Orchestrate v21.12.X introduces major architectural and deployement changes including:
- Keymanager has been removed in favor of a separate new key manager aka quorum-key-manager
It is recommended to rely on the latest chart available here https://github.com/ConsenSys/orchestrate-helm. Check the releases, so you can pick up the current latest version, this deployment should rely on it.
Now that the keyManager feature is separated from orchestrate you will need to install the quorum-key-manager using its own chart which you will find here https://github.com/ConsenSys/quorum-key-manager-helm
Following project also provides a deployment which you can use either directly or as an inspiration https://github.com/ConsenSys/quorum-key-manager-kubernetes
You will have to get your configuration file ready before deployment, this configuration comes in the form of a yaml file called manifests file, you may need to rely on the documentation to have it well understood and formated. Samples are also provided with the project.
You also should follow the given procedure to have the manifests well encoded.
Make sure your quorum-key-manager is reachable either from the k8s service or via tha ingress if you use that option. Orchestrate will need the new KEY_MANAGER_URLenv var to reach it.
Quorum key manager might be configured using the following mechanisms :
- OIDC: Choose this in combination with your OIDC IDP server config.
- TLS: TLS based authentication of client, use this with your certificates management policy and tools.
- API-KEY: A set of keys that must be defined by yourself, relying on a file based source that you should edit. (see the available sample given in quorum key manager project)
In case you wish to use Hashicorp Vault as a secure store for your keys it is recommended that you use our adapted image here https://hub.docker.com/r/consensys/quorum-hashicorp-vault-plugin
This image is set as the default one in the current deployment.
You will need to provide the following env vars :
AUTH_JWT_ISSUER_URL : your access token issuer url
AUTH_JWT_AUDIENCE : the current audience of your token
AUTH_JWT_ORCHESTRATE_CLAIMS : the path to orchestrate claims within the token
You will need to provide
KEY_MANAGER_CLIENT_TLS_CERT : < path to client cert >
KEY_MANAGER_CLIENT_TLS_KEY : < path to client key >
You will need to provide
KEY_MANAGER_API_KEY: the encoded API-KEY value that you have provisioned within your quorum key manager instance
Once you have gathered all your helm values and the above mentionned env vars you may proceed with the upgrade, either using the above mentionned kubernetes helmfile chart or your favorite helm tool.
If your cluster does not have a TTL controler you could need to delete the migration Job which will remain in your namespace.
You may easily find it with :
kubectl get jobs -n $ORCHESTRATE_NAMESPACE
Then deleted with :
kubectl delete Job orchestrate-api-migrate-job-XXXX -n $ORCHESTRATE_NAMESPACE