Deploy Oracle Blockchain Platform Enterprise Edition on Oracle Kubernetes Engine

Before deploying Oracle Blockchain Platform Enterprise Edition, you must have a Kubernetes cluster running and installed several prerequisites.

For detailed information about Oracle Kubernetes Engine, see Oracle Cloud Infrastructure Container Engine for Kubernetes

Create an Oracle Kubernetes Engine Cluster on OCI

Recommended minimum specifications for your Oracle Kubernetes Engine Cluster:

	Development	Production with High Availability
Minimum Version	v1.29.1	v1.29.1
Node type	Managed	Managed
Node Image	Oracle Linux 8	Oracle Linux 8
Node CPU	2 OCPUs or higher	4 OCPUs or higher
Node Memory	24 GB or higher	32 GB or higher
Node Count	1 or higher	3 or higher
Boot volume size	100GB or higher. The default boot volume of 50GB may not be sufficient to hold Oracle Blockchain Platform Enterprise Edition container images and temporary data for chaincode pods because of limited ephemeral storage.	100GB or higher. The default boot volume of 50GB may not be sufficient to hold Oracle Blockchain Platform Enterprise Edition container images and temporary data for chaincode pods because of limited ephemeral storage.

We recommended using Private workers for Kubernetes worker nodes for added security
Ensure the worker nodes have access to the internet, which is required for installation of chaincodes on your Oracle Blockchain Platform instances.

This section will walk through the creation of an example Oracle Kubernetes Engine on OCI. For additional options and details, see Creating Kubernetes Clusters Using Console Workflows

Log in to your OCI tenancy, selecting your region and compartment.
Open the navigation menu and click Developer Services. Under Containers & Artifacts, click Kubernetes Clusters (OKE).
On the Cluster List page, click Create cluster.
In the Create cluster dialog, select Quick create and click Submit.
On the Create cluster page, either just accept the default configuration details for the new cluster, or specify alternatives as follows:
- Name: The name of the new cluster. Either accept the default name or enter a name of your choice.
- Compartment: The compartment in which to create the new cluster and the associated network resources.
- Kubernetes version: The version of Kubernetes to run on the control plane nodes and worker nodes of the cluster. v1.29.1 was tested with Oracle Blockchain Platform Enterprise Edition.
- Kubernetes API endpoint: The type of access to the cluster's Kubernetes API endpoint. Select Public (accessible directly from internet). A public regional subnet is created and the Kubernetes API endpoint is hosted in that subnet. The Kubernetes API endpoint is assigned a public IP address as well as a private IP address.
- Node type: Specify the type of worker nodes in the first node pool in the cluster. Select Managed. You have responsibility for managing the worker nodes in the node pool. Managed nodes run on compute instances (either bare metal or virtual machine) in your tenancy. As you are responsible for managing managed nodes, you have the flexibility to configure them to meet your specific requirements. You are responsible for upgrading Kubernetes on managed nodes, and for managing cluster capacity.
- Kubernetes worker nodes: The type of access to the cluster's worker nodes. Select Private (accessible through other VCN subnets). A private regional subnet is created to host worker nodes. The worker nodes are assigned a private IP address.
- Node shape: The shape to use for each node in the node pool. The shape determines the number of CPUs and the amount of memory allocated to each node. The list shows only those shapes available in your tenancy that are supported by Container Engine for Kubernetes. Oracle Blockchain Platform Enterprise Edition was tested with VM.Standard.E3.Flex and VM.Standard.E4.Flex shapes.
- Image: The image to use on worker nodes in the managed node pool. An image is a template of a virtual hard drive that determines the operating system and other software for the managed node pool. Oracle Blockchain Platform Enterprise Edition was tested with Oracle Linux 8.
- Node count: The number of worker nodes to create in the node pool, placed in the regional subnet created for the cluster. Select 3 or more.
Select the following Advanced Options:
- Boot volume: Configure the size and encryption options for the worker node's boot volume. The default boot volume of 50GB may not be sufficient to hold Oracle Blockchain Platform Enterprise Edition images and temporary data for chaincode pods because of limited ephemeral storage. If you're planning to deploy several chaincodes (more than 5), we suggest increasing the boot volume to approximately 100 GB.
Review the options you've selected, and click Create Cluster.
Ensure your worker nodes and node pools are running:
- Under Resources, select Nodes. For each worker node, ensure the node is ready, active, and matches the Kubernetes cluster version.
- Under Resources, select Node pools. For your node pool, ensure the pool is active and matches the Kubernetes cluster version.

Install the OCI Command Line Interface

This section provides an example walkthrough of installing the OCI Command Line Interface. Oracle Blockchain Platform Enterprise Edition was tested with v3.42.0. For additional information, refer to OCI Command Line Interface.

Oracle Linux
macOS

# Install:
    sudo dnf -y install oraclelinux-developer-release-el8
    sudo dnf -y install python36-oci-cli
 
# Verify:
    $ oci --version
    3.42.0

# Install:

    brew update && brew install oci-cli

## If this fails with "Error: python@3.12: the bottle needs the Apple Command Line Tools to be installed.", run below command:

    xcode-select --install

# Verify:
   oci --version
   3.43.1

Create Install Initiator System

Set up local access for the cluster

See the following for additional information: Setting Up Local Access to Clusters.

Copy your RSA key to the Oracle Linux or macOS machine on which you installed the prerequisites. Your keys can be found in the OCI console: Identity, and then Domains, and then OracleIdentityCloudService domain, and then Users, and then User name, and then API keys. Secure the key: chmod 400 your_rsa.key
You can create a new key if needed. See How to Generate an API Signing Key
In the OCI console, go to your cluster and open the Cluster Details page.
Select Access Cluster, and then Local Access.
1. Create a directory to contain the kubeconfig file: mkdir -p $HOME/.kube
2. Copy the To access the kubeconfig for your cluster via the VCN-Native public endpoint command.
3. Run the command on your Linux or macOS machine. Because the config file doesn't exist yet, you'll be prompted for the following:
  - Do you want to create a new config file? [Y/n]: y
  - Do you want to create your config file by logging in through a browser? [Y/n]: n
  - Enter a location for your config [/home/opc/.oci/config]: select a location
  - Enter a user OCID: can be found in the OCI console
  - Enter a tenancy OCID: can be found in the OCI console
  - Enter a region by index or name: Enter the number corresponding to your Tenancy's Region, for example 12
  - Do you want to generate a new API Signing RSA key pair? If you decline you will be asked to supply the path to an existing key. [Y/n]: n
  - Enter the location of your API Signing private key file: location of RSA key file created above
  This creates a config file that gives the Kubernetes control plane VM access to the cluster hosted on OCI.
4. When the OCI config file is created, you must re-run the copied To access the kubeconfig for your cluster via the VCN-Native public endpoint command. It will used the config file you just created.
Verify that you can reach the Oracle Kubernetes Engine cluster: kubectl get nodes. if the setup is correct, the command will output all the worker nodes in your cluster.
Restrict access to the config file: chmod 600 $HOME/.kube/config
Set your KUBECONFIG environment variable to the file for this cluster: export KUBECONFIG=$HOME/.kube/config

Note:

If your OCI config file has multiple profiles similar to:

[OCI_PROFILE_A]
fingerprint = .............
key_file = .............
tenancy = .............
region = .............
user = .............

[OCI_PROFILE_B] 
fingerprint = ............. 
key_file = .............
tenancy = .............
region = .............
user = .............

you'll need to customize the kubeconfig file or you'll get an authorization error when you try to install Oracle Blockchain Platform Enterprise Edition. In the users section of the kubeconfig file, add a line to specify which user to use within your OCI config file. For example

users:
- name: user-c3xxxxxq
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - ce
      - cluster
      - generate-token
      - --cluster-id
      - ocid1.cluster.oc1.eu-frankfurt-1.aaaaaaxxxxxxxxxyyyyyy
      - --region
      - eu-frankfurt-1
      - --profile
      - <OCI_PROFILE_NAME>
      command: oci
      env: []
      interactiveMode: IfAvailable
      provideClusterInfo: false

where <OCI_PROFILE_NAME> would be OCI_PROFILE_A

Complete the Istio Install

Oracle Blockchain Platform Enterprise Edition supports version 1.20.2 and later. You must have completed the steps in Install Istio before completing the following.


# Install
    istioctl install --set profile=default --set values.pilot.env.ENABLE_TLS_ON_SIDECAR_INGRESS=true --set components.cni.enabled=true --set values.cni.repair.deletePods="true"
    ## Enter "y" when prompted for "Proceed? (y/N)"
 
# Verify:
    $ istioctl version
    client version: 1.22.1
    control plane version: 1.22.1
    data plane version: 1.22.1 (1 proxies)

Set Up an Auth Token for Your User

Create an Auth Token for your administrative user so that you can pull images from the OCI Registry: Generating an Auth Token to Enable Login to Oracle Cloud Infrastructure Registry.

Install Oracle Blockchain Platform Enterprise Edition

On the Oracle Blockchain Platform Enterprise Edition page, click Download and follow the steps to download the Oracle Blockchain Platform Enterprise Edition package. Unzip the package, and then extract the package from the downloaded archive file.
```
tar -xzf <distribution-package-file>
# example tar -xzf obpee_package_24.1.3-20240723083137.tgz
```
Update runme-input.yaml with the required values. This is an example runme-input.yaml which can be used as reference:
```
imageRegistryConfiguration:
  registry: <container_registry_name>
  imageTagPrefix: <container-image-repository-prefix>
  username: <container-registry-username>
 
imageReleaseVersion: 24.1.3-20240723083137
 
# storageClassName should be set to create a dynamic persistent volume. If empty, default storageClass is used.
 
controlPlaneStorage:
  storageClassName: 
  # Example 500Mi, 5Gi
  size: 4Gi
  
parentDomainName: example.com
#imagePullTimeout: Use this field to customize the wait time (in seconds) for pulling the required container images from the repository. Default is 1800 seconds.
    imagePullTimeout: 1800
```
where:
- imageRegistryConfiguration.registry: Container registry server to use. Example: iad.ocir.io
- imageRegistryConfiguration.imageTagPrefix: Container base repository path with the registry, where the images shall be pushed (pulled) to (from). Example: iad.ocir.io/obpee/bcs
- imageRegistryConfiguration.username: Container registry login username
- imageReleaseVersion - Oracle Blockchain Platform Enterprise Edition release version
- controlPlaneStorage.storageClassName: Kubernetes storage-class to use for PVC (PersistentVolumeClaim). If empty, default storageClass is used
- controlPlaneStorage.size: PVC size for Blockchain Platform Manager (control plane) services
- parentDomainName: Domain name to use for Blockchain Platform Manager services. Example: example.com
- imagePullTimeout: Image pull wait timeout in seconds during Oracle Blockchain Platform Enterprise Edition installation. Default is 1800 seconds.
Run runme_oke.sh [--publish-images], following the prompts.

Note:
The optional --publish-images command uploads the containers to a container image registry such as Oracle Cloud Infrastructure Registry using the details specified in runme-input.yaml.
- Enter the default LDAP admin password (the password will not be displayed): this is used to set the admin user's password for the built-in LDAP authentication server.
- Enter the default control plane admin user password (the password will not be displayed): this is used to set the Blockchain Platform Manager admin user's password.
- If StorageClass wasn't provided in runme-input.yaml, the system will check if the default storage class is set and ask if you want to use it.
- Confirm the Istio ingress gateway service type: LoadBalancer is default, NodePort is also supported. Note that accessing NodePorts requires that the Kubernetes cluster is created with public worker nodes. See Install Istio.
- Confirm the Istio ingress gateway service https port: the default is 443 for the LoadBalancer service type.
- Enter registry <registry name> password: This is used to connect to your container image registry (as specified in runme-input.yaml) for downloading images.
As part of the output of the script, it will list the Istio-ingressgateway URL. Record the IP address listed.
The install script will continue to install the following services under the obp-cp namespace:
- control-plane
- openldap
- obp-auth-server
- obp-operator
- hlf-operator

Access Blockchain Platform Manager

After installation, configure the hostname resolution for the Blockchain Platform Manager hostnames generated.

Execute this command to get the list of configured hostnames:

kubectl get virtualservice -n obp-cp -o json | jq -r .items[].spec.hosts[0]

Based on the chosen service type for istio-ingressgateway, these generated hostnames are required to be resolved to an IPv4 address according to the following:
- LoadBalancer: resolve to the external IP address generated for the istio-ingressgateway service
- NodePort: resolve to the worker nodes' IP addresses