Okay, we are live. Hello, everyone, and welcome. Good morning, good afternoon. It's a pleasure to see you again for the second workshop in the Hyperledger Bevel workshop series. Today we'll talk about HashiCorp Vault for Hyperledger Bevel. The Hyperledger Bevel workshop series is a great opportunity to learn about this exciting new technology. Don't miss out: register for the next session, which will be the final one. I'll drop a link to the next event in the chat. Please welcome Sonik Roy, our speaker. He is a technical architect at Accenture and a maintainer of Hyperledger Bevel, and he will tell you everything about Bevel. Please welcome Sonik. Could you start?

Yeah. Hi, everyone. Hello. So welcome to the second session of this workshop series. We had the first one last week, and then we have the third and last one, I think in two days; you have the details in the chat. So, the Bevel workshop series: Hyperledger Bevel is the newest Hyperledger project. Today's session will be about deploying HashiCorp Vault; the previous session was about deploying the Kubernetes cluster. I don't know if we can raise hands here, but everyone who is here will be working along. Again, this is a hands-on workshop, so you're expected to run the commands as we go along. Is everyone who is here as a participant able to access their own Kubernetes cluster? Just a show of hands, or say yes in the chat. Okay. This is just the antitrust policy notice for the recording and the live session. For those who said no, this is one of the prerequisites for this session. You may watch the recording, which is on YouTube, on how to deploy a managed Kubernetes cluster; it should be fairly easy if you're using a managed cluster.
This session is for deploying Vault on that same Kubernetes cluster. So here's a question for everyone, which you can answer in the chat: what is Vault in general? When you hear the term "vault", what do you understand, in plain and simple English? Okay, got some good answers. Whoever gave the generic answer, yes: Mahesh says a place to keep things securely, and Alex says a secret store. That is correct. In the general sense, a vault is where you store things securely, like the vault you have at home, for example. When it comes to software, we have a vault which is used for storing secrets and credentials. It is not a credential management tool; I guess many people have said that it is a credential management tool. It is not managing any credentials. It is just giving a secure way to store and access credentials: storage and retrieval of credentials or secrets. They can be passwords; in Bevel we generally use it to store the public keys and the private keys. So that's more or less correct, but just to correct whoever said it is a credential management tool: it is storage and retrieval, and it gives a lot of different options.

Just briefly on the history of why we chose HashiCorp Vault in Hyperledger Bevel: HashiCorp Vault provides an abstraction, for similar reasons to why we chose Kubernetes as an abstraction layer. HashiCorp Vault is providing the abstraction layer on top of the cloud provider, so you are not tied to a single cloud provider, because all cloud providers have their own key management systems, or key storage and retrieval.
But that would mean that you get tied to a specific cloud provider if Hyperledger Bevel said, oh, it only supports AWS KMS or Azure Key Vault. To avoid that, we are using HashiCorp Vault. HashiCorp Vault can be deployed similarly to Kubernetes: it can be deployed on a laptop or a desktop, on the cloud, or even in your very highly secure data centers. And then you have all the other advantages of Vault, which is that it can connect to and use the native cloud-provided KMS services to integrate some aspects of Vault. For example, in our case on AWS, in our dev and test environments, we use auto-unseal with AWS KMS itself. All of these can be integrated with Vault to make it much more secure. That was the reason for the selection of Vault. Any questions so far? Okay, if not, then for today's session these are the prerequisites: you should have a Kubernetes cluster, and of course a laptop or desktop from which you are connecting.

So let's start the hands-on workshop. You should have access to your Kubernetes cluster, up and running. If you have put it to sleep, with the nodes scaled to zero, just increase the number of nodes so that you have a working cluster. I'll go back and share the link in the chat. So we are here again; maybe I'll put it here and run the commands from my terminal, which should be visible from Zoom. Before we start, you can check your Kubernetes config. Mine is here, and I just ran the same command, kubectl get pods -A, to check that I am on the right Kubernetes cluster. As you can see, it's my Google Kubernetes cluster, which doesn't have anything additional right now, mostly the kube-system pods that are running for the specific GKE cluster that I have created.
Okay. First, there are some concepts in the deployment guide. We are using a basic deployment guide so that you don't get confused with how to do it on Minikube or using Consul; we will use very basic things.

Question: how do we get the config on the laptop? It depends. I'm showing Kubernetes on GKE, so I'm on Google. How you get it on your laptop is, first, by default it will be in ~/.kube/config, your default kubeconfig. If you want to save it in another place, you can export KUBECONFIG as a variable and give the path where you want to store your kubeconfig. For me it is in ~/.kube, and I renamed the file bevel-workshop-ws.yaml. Once that is set, you go to your cloud console, open the Kubernetes cluster details, and there is a "connect" option with a command; you copy this and run it here, and that's how you get your Kubernetes config onto your laptop. It will be a little different for AWS. If you're using Minikube, it should already be set by default at ~/.kube/config. You can also check whether you have the right kubeconfig with the command kubectl config view; it shows my kubeconfig details. Hopefully that answered the question.

There are some details on the Vault reference architecture and so on; we will skip that for now, and you can read it in your own time. To run this, of course, you will also need Helm. I already have Helm on my system; if not, you can get Helm by downloading it, and I'll give you the link as well. Please download Helm 3, which should be the default Helm. I am using 3.6.1, so you can use that as well.
Okay, so let's start. We'll first create a separate namespace on Kubernetes with the command kubectl create namespace vault; the name of the namespace is vault. A namespace is a logical separation inside Kubernetes, almost similar to domain names in DNS. If you create a namespace for Vault and then create resources in that namespace, then by default only resources in that namespace will have access. The advantage is also that you can directly delete a whole namespace, and everything that was inside the namespace gets deleted. We'll do that, and that should create a namespace called vault. You can check the namespaces by running the command kubectl get namespaces. As you see, by default Kubernetes had these namespaces: default, kube-node-lease, kube-public and kube-system, and I just now created the namespace called vault; as you see, its age is 10 seconds. Then you can check what objects you have in your namespace. We don't have any objects right now.

The next step is to set up the Helm repo, so let's do that with the command. If you get that error, it means your Kubernetes is not running or your kubeconfig file is wrong, and hence I said that before you start you should check by running kubectl get pods -A. The command is here; I'm not sure why you're not able to see the whole thing. Okay. What I did was add the Helm repo. Helm is a package manager similar to npm, but for Kubernetes. With Helm you have what we call Helm charts, which hold everything that is related to a specific release. You can store those charts in Helm repositories, and you have a name for that Helm repo.
This command adds that Helm repo to your local Helm repositories, basically, which is what it says: "hashicorp" has been added to your repositories. Then you search for that particular chart with the next command, which is helm search repo hashicorp/vault. It shows the latest one here: the chart version is 0.21, but the app version is 1.10.3. One thing: here the app version means the HashiCorp Vault version. Vault 1.10.3 is not supported; the highest we are supporting right now is 1.7.4, so we'll have to install that version. What we'll do is search for the rest of the versions with helm search repo hashicorp/vault --versions. 1.7.4 is not there, so we can use 1.7.3 because it is lower than 1.7.4. Everyone, any questions so far? Nope. Okay. Did you get your Kubernetes config corrected so that you are able to connect to the cluster by now? Okay. When you attended the in-person workshop in London, I thought we had already reached this point, but maybe you deleted the cluster and recreated it, and hence it needs a new kubeconfig file.

For the next command, we are now installing the Helm chart. In this place there is a kind of common pattern for how you run a Helm command. In general, you do helm install, then you give the release name, then the chart name, then the namespace into which this release will be deployed, and then, because we have to deploy a specific chart version, the version. As listed here, the version we'll be using is 0.13.0, because that is what deploys Vault version 1.7.3, which we want. So you copy this and run the command with the version. Okay, that's it.
I'll paste this command in the chat. Okay, now it says it has been deployed. Let's see how it looks. If you do kubectl get all, we see it has been deployed. If we do kubectl -n vault get all, we have two pods, then the services, and then a deployment and so on. There's one thing wrong here, which is that the service is a ClusterIP. That's a problem, because we need this service to be available over the internet, and hence it should be a LoadBalancer. We'll have to fix that.

How do we fix it? We'll create a small file called override; the details are in the guide that we're following itself, but I'll do additional things as well. So, an editor: I'm writing a file here. I'm using Atom, but you can use your preferred editor, no issue with that. The only thing it needs is this part where you're enabling the Vault UI. I'll show you the section here: I just copied this part from the end of this file, because this is a sample override file, which you can use to override the default values that were set when you ran the helm install command. What this is saying is to enable the UI, use the service type LoadBalancer and not a NodePort (it says null), and set the external port to 8200. In some cases you may have restrictions on those ports, like not being allowed to access 8200; in that case you can change this port. If you look at the guide, you can also see that for added security you can add source IP ranges on the load balancer as well, so that only those IPs will be able to connect to Vault.
But anyway, because it is secure, Vault will of course have access control. And this is you doing a test; in real-life scenarios, of course, Vault will be inside the DMZ or behind the firewall, and it should not be exposed over the internet. We are using it this way just to make it easier. Then you save this file as a YAML file; I've saved it here. Then I'll uninstall the existing Vault first; that's easiest. You can also upgrade, but I'll uninstall, and I'll show you the command as well. You uninstall a Helm release with a simple command, helm uninstall; you give the namespace, because the release was created in this namespace, and then the name of the release, which is vault. So that has been uninstalled. Now we'll redo the installation. Yeah, I'll cat it, just a second. Okay, so we redo the installation with the -f flag, which basically means providing this file as the override values. Everything else remains the same; just add -f with the override values file. Now, if we look at get all, we'll see that you have vault-ui, which is creating a load balancer. The external IP is still pending, but it will surely come up soon; we'll have to wait for that, because creating an external IP takes a little bit of time. Any questions so far? I'll run that again. So yeah, we have the external IP. Now with the external IP I will go there, and we know the port because we asked for this port, and that's how you get the Vault UI. Right. James, I didn't get you. Sorry, the reinstall? You mean the uninstall? I'll give the command for the uninstall as well; it should be here. That's the uninstall, and that's the reinstall with the override parameters file. Okay, so now you are at the Vault UI.
I just grabbed the IP address, or I can also do kubectl get services -n vault. If I do that, I'll see that vault-ui has a service of type LoadBalancer, and this is the only service that has an external IP. I copy the external IP, and the port is 8200; if you're not sure, you can also check there that the port is 8200. If you're using a different port, you grab that port. So I opened it, and by default it will forward to this page. This is only at the start of your Vault, because the Vault has just been installed for the first time, so it has to be initialized. The second time, it will be different.

Once you're here, there are two options. Basically, this is how you create the number of unseal keys. Like a physical vault, every vault needs a key to unseal it, to unlock it, and for that you need unseal keys. For now, we can do one and one: that means you will get only one key, and you have to provide one key. But generally, in other scenarios, you should have something like five and three: that means you will generate five keys, but you will need at least three of those five keys to unseal. This is a dev environment, so I'll use one and one to create the master keys.

Should an ingress be used with the load balancer that Bevel deploys? I'm not sure about the question, because we have not used Bevel at all so far; this is just a pure Vault deployment, and Bevel has not been used yet. If the question is about Bevel, which we'll be doing in two days' time: Bevel deploys a load balancer for Ambassador, or for HAProxy. HAProxy is only used for Fabric. That's where Bevel deploys a load balancer. Should Vault be deployed on the same cluster as Bevel? No, that is not necessary; you can deploy Vault on a different cluster as well.
I'm showing the deployment of Vault on the cluster because that's the easiest thing to do right now. If you deploy it on a separate cluster, you have to ensure that the Bevel cluster and the Vault cluster are able to talk to each other on that port. If you follow our Discord channel, there were some questions regarding that, because I guess someone deployed Vault on their own machine but deployed the cluster on GKE, on the cloud, and then the cloud Kubernetes was not able to reach the Vault on the machine, because that's not how it works. But it is possible; it is not that Vault has to be on the cluster. In essence, when we deploy this for clients, we create Vault on a separate VM instead of on the Kubernetes cluster.

Okay, so this will generate keys, which I'll hide from the recording. Just click on Initialize. If you get an SSL error, you are trying to use HTTPS, but maybe it is not HTTPS, James. Okay, it is not showing, so I'm safe. If I click that, you will have the initial root token and the key; I have downloaded the keys, and I will just continue to unseal. Again, as I said, for unsealing you need to provide one of the keys. Let's do that. And now the Vault is unsealed, as you see with the green indicator here. Then you just have to provide the token, which is the root token, for the initial login. Both the unseal keys and the root token you should be safeguarding and saving somewhere safe. It's the same as the key to the vault in your house. The one advantage when you deploy it on a VM, especially using a VM, is that you can do the unseal key management via the cloud KMS, for example AWS KMS or Google's keys. If you do that, whenever you restart Vault it will automatically unseal. Otherwise, if you're not doing that, then when you restart Vault you have to unseal the Vault again.
Because what Vault thinks is that if you're restarting the machine, Vault kind of identifies it as an attack, and you have to give the keys again. It's similar to when you restart your phone and it asks for your password. So this is how the Vault front end looks. You have the secrets here; I'll do one small thing before we progress. That's more or less it; then we have the access settings here, and the policies. Once we do the deployment using Bevel, we'll come back and see how these entries are changing.

Okay, any questions so far? Otherwise, I'll just show a little on how to enable a new engine. By default we're using secrets for some of the things, so we can do it again. You have to enable a new engine for the v2 version and give it a different name, and this name will be used in the Bevel configuration file. We give the name as secretsv2. Just ensure that the version is v2; you can choose version one, but right now the project doesn't support version one, so don't do that. Choose version v2 and give a name, secretsv2. You can give it any other name as well, as long as you remember it, because we'll need it when you do the configuration for the network. Then you click on Enable Engine, and that's all. You'll then see a new engine called secretsv2. It says it's a v2 engine, and it is of type kv, or key-value, that has been enabled on Vault, though it doesn't have anything inside it right now. Okay, and that's pretty much it for this session.

If there are any questions: so, what is the recommended approach to store secrets for Bevel in production, for the back end or engine?
The recommended approach to store secrets, as I said a minute ago, is to set up Vault on a separate VM, which should be in the same VPC as your Kubernetes cluster but on a different VM. It should have an internal IP so that it is not accessible from outside, and it should only be accessible from a pod or a machine which is inside the same VPC. And of course you need access to it from your Ansible controller, from where you will run the Bevel commands, as well as from the Kubernetes cluster. Engine-wise, there is no secret: we use kv. So there is no other recommendation; the only approach you can use is kv, the v2 version of kv, which I just created.

Okay. The other question from James was: can you type the key to unseal? I'm not sure what you mean; if you mean whether you can run the commands from here as well, then yes. I'll just check if I have vault. Yes, I do have vault. For that you will need the Vault client, similar to Helm, and then you export the Vault address, which is the same as this one, without the /ui and all that. Then if you do vault status, for me it shows that Initialized is true and Sealed is false. That means it is unsealed and initialized, so you can access it. You mean via the UI? No, I can't show it via the UI, because that's a one-time thing; if you reach that UI page, you should have the concept of giving the number of key shares and so on, and I used one and one. It wants a hex key, not a six-digit key. The key that you downloaded, in the JSON file you downloaded, the base64 one, is the one you should pass. If you had one key share and a threshold of one, you should have only one key in there.
What it is asking for is the value called keys_base64; you pass that, and then it will unseal, and then you pass the root token to enter. You should have downloaded the keys when they were generated. If you have misplaced them, there's no way to get them back. What you can do is uninstall, not everything, just uninstall Vault and reinstall it. It is not asking for keys for GCP; it is asking for the key that was generated when you pressed Enter. You should be able to see in the video again, if you're stuck here, how to get there. You have Vault installed on Kubernetes, but when you enter, you have to download the keys after you initialize, right here. Have you initialized the Vault? And is the UI showing this, James, or is it showing something else? If it is on the unseal page, you should have entered one and one in those two boxes for the key shares and threshold and pressed Enter (I forget the exact name of the button), and then it would have generated a token and an unseal key, and there was an option to download those keys, or at least copy them. If you have not done that, it's fine; you can just uninstall with the uninstall commands I have given and reinstall, and then you can do that. Most likely you have not downloaded the keys. You cannot go back; you can uninstall and reinstall to download them, because then it will generate a new set of keys. Yes, with Helm: the helm uninstall and install commands that I gave a few minutes ago.

Okay, so again, the super important things for the next workshop are, of course: your address, the IP address or the Vault address, should be accessible from your computer, which I guess you will be using as the Ansible controller.
If you are going to use WSL or any other machine, make sure that you can access this Vault IP with this exact same address from that machine as well, whether WSL or a Docker container, whatever you're using. You will need the root token for the next session, because that's what you pass, and you will need the name of this KV that you created. If you are using secretsv2, it's fine, but if you have given a different name, you will need that name. And of course you will need the Kubernetes config file, the kubectl config file, which by now you already have, because you're connecting to Kubernetes using kubectl from your machine right now. Again, just ensure that the kubectl commands work from your Ansible controller, which can be your WSL machine or a different Ubuntu machine and so on. So install vault, though it does get installed by the Ansible command as well, but just make sure you have kubectl, vault and Helm 3 in the path there.

I am not sure what the significant differences are for Vault Enterprise. Most likely it is licensed, and you will have support from HashiCorp for that. But we have not used any additional features from Vault Enterprise, because we have kept everything open source. In a production environment, most likely you will use Vault Enterprise, because if there is any problem in Vault itself you don't want to be debugging it. We have deployed Vault using Consul as the back end for some clients, but I have not used Vault Enterprise for anyone. Yeah, I think that's exactly what Michael has said: you will have HA and so on; those are features of Enterprise as well. You can do high availability with other kinds of storage as well, but I think on Kubernetes it uses file storage by default. The next meeting details have been shared multiple times in this chat; I'll share them again.
For some reason I'm not able to copy, but it is again next Thursday, basically in two days' time. It's a longer workshop, but we'll be working using Bevel commands; that's when we'll start using Bevel. These were mainly just two prelude sessions. So, as I said, ensure that your Kubernetes cluster is up and running and Vault is accessible for the next session. Which blockchain will be deployed will depend on what people are comfortable with. We have seen we can do Fabric as well; I think we will be doing Fabric. Besides the two sessions, any other prerequisites for Thursday? Let me see my slide deck. The main prerequisites for Thursday are your Kubernetes cluster and your HashiCorp Vault; you don't have to attend the sessions, but you can see the recordings. You need the Kubernetes cluster, you need HashiCorp Vault deployed and accessible from the Kubernetes cluster, and you will need a machine where you can run Docker, so you should be able to run Docker commands. If it is WSL, that's all fine; you'll have to figure out the networking yourself, but you will need a machine where you can run Docker commands. No, there's no version requirement for Docker. Our Fabric version: we will be deploying 2.2.2, because that's what is supported. Recordings will be available on the Hyperledger YouTube channel, so you should be able to see them. No, we are not going to deploy the supply chain application, because I know many people are using a very small Kubernetes cluster, and the whole supply chain application will not be able to run on it, and most people will not be using DNS names to access the front end and the APIs. So we'll only be deploying Fabric; we'll see if the chaincode gets deployed or not, but we'll deploy the Fabric peers with the peer CLI, so that you can access the peers and deploy the chaincode manually as well, if you need to.
No, a domain name is not required for the next session, because we'll be using the internal Kubernetes one, and that's why we are not going to deploy the supply chain application. Okay, so that's all from my side. Thanks, everyone, thanks for joining, and we'll see you on Thursday at 4 p.m.
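The steps walked through in the session (namespace, Helm repo, chart install pinned to the version that ships Vault 1.7.3, the override values that expose the UI as a LoadBalancer, init/unseal, and enabling a kv v2 engine) as one script. This is an added example, not code from the workshop or from the Hyperledger Bevel project. It assumes kubectl, helm 3, the vault CLI and jq are on the path, that KUBECONFIG points at the cluster, that chart 0.13.0 deploys Vault 1.7.3 as stated in the session, that the chart's ui.loadBalancerSourceRanges key is the right place for the source-IP restriction the guide mentions (an assumption), and that the kv path is secretsv2 (the name you choose must match the Bevel configuration). Nothing touches the cluster unless RUN_VAULT_DEPLOY=1 is set, so the pure helpers can be exercised without a cluster.

```shell
#!/bin/sh
# Added example (not the workshop's or Bevel's own code). Deploys Vault on the
# current Kubernetes cluster the way the session did, then initializes it.
# Assumes: kubectl, helm 3, vault CLI, jq installed; KUBECONFIG set;
# chart 0.13.0 == Vault 1.7.3 (per the session). Runs only with RUN_VAULT_DEPLOY=1.
set -eu

NAMESPACE="${VAULT_NAMESPACE:-vault}"
RELEASE="${VAULT_RELEASE:-vault}"
CHART_VERSION="${VAULT_CHART_VERSION:-0.13.0}"   # deploys Vault 1.7.3
UI_PORT="${VAULT_UI_PORT:-8200}"
KV_PATH="${VAULT_KV_PATH:-secretsv2}"            # assumed name; must match the Bevel config
OVERRIDE_FILE="${OVERRIDE_FILE:-override-values.yaml}"

# Shamir parameters must make sense: both numeric, 1 <= threshold <= shares.
# The session used 1/1 for dev and recommended something like 5/3 elsewhere.
check_key_shares() {
  local shares="$1" threshold="$2"
  case "${shares}${threshold}" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$shares" -ge 1 ] && [ "$threshold" -ge 1 ] && [ "$threshold" -le "$shares" ]; then
    return 0
  fi
  return 1
}

# Override values from the session: enable the UI as a LoadBalancer (no NodePort)
# on UI_PORT. Extra arguments are CIDRs allowed to reach the load balancer;
# the chart key name for that restriction is an assumption here.
write_override_values() {
  local out="$1"; shift
  {
    echo "ui:"
    echo "  enabled: true"
    echo "  serviceType: \"LoadBalancer\""
    echo "  serviceNodePort: null"
    echo "  externalPort: ${UI_PORT}"
    if [ "$#" -gt 0 ]; then
      echo "  loadBalancerSourceRanges:"
      for cidr in "$@"; do echo "    - ${cidr}"; done
    fi
  } > "$out"
}

# Namespace, repo, pinned chart version, override file. upgrade --install makes
# the re-run after editing the override file a single command.
deploy_vault() {
  kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
  helm repo add hashicorp https://helm.releases.hashicorp.com
  helm repo update
  helm upgrade --install "$RELEASE" hashicorp/vault \
    --namespace "$NAMESPACE" --version "$CHART_VERSION" -f "$OVERRIDE_FILE"
}

# Poll until the <release>-ui service has its external IP, then print the address.
wait_for_ui_ip() {
  local ip=""
  for _ in $(seq 1 60); do
    ip="$(kubectl -n "$NAMESPACE" get svc "${RELEASE}-ui" \
          -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null || true)"
    [ -n "$ip" ] && break
    sleep 5
  done
  [ -n "$ip" ] || { echo "external IP still pending" >&2; return 1; }
  echo "http://${ip}:${UI_PORT}"
}

# Initialize, unseal with <threshold> keys, enable kv v2 at KV_PATH using the
# root token. The CLI's JSON uses unseal_keys_b64 / root_token (the UI download
# calls the keys keys_base64). The init file is the key to your house: guard it.
init_unseal_enable_kv() {
  local shares="$1" threshold="$2" init_file="$3" i
  check_key_shares "$shares" "$threshold" || { echo "bad shares/threshold" >&2; return 1; }
  vault operator init -key-shares="$shares" -key-threshold="$threshold" -format=json > "$init_file"
  chmod 600 "$init_file"
  for i in $(seq 0 $((threshold - 1))); do
    vault operator unseal "$(jq -r ".unseal_keys_b64[$i]" "$init_file")" > /dev/null
  done
  # Fail loudly unless status reports initialized and unsealed.
  vault status -format=json | jq -e '.initialized == true and .sealed == false' > /dev/null
  VAULT_TOKEN="$(jq -r '.root_token' "$init_file")" \
    vault secrets enable -path="$KV_PATH" -version=2 kv
}

main() {
  write_override_values "$OVERRIDE_FILE" "$@"   # optional allowed CIDRs
  deploy_vault
  VAULT_ADDR="$(wait_for_ui_ip)"; export VAULT_ADDR
  echo "Vault UI: $VAULT_ADDR"
  init_unseal_enable_kv "${KEY_SHARES:-1}" "${KEY_THRESHOLD:-1}" vault-init.json
}

if [ "${RUN_VAULT_DEPLOY:-0}" = "1" ]; then
  main "$@"
fi
```

Run it as RUN_VAULT_DEPLOY=1 KEY_SHARES=5 KEY_THRESHOLD=3 sh deploy-vault.sh 203.0.113.0/24 to expose the UI only to that range; without the variable the script defines its functions and exits, which is how the two pure helpers can be tested on a laptop with no cluster. The export of VAULT_ADDR mirrors what the session did before running vault status, and the guard on the init file's mode is the least you should do with the unseal keys and root token before moving them somewhere safer.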