Deploy Oracle Blockchain Platform Enterprise Edition on Oracle Kubernetes Engine

Before deploying Oracle Blockchain Platform Enterprise Edition, you must have a Kubernetes cluster running and you must install several prerequisites.

For detailed information about Oracle Kubernetes Engine, see Oracle Cloud Infrastructure Container Engine for Kubernetes

Create an Oracle Kubernetes Engine Cluster on OCI

Recommended minimum specifications for your Oracle Kubernetes Engine Cluster:

	Development	Production with High Availability
Minimum Version	v1.29.1	v1.29.1
Node Type	Managed	Managed
Node Image	Oracle Linux 8	Oracle Linux 8
Node CPU	2 OCPUs or higher	4 OCPUs or higher
Node Memory	24 GB or higher	32 GB or higher
Node Count	1 or higher	3 or higher
Boot volume size	100 GB or higher. The default boot volume of 50 GB may not be sufficient to hold Oracle Blockchain Platform Enterprise Edition container images and temporary data for chaincode pods because of limited ephemeral storage.	100 GB or higher. The default boot volume of 50 GB may not be sufficient to hold Oracle Blockchain Platform Enterprise Edition container images and temporary data for chaincode pods because of limited ephemeral storage.

For added security, select Private workers for the Kubernetes worker nodes.
Ensure that the worker nodes have access to the internet, which is required to install chaincodes on your Oracle Blockchain Platform instances.

This section walks through creating an example Oracle Kubernetes Engine on OCI. For additional options and details, see Creating Kubernetes Clusters Using Console Workflows

Log in to your OCI tenancy, selecting your region and compartment.
Open the navigation menu and click Developer Services. Under Containers & Artifacts, click Kubernetes Clusters (OKE).
On the Cluster List page, click Create cluster.
In the Create cluster dialog, select Quick create and click Submit.
On the Create cluster page, either accept the default configuration details for the new cluster, or specify alternatives as follows:
- Name: The name of the new cluster. Either accept the default name or enter a name of your choice.
- Compartment: The compartment in which to create the new cluster and the associated network resources.
- Kubernetes version: The version of Kubernetes to run on the control plane nodes and worker nodes of the cluster. v1.29.1 was tested with Oracle Blockchain Platform Enterprise Edition.
- Kubernetes API endpoint: The type of access to the cluster's Kubernetes API endpoint. Select Public (accessible directly from internet). A public regional subnet is created and the Kubernetes API endpoint is hosted in that subnet. The Kubernetes API endpoint is assigned a public IP address as well as a private IP address.
- Node type: Specify the type of worker nodes in the first node pool in the cluster. Select Managed. You have responsibility for managing the worker nodes in the node pool. Managed nodes run on compute instances (either bare metal or virtual machine) in your tenancy. As you are responsible for managing managed nodes, you have the flexibility to configure them to meet your specific requirements. You are responsible for upgrading Kubernetes on managed nodes, and for managing cluster capacity.
- Kubernetes worker nodes: The type of access to the cluster's worker nodes. Select Private (accessible through other VCN subnets). A private regional subnet is created to host worker nodes. The worker nodes are assigned a private IP address.
- Node shape: The shape to use for each node in the node pool. The shape determines the number of CPUs and the amount of memory allocated to each node. The list shows only those shapes available in your tenancy that are supported by Container Engine for Kubernetes. Oracle Blockchain Platform Enterprise Edition was tested with VM.Standard.E3.Flex and VM.Standard.E4.Flex shapes.
- Image: The image to use on worker nodes in the managed node pool. An image is a template of a virtual hard drive that determines the operating system and other software for the managed node pool. Oracle Blockchain Platform Enterprise Edition was tested with Oracle Linux 8.
- Node count: The number of worker nodes to create in the node pool, placed in the regional subnet created for the cluster. Select three or more.
Select the following Advanced Options:
- Boot volume: Configure the size and encryption options for the worker node's boot volume. The default boot volume of 50 GB may not be sufficient to hold Oracle Blockchain Platform Enterprise Edition images and temporary data for chaincode pods because of limited ephemeral storage. If you plan to deploy several chaincodes (more than five), increase the boot volume to approximately 100 GB.
Review the options you've selected, and click Create Cluster.
Ensure that your worker nodes and node pools are running:
- Under Resources, select Nodes. For each worker node, ensure that the node is ready, active, and matches the Kubernetes cluster version.
- Under Resources, select Node pools. For your node pool, ensure that the pool is active and matches the Kubernetes cluster version.

Install the OCI Command Line Interface

This section provides an example walkthrough of installing the OCI Command Line Interface. Oracle Blockchain Platform Enterprise Edition was tested with v3.42.0. For additional information, refer to OCI Command Line Interface.

Oracle Linux
macOS

# Install:
    sudo dnf -y install oraclelinux-developer-release-el8
    sudo dnf -y install python36-oci-cli
 
# Verify:
    $ oci --version
    3.42.0

# Install:

    brew update && brew install oci-cli

## If this fails with "Error: python@3.12: the bottle needs the Apple Command Line Tools to be installed.", run below command:

    xcode-select --install

# Verify:
   oci --version
   3.43.1

Create Install Initiator System

Set up local access for the cluster

See the following for additional information: Setting Up Local Access to Clusters.

Copy your RSA key to the Oracle Linux or macOS system on which you installed the prerequisites. Your keys can be found in the OCI console: Identity, and then Domains, and then OracleIdentityCloudService domain, and then Users, and then User name, and then API keys. Secure the key: chmod 400 your_rsa.key
You can create a key if needed. See How to Generate an API Signing Key
In the OCI console, go to your cluster and open the Cluster Details page.
Select Access Cluster, and then Local Access.
1. Create a directory to contain the kubeconfig file: mkdir -p $HOME/.kube
2. Copy the To access the kubeconfig for your cluster via the VCN-Native public endpoint command.
3. Run the command on your Linux or macOS system. Because the config file doesn't exist yet, you'll be prompted for the following:
  - Do you want to create a new config file? [Y/n]: y
  - Do you want to create your config file by logging in through a browser? [Y/n]: n
  - Enter a location for your config [/home/opc/.oci/config]: select a location
  - Enter a user OCID: can be found in the OCI console
  - Enter a tenancy OCID: can be found in the OCI console
  - Enter a region by index or name: Enter the number corresponding to your Tenancy's Region, for example 12
  - Do you want to generate a new API Signing RSA key pair? If you decline you will be asked to supply the path to an existing key. [Y/n]: n
  - Enter the location of your API Signing private key file: location of RSA key file created above
  This creates a config file that gives the Kubernetes control plane VM access to the cluster hosted on OCI.
4. When the OCI config file is created, you must re-run the copied To access the kubeconfig for your cluster via the VCN-Native public endpoint command. It will used the config file that you just created.
Verify that you can reach the Oracle Kubernetes Engine cluster: kubectl get nodes. If the setup is correct, the command will show all the worker nodes in your cluster.
Restrict access to the config file: chmod 600 $HOME/.kube/config
Set your KUBECONFIG environment variable to the file for this cluster: export KUBECONFIG=$HOME/.kube/config

Note:

Check whether your OCI config file has multiple profiles similar to the following text:

[OCI_PROFILE_A]
fingerprint = .............
key_file = .............
tenancy = .............
region = .............
user = .............

[OCI_PROFILE_B] 
fingerprint = ............. 
key_file = .............
tenancy = .............
region = .............
user = .............

If so, you'll need to customize the kubeconfig file or you'll get an authorization error when you try to install Oracle Blockchain Platform Enterprise Edition. In the users section of the kubeconfig file, add a line to specify which user to use in your OCI config file. For example

users:
- name: user-c3xxxxxq
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - ce
      - cluster
      - generate-token
      - --cluster-id
      - ocid1.cluster.oc1.eu-frankfurt-1.aaaaaaxxxxxxxxxyyyyyy
      - --region
      - eu-frankfurt-1
      - --profile
      - <OCI_PROFILE_NAME>
      command: oci
      env: []
      interactiveMode: IfAvailable
      provideClusterInfo: false

where <OCI_PROFILE_NAME> would be OCI_PROFILE_A

Complete the Istio Install

Oracle Blockchain Platform Enterprise Edition supports version 1.20.2 and later. You must have completed the steps in Install Istio before running the following commands.


# Install
    istioctl install --set profile=default --set values.pilot.env.ENABLE_TLS_ON_SIDECAR_INGRESS=true --set components.cni.enabled=true --set values.cni.repair.deletePods="true"
    ## Enter "y" when prompted for "Proceed? (y/N)"
 
# Verify:
    $ istioctl version
    client version: 1.22.1
    control plane version: 1.22.1
    data plane version: 1.22.1 (1 proxies)

Set Up an Auth Token for Your User

Create an Auth Token for your administrative user so that you can pull images from the OCI Registry: Generating an Auth Token to Enable Login to Oracle Cloud Infrastructure Registry.

Install Oracle Blockchain Platform Enterprise Edition

On the Oracle Blockchain Platform Enterprise Edition page, click Download and follow the steps to download the Oracle Blockchain Platform Enterprise Edition package. Extract the package from the .zip file, and then extract the package from the downloaded archive file.
```
tar -xzf <distribution-package-file>
# example tar -xzf obpee_package_24.1.3-20240723083137.tgz
```
Update the runme-input.yaml file with the required values. The following example runme-input.yaml file can be used as reference:
```
imageRegistryConfiguration:
  registry: <container_registry_name>
  imageTagPrefix: <container-image-repository-prefix>
  username: <container-registry-username>
 
imageReleaseVersion: 24.1.3-20240723083137
 
# storageClassName should be set to create a dynamic persistent volume. If empty, default storageClass is used.
 
controlPlaneStorage:
  storageClassName: 
  # Example 500Mi, 5Gi
  size: 4Gi
  
parentDomainName: example.com
#imagePullTimeout: Use this field to customize the wait time (in seconds) for pulling the required container images from the repository. Default is 1800 seconds.
    imagePullTimeout: 1800
```
In the previous example, the variables are defined as shown in the following list:
- imageRegistryConfiguration.registry: Container registry server to use. Example: iad.ocir.io
- imageRegistryConfiguration.imageTagPrefix: Container base repository path with the registry, where the images will be pushed to and pulled from. Example: iad.ocir.io/obpee/bcs
- imageRegistryConfiguration.username: Container registry login user name
- imageReleaseVersion - Oracle Blockchain Platform Enterprise Edition release version
- controlPlaneStorage.storageClassName: Kubernetes storage class to use for PVC (PersistentVolumeClaim). If empty, the default storageClass is used
- controlPlaneStorage.size: PVC size for Blockchain Platform Manager (control plane) services
- parentDomainName: Domain name to use for Blockchain Platform Manager services. Example: example.com
- imagePullTimeout: Image pull wait timeout in seconds during Oracle Blockchain Platform Enterprise Edition installation. Default is 1800 seconds.
Run the runme_oke.sh [--publish-images] script, following the prompts.

Note:
The optional --publish-images command uploads the containers to a container image registry such as Oracle Cloud Infrastructure Registry using the details specified in the runme-input.yaml file.
- Enter the default LDAP admin password (the password will not be displayed): sets the administrator's password for the built-in LDAP authentication server.
- Enter the default control plane admin user password (the password will not be displayed): sets the Blockchain Platform Manager administrator's password.
- If StorageClass wasn't provided in the runme-input.yaml file, the system checks if the default storage class is set and ask if you want to use it.
- Confirm the Istio ingress gateway service type: LoadBalancer is the default. NodePort is also supported. Note that accessing NodePorts requires that the Kubernetes cluster was created with public worker nodes. See Install Istio.
- Confirm the Istio ingress gateway service https port: the default is 443 for the LoadBalancer service type.
- Enter registry <registry name> password: this password is used to connect to your container image registry (as specified in the runme-input.yaml file) for downloading images.
The script lists the Istio-ingressgateway URL as part of the output. Record the IP address listed.
The script installs the following services under the obp-cp namespace:
- control-plane
- openldap
- obp-auth-server
- obp-operator
- hlf-operator

Access Blockchain Platform Manager

After installation, configure the host name resolution for the generated Blockchain Platform Manager host names.

Run the following command to get the list of configured host names:

kubectl get virtualservice -n obp-cp -o json | jq -r '.items[].spec.hosts[0]'

Based on the chosen service type for istio-ingressgateway, these generated host names must be resolved to an IPv4 address according to the following requirements:
- LoadBalancer: resolve to the external IP address generated for the istio-ingressgateway service
- NodePort: resolve to the worker nodes' IP addresses