existing network.
- Introduction
- Release notes
- Key Concepts
- Getting Started
- Operations Guides
- Developer Guide
- Sample Usage
- Roadmap
- Architecture Reference
- Commands Reference
- Frequently Asked Questions
- Glossary
- Contributing
- Maintainers for the Blockchain Automation Framework
BAF key features
- The Blockchain Automation Framework deployment scripts can be reused across cloud providers like AWS, Azure, GCP, and OpenShift
- Can deploy networks and smart contracts across different DLT platforms
- Supports heterogeneous deployments in a multi-cloud, multi-owner model where each node is completely owned and managed by separate organizations
- Bring Your Own Infrastructure (BYOI) - You provide GIT, Kubernetes cluster(s), and Hashicorp Vault services provisioned to meet your specific requirements and enterprise standards
- No network size limit
- Specify only the number of organizations and the number of nodes per organization in a network.yaml file uniquely designed in the Blockchain Automation Framework for a new DLT network set-up and its future maintainance
- Provides an example supply chain application which runs on multiple DLT platforms that can be used as a reference pattern for how to safely abstract application logic from the underlying DLT platform
BAF Attributes
Multi-Cloud service providers support
The Blockchain Automation Framework’s scripts do not stick to any one of the Cloud service provider. On the contrary, they can be used on any Cloud platform as long as all the prerequisites are met.
Multi-DLT platforms support
The Blockchain Automation Framework supports an environment of multi-clusters for the spin-up of a DLT network (e.g. Hyperledger Fabric or R3 Corda). Regardless of unique components (e.g. channels and orderers in Fabric, and Doorman, Notary in Corda) designed in each platform which makes the DLT ecosystems be heterogeneous, the Blockchain Automation Framework does remove this complexity and challenge by leveraing a uniquely-designed network.yaml file, which enables set-up of a DLT network on either platform to be consistent.
No dependency on managed K8s services
Setting up a DLT network does not depend on a managed K8s services, which means non-managed K8s clusters can be used to make a DLT network set-up happen.
One touch/command deployment
A single Ansible playbook called site.yaml can spin up an entire DLT network and a substantial amount of time can be reduced which is involved in configuring and managing the network components of a Corda or Fabric DLT network.
Security through Vault
HashiCorp Vault is used to provide identity-based security. When it comes to managing secrets with machines in a multi-cloud environment, the dynamic nature of HashiCorp Vault becomes very useful. Vault enables the Blockchain Automation Framework to securely store and tightly control access to tokens, passwords, certificates, and encryption keys for protecting machines, applications, and sensitive data.
Sharing a Network.yaml file without disclosing any confidentiality
The Blockchain Automation Framework allows an organization to use a configured network.yaml file to set up an initial DLT network and a first node in the network, and allows this file to be shared by new organizations that will have to join this DLT network to reuse this network.yaml file, but without revealing any confidential data of the first
building blocks used in the Blockchain Automation Framework’s architecture design.
Ansible
- ansible: it is the simplistic command line tool that enables a user to quickly achieve simple IT tasks, e.g. list one or more local/remote machines’ information.
- ansible-playbook: it is an advanced command line that will run one or more Ansible playbooks (i.e. YAML files that have all the steps configured to achieve one or more complex tasks). Ansible roles are defined to group relavant configurations together that can be resuable in multi playbooks.
- ansible-galaxy: it is an advanced command line that can run existing Ansible roles predefined by other users in the Ansible community.
Kubernetes Services
Container
A Docker Container is an ephermeral running process that have all the necessary package dependencies within it. It differentiates from a Docker Image that is a multi-layered file. A container is much more light-weighted, standalone and resuable compared to a Virtual Machine (VM).
Cluster
A cluster of containers is grouped by one or more running containers serving different purposes with their duplicates that can ensure high availability of services. One example of a cluster is Docker Swarm.
Kubernetes
Kubernetes (K8s) is an open-source system for automating deployment, scaling and maintaining containerized applications. Kubernetes provisions more advanced configurations and features to set up a cluster compared to Docker Swarm, which make it a very strong candidate in any production-scale environments.
Managed Kubernetes Services
The open-source K8s services requires technicians to set up an underlying infrastructure and all initial K8s clusters, but the setting-up process is normally time-consuming and error-prone. This is why K8s is well known for its deep learning curves. To alleviate this complex process for users, many Cloud service providers such as AWS, Azure and GCP have provisioned their own Managed K8s Services.
The Blockchain Automation Framework leverages Kubernetes’s various features for deploying a DLT network along with other required services in one or more K8s clusters. All the current functions have been tested on Amazon K8s Services (AKS) as a managed K8s service, but in theory they should work on a non-managed K8s service as well.
Ambassador
Ambassador is an open-source microservices API gateway designed for K8s.
The Blockchain Automation Framework uses Ambassador to route traffic amongst multiple K8s clusters. For each K8s cluster, an Ambassador Loadbalancer Service will be created to sit inside it. A user has to manually use a DNS server (e.g. AWS Route53) to map the public IP of the Ambassador Service to a DNS name for each cluster. Optionally, you can configure External-DNS on the cluster and map the routes automatically. Automatic updation of routes via External DNS is supported from BAF 0.3.0.0 onwards.
A simplistic view of how Ambassador works is as follows: If a pod in Cluster1 wants to reach a target pod in Cluster2, it will just use the Domain address or IP in Cluster2 and then Cluster2 Ambassador will route the traffic to the target pod in Cluster2.
NOTE: If only one cluster is used in a DLT network, Ambassador may not be needed, but it will still be installed (if chosen).
HAProxy Ingress
HAProxy Ingress is another way of routing traffic from outside your cluster to services within the cluster. This is implemented in BAF Fabric from Release 0.3.0.0 onwards as we were unable to configure Ambassador to do ssl-passthrough for GRPC.
in BAF, HAProxy Ingress does the same thing as Ambassador does i.e. it routes traffic amongst multiple K8s clusters. For each K8s cluster, an HAProxy Ingress Loadbalancer Service will be created to sit inside it. A user has to manually use a DNS server (e.g. AWS Route53) to map the public IP of the HAProxy Service to a DNS name for each cluster. Optionally, you can configure External-DNS on the cluster and map the routes automatically. Automatic updation of routes via External DNS is supported from BAF 0.3.0.0 onwards.
NOTE: If only one cluster is used in a DLT network, HAProxy may not be needed, but it will still be installed (if chosen).
Helm
Essentially, Helm is a package manager for K8s. Helm Charts are configuration files designed for K8s to help define, install and upgrade complex K8s applications.
Helm brings below features:
- Predictable deployments.
- Maintains “Bill of Materials” of all the pods that work together to deliver the application.
- Keeps (forces) a team to stay synchronised.
- Strong version control.
- Easier testing and QA.
- Rollbacks on an application level, not just an one-off pod level.
The Blockchain Automation Framework uses Helm Charts for designing and configuring the architecture of each DLT platform for its own network set-up.
Hashicorp Vault - certificate management
HashiCorp Vault provisions a secure approach to store and gain secret information such as tokens, passwords and certificates.
The Blockchain Automation Framework relies on Vaults for managing certificates used in each node of a DLT network during the lifecycle of a deployment, and it is a prerequisite that the Vault is installed and unsealed prior to deployment of a DLT network.
Installation
There are two approaches to installing Vault:
- Using a precompiled binary
- Installing from source
Downloading a precompiled binary is easiest and provides downloads over TLS along with SHA256 sums to verify the binary. Hashicorp also distributes a PGP signature with the SHA256 sums that should be verified.
Securing RPC Communication with TLS Encryption
Securing your cluster with TLS encryption is an important step for production deployments. The recomended tool for vault certificate management is Consul. Hashicorp Consul is a networking tool that provides a fully featured service-mesh control plane, service discovery, configuration, and segmentation.
Consul supports using TLS to verify the authenticity of servers and clients. To enable TLS, Consul requires that all servers have certificates that are signed by a single Certificate Authority (CA). Clients should also have certificates that are authenticated with the same CA.
After generating the necessary client and server certificates, the values.yaml file tls field can be populated with the ca.cert certificates. Populating this field will enable or disable TLS for vault communication if a value present.
The latest documentation on generating tls material with consul can be found at: https://learn.hashicorp.com/consul/security-networking/certificates
Gitops
GitOps introduces an approach that can make K8s cluster management easier and also guarantee the latest application delivery is on time.
The Blockchain Automation Framework uses Weavework’s Flux for the implementation of GitOps and executes an Ansible role called setup/flux defined in its GitHub repo that will
- Scan for existing SSH Hosts
- Install Tiller on cluster
- Authorize client machine as per kube.yaml
- Add weavework flux repository in helm local repository
- Install flux
Potential Value Opportunities
Potential Challenges
Performance
Candidate Solutions
Step-by-step guide for Example
sample code block