diff --git a/sample-network/README.md b/sample-network/README.md
index 5e5713c1..7117dff4 100644
--- a/sample-network/README.md
+++ b/sample-network/README.md
@@ -40,6 +40,7 @@ For additional cluster options, see the detailed guidelines for:
 - [fabric-devenv](#vagrant-fabric-devenv): vagrant VM
 - [IKS](#iks)
 - [EKS](#eks)
+- [self-provisioned Kubernetes on AWS + ECR](#self-provisioned-kubernetes-on-aws--ecr)
 - [OCP](#ocp)
@@ -299,6 +300,44 @@ export TEST_NETWORK_INGRESS_DOMAIN=$(echo $INGRESS_IPADDR | tr -s '.' '-').nip.i
 For additional guidelines on configuring ingress and DNS, see [Considerations for Kubernetes Distributions](https://cloud.ibm.com/docs/blockchain-sw-252?topic=blockchain-sw-252-deploy-k8#console-deploy-k8-considerations).
+### Self-provisioned Kubernetes on AWS + ECR
+
+- This will push the chaincode images to AWS ECR (private authenticated container registry).
+- It will use AWS CLI for ECR related operations like login and push.
+- The same image will then be pulled from ECR by the chaincode deployed in `test-network` k8s namespace.
+
+**Prerequisites**:
+- All steps in [#EKS](#eks).
+- Make sure the AWS profile is configured with the correct AWS region and credentials for [aws-cli](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html).
+ - You could use `AmazonEC2ContainerRegistryFullAccess` for relaxed access, but this is not recommended.
+ - Refer to [ECR related AWS managed policies](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam-awsmanpol.html) for more information.
+- ECR repo as exported below under env var `TEST_NETWORK_AWS_ECR_REPO` exists in the correct region.
+
+And for ECR based container registry, export:
+
+```sh
+export TEST_NETWORK_CHAINCODE_REGISTRY="ecr"
+export TEST_NETWORK_AWS_PROFILE="default"
+export TEST_NETWORK_AWS_ACCOUNT="999999999999"
+export TEST_NETWORK_AWS_ECR_REPO="chaincodes"
+```
+
+For using this ECR registry with Kubernetes, create a secret in `test-network` namespace within your cluster:
+
+```sh
+export AWS_REGION=$(aws configure get region --profile ${TEST_NETWORK_AWS_PROFILE})
+
+kubectl create secret docker-registry regcred \
+ --docker-server="${TEST_NETWORK_AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com" \
+ --docker-username=AWS \
+ --docker-password="$(aws ecr get-login-password --region ${AWS_REGION})" \
+ --namespace=test-network
+```
+
+- Go ahead with the chaincode deployment now.
+- Test it out and make sure your cluster can pull images from the registry.
+ - If not, try mounting the secret as a volume in your deployments manually.
+
 ## Vagrant: fabric-devenv
 The [fabric-devenv](https://github.com/hyperledgendary/fabric-devenv) project will create a local development Virtual
diff --git a/sample-network/network b/sample-network/network
index 26fbcdb7..962e72e7 100755
--- a/sample-network/network
+++ b/sample-network/network
@@ -90,6 +90,11 @@ context CONSOLE_IMAGE_LABEL latest
 context DEPLOYER_IMAGE ghcr.io/ibm-blockchain/fabric-deployer
 context DEPLOYER_IMAGE_LABEL latest-amd64
+context AWS_PROFILE default
+context AWS_ACCOUNT 999999999999
+context AWS_ECR_REPO chaincodes
+context CHAINCODE_REGISTRY default
+
 export FABRIC_OPERATOR_IMAGE=${OPERATOR_IMAGE}:${OPERATOR_IMAGE_LABEL}
 export FABRIC_CONSOLE_IMAGE=${CONSOLE_IMAGE}:${CONSOLE_IMAGE_LABEL}
 export FABRIC_DEPLOYER_IMAGE=${DEPLOYER_IMAGE}:${DEPLOYER_IMAGE_LABEL}
@@ -141,6 +146,7 @@ function print_help() {
 . scripts/test_network.sh
 . scripts/channel.sh
 . scripts/chaincode.sh
+. scripts/aws_ecr.sh
 # check for kind, kubectl, etc.
 check_prereqs
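Review bot: `context AWS_PROFILE default` in the first `network` hunk reuses the variable name the AWS CLI itself reads. The `context` helper is defined outside the hunk, but if it exports its variables as the surrounding settings suggest, an `AWS_PROFILE` already set by the operator is replaced with `default` for every `aws` call the script makes unless `TEST_NETWORK_AWS_PROFILE` is also set. Defaulting to the caller's value keeps the existing behaviour for everyone else: `context AWS_PROFILE "${AWS_PROFILE:-default}"`. The dummy account in `context AWS_ACCOUNT 999999999999` would be better left empty and rejected in `ecr_login`, so a run with `CHAINCODE_REGISTRY=ecr` and no account configured stops with a clear message instead of attempting a registry login against a host built from a placeholder id.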
diff --git a/sample-network/scripts/aws_ecr.sh b/sample-network/scripts/aws_ecr.sh
new file mode 100644
index 00000000..1c4b3810
--- /dev/null
+++ b/sample-network/scripts/aws_ecr.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+aws_env() {
+ push_fn "Check AWS CLI access for ${ECR_RESOURCE}"
+
+ AWS_ACCESS_KEY_ID=$(aws configure get aws_access_key_id --profile ${AWS_PROFILE})
+ AWS_SECRET_ACCESS_KEY=$(aws configure get aws_secret_access_key --profile ${AWS_PROFILE})
+
+ ECR_USER=AWS
+ ECR_REGION=$(aws configure get region --profile ${AWS_PROFILE})
+
+ export ECR_RESOURCE=${AWS_ACCOUNT}.dkr.ecr.${ECR_REGION}.amazonaws.com
+
+ pop_fn
+}
+
+ecr_login() {
+ # exported variables used:
+ # AWS_PROFILE
+ # AWS_ACCOUNT
+
+ aws_env
+
+ push_fn "Login to AWS ECR ${ECR_RESOURCE}"
+
+ aws ecr get-login-password --region ${ECR_REGION} | \
+ $CONTAINER_CLI login --username ${ECR_USER} --password-stdin ${ECR_RESOURCE}
+
+ pop_fn
+}
diff --git a/sample-network/scripts/chaincode.sh b/sample-network/scripts/chaincode.sh
index 11475137..81af0a31 100755
--- a/sample-network/scripts/chaincode.sh
+++ b/sample-network/scripts/chaincode.sh
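Review bot: `aws_env` reads the profile's long-term `aws_access_key_id` and `aws_secret_access_key` into `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, and nothing in this file uses them afterwards. The secret ends up in shell state where a `set -x` trace would print it, the assignments overwrite credentials of the same name already exported in the environment, and both lookups come back empty for profiles with no static keys; the two lines should be dropped. The first `push_fn` message expands `${ECR_RESOURCE}` before the function has set it. The `get-login-password` call in `ecr_login` passes no `--profile`, so the token can come from a different identity than the profile the region was read from. An empty region is also not caught, which yields a malformed registry host. The rewrite below drops the key reads, quotes the expansions and fails on a missing region.

```shell
aws_env() {
  push_fn "Check AWS CLI access for profile ${AWS_PROFILE}"

  ECR_USER=AWS
  ECR_REGION=$(aws configure get region --profile "${AWS_PROFILE}")

  # Abort instead of building "<account>.dkr.ecr..amazonaws.com" from an empty region.
  export ECR_RESOURCE="${AWS_ACCOUNT:?AWS_ACCOUNT is not set}.dkr.ecr.${ECR_REGION:?no region configured for profile ${AWS_PROFILE}}.amazonaws.com"

  pop_fn
}

# … unchanged: ecr_login header comment, aws_env call, push_fn …
  aws ecr get-login-password --profile "${AWS_PROFILE}" --region "${ECR_REGION}" | \
    $CONTAINER_CLI login --username "${ECR_USER}" --password-stdin "${ECR_RESOURCE}"
```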
@@ -17,6 +17,34 @@
 # limitations under the License.
 #
+function set_ecr_image_tag() {
+ # converts local "/" separated image name to an appropriate ECR tag used in AWS_ECR_REPO
+ # Example: fabric-samples/asset-transfer-basic/chaincode-java:latest -> asset-transfer-basic_java_latest
+
+ local cc_local_image=$1
+ ECR_IMAGE_TAG=$(python -c 'import sys; p=sys.argv[1]; p=p.split("/")[-3:]; cc=p[1]; lang=p[-1].split("-")[-1]; tag="latest"; print(f"{cc}_{lang}_{tag}")' ${cc_local_image})
+}
+
+function ecr_load_image() {
+ local cc_local_image=$1
+
+ ecr_login ${AWS_PROFILE} ${AWS_ACCOUNT}
+
+ local aws_ecr="${ECR_RESOURCE}/${AWS_ECR_REPO}"
+
+ set_ecr_image_tag ${cc_local_image}
+
+ CHAINCODE_IMAGE="${aws_ecr}:${ECR_IMAGE_TAG}"
+
+ push_fn "Tag chaincode image for ECR"
+ $CONTAINER_CLI tag ${cc_local_image} ${CHAINCODE_IMAGE}
+ pop_fn
+
+ push_fn "Load chaincode image into ECR"
+ $CONTAINER_CLI push "${CHAINCODE_IMAGE}"
+ pop_fn
+}
+
 # Convenience routine to "do everything" required to bring up a sample CC.
 function deploy_chaincode() {
 local cc_name=$1
@@ -33,8 +61,11 @@ function deploy_chaincode() {
 build_chaincode_image ${cc_folder} ${CHAINCODE_IMAGE}
+ # push to container registry
 if [ "${CLUSTER_RUNTIME}" == "kind" ]; then
 kind_load_image ${CHAINCODE_IMAGE}
+ elif [ "${CLUSTER_RUNTIME}" == "k3s" ] && [ "${CHAINCODE_REGISTRY}" == "ecr" ]; then
+ ecr_load_image ${CHAINCODE_IMAGE}
 fi
 launch_chaincode ${cc_name} ${CHAINCODE_ID} ${CHAINCODE_IMAGE}
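Review bot: `set_ecr_image_tag` does not produce the tag its own comment promises. For the example input `fabric-samples/asset-transfer-basic/chaincode-java:latest`, the Python one-liner keeps the `:latest` suffix in `lang` and then appends a hard-coded `latest`, giving `asset-transfer-basic_java:latest_latest`. That puts a second colon into `${aws_ecr}:${ECR_IMAGE_TAG}`, which is not a valid image reference. An image name with fewer than two path components raises an `IndexError` on `p[1]` and leaves `ECR_IMAGE_TAG` empty, and the f-string requires `python` to resolve to Python 3. The rewrite below uses parameter expansion instead, honours the tag on the input and rejects a result outside the tag character set. Separately, `ecr_load_image` passes `${AWS_PROFILE} ${AWS_ACCOUNT}` to `ecr_login`, which per `scripts/aws_ecr.sh` takes no arguments.

```shell
function set_ecr_image_tag() {
  # … unchanged: header comment …
  local cc_local_image=$1
  local name=${cc_local_image##*/}    # last path component, e.g. chaincode-java:latest
  local parent=${cc_local_image%/*}   # everything before it
  local tag=latest

  if [[ "${name}" == *:* ]]; then
    tag=${name##*:}
    name=${name%%:*}
  fi

  ECR_IMAGE_TAG="${parent##*/}_${name##*-}_${tag}"

  if [[ ! "${ECR_IMAGE_TAG}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
    echo "Cannot derive a valid ECR tag from ${cc_local_image}" >&2
    return 1
  fi
}
```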
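Review bot: The new `elif` in `deploy_chaincode` only fires when `CLUSTER_RUNTIME` is `k3s`, so `CHAINCODE_REGISTRY=ecr` with any other runtime value is silently ignored and `launch_chaincode` receives an image name that was never pushed. The README section added in this commit does not itself state the k3s requirement. Either key the branch on the registry alone, `elif [ "${CHAINCODE_REGISTRY}" == "ecr" ]; then`, or add a comment saying why k3s is required. The result of `ecr_load_image` is not checked either, so unless the script runs under `set -e` (not visible here) a failed login or push still proceeds to `launch_chaincode`; `ecr_load_image ${CHAINCODE_IMAGE} || return 1` would stop it. `deploy_chaincode` starts and ends outside the hunk.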