Add deployment steps for self-provisioned K8s via AWS and ECR

sample-network/README.md

@@ -40,6 +40,7 @@ For additional cluster options, see the detailed guidelines for:
 - [fabric-devenv](#vagrant-fabric-devenv): vagrant VM
 - [IKS](#iks)
 - [EKS](#eks)
+- [self-provisioned Kubernetes on AWS + ECR](#self-provisioned-kubernetes-on-aws--ecr)
 - [OCP](#ocp)
 
 
@@ -299,6 +300,44 @@ export TEST_NETWORK_INGRESS_DOMAIN=$(echo $INGRESS_IPADDR | tr -s '.' '-').nip.i
 For additional guidelines on configuring ingress and DNS, see [Considerations for Kubernetes Distributions](https://cloud.ibm.com/docs/blockchain-sw-252?topic=blockchain-sw-252-deploy-k8#console-deploy-k8-considerations).
 
 
+### Self-provisioned Kubernetes on AWS + ECR
+
+- This will push the chaincode images to AWS ECR (private authenticated container registry).
+- It will use AWS CLI for ECR related operations like login and push.
+- The same image will then be pulled from ECR by the chaincode deployed in `test-network` k8s namespace.
+
+**Prerequisites**:
+- All steps in [#EKS](#eks).
+- Make sure the AWS profile is configured with the correct AWS region and credentials for [aws-cli](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html).
+  - You could use `AmazonEC2ContainerRegistryFullAccess` for relaxed access, but this is not recommended.
+  - Refer to [ECR related AWS managed policies](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam-awsmanpol.html) for more information.
+- ECR repo as exported below under env var `TEST_NETWORK_AWS_ECR_REPO` exists in the correct region.
+
+And for ECR based container registry, export:
+
+```sh
+export TEST_NETWORK_CHAINCODE_REGISTRY="ecr"
+export TEST_NETWORK_AWS_PROFILE="default"
+export TEST_NETWORK_AWS_ACCOUNT="999999999999"
+export TEST_NETWORK_AWS_ECR_REPO="chaincodes"
+```
+
+For using this ECR registry with Kubernetes, create a secret in `test-network` namespace within your cluster:
+
+```sh
+export AWS_REGION=$(aws configure get region --profile ${TEST_NETWORK_AWS_PROFILE})
+
+kubectl create secret docker-registry regcred \
+  --docker-server="${TEST_NETWORK_AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com" \
+  --docker-username=AWS \
+  --docker-password="$(aws ecr get-login-password --region ${AWS_REGION})" \
+  --namespace=test-network
+```
+
+- Go ahead with the chaincode deployment now.
+- Test it out and make sure your cluster can pull images from the registry.
+  - If not, try mounting the secret as a volume in your deployments manually.
+
 ## Vagrant: fabric-devenv 
 
 The [fabric-devenv](https://github.com/hyperledgendary/fabric-devenv) project will create a local development Virtual

sample-network/network

@@ -90,6 +90,11 @@ context CONSOLE_IMAGE_LABEL       latest
 context DEPLOYER_IMAGE            ghcr.io/ibm-blockchain/fabric-deployer
 context DEPLOYER_IMAGE_LABEL      latest-amd64
 
+context AWS_PROFILE               default
+context AWS_ACCOUNT               999999999999
+context AWS_ECR_REPO              chaincodes
+context CHAINCODE_REGISTRY        default
+
 export FABRIC_OPERATOR_IMAGE=${OPERATOR_IMAGE}:${OPERATOR_IMAGE_LABEL}
 export FABRIC_CONSOLE_IMAGE=${CONSOLE_IMAGE}:${CONSOLE_IMAGE_LABEL}
 export FABRIC_DEPLOYER_IMAGE=${DEPLOYER_IMAGE}:${DEPLOYER_IMAGE_LABEL}
@@ -141,6 +146,7 @@ function print_help() {
 . scripts/test_network.sh
 . scripts/channel.sh
 . scripts/chaincode.sh
+. scripts/aws_ecr.sh
 
 # check for kind, kubectl, etc.
 check_prereqs

sample-network/scripts/aws_ecr.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+aws_env() {
+  push_fn "Check AWS CLI access for ${ECR_RESOURCE}"
+
+  AWS_ACCESS_KEY_ID=$(aws configure get aws_access_key_id --profile ${AWS_PROFILE})
+  AWS_SECRET_ACCESS_KEY=$(aws configure get aws_secret_access_key --profile ${AWS_PROFILE})
+
+  ECR_USER=AWS
+  ECR_REGION=$(aws configure get region --profile ${AWS_PROFILE})
+
+  export ECR_RESOURCE=${AWS_ACCOUNT}.dkr.ecr.${ECR_REGION}.amazonaws.com
+
+  pop_fn
+}
+
+ecr_login() {
+  # exported variables used:
+  #   AWS_PROFILE
+  #   AWS_ACCOUNT
+
+  aws_env
+
+  push_fn "Login to AWS ECR ${ECR_RESOURCE}"
+
+  aws ecr get-login-password --region ${ECR_REGION} | \
+    $CONTAINER_CLI login --username ${ECR_USER} --password-stdin ${ECR_RESOURCE}
+
+  pop_fn
+}

sample-network/scripts/chaincode.sh

@@ -17,6 +17,34 @@
 # limitations under the License.
 #
 
+function set_ecr_image_tag() {
+  # converts local "/" separated image name to an appropriate ECR tag used in AWS_ECR_REPO
+  # Example: fabric-samples/asset-transfer-basic/chaincode-java:latest -> asset-transfer-basic_java_latest
+
+  local cc_local_image=$1
+  ECR_IMAGE_TAG=$(python -c 'import sys; p=sys.argv[1]; p=p.split("/")[-3:]; cc=p[1]; lang=p[-1].split("-")[-1]; tag="latest"; print(f"{cc}_{lang}_{tag}")' ${cc_local_image})
+}
+
+function ecr_load_image() {
+  local cc_local_image=$1
+
+  ecr_login      ${AWS_PROFILE} ${AWS_ACCOUNT}
+
+  local aws_ecr="${ECR_RESOURCE}/${AWS_ECR_REPO}"
+
+  set_ecr_image_tag ${cc_local_image}
+
+  CHAINCODE_IMAGE="${aws_ecr}:${ECR_IMAGE_TAG}"
+
+  push_fn "Tag chaincode image for ECR"
+  $CONTAINER_CLI tag ${cc_local_image} ${CHAINCODE_IMAGE}
+  pop_fn
+
+  push_fn "Load chaincode image into ECR"
+  $CONTAINER_CLI push "${CHAINCODE_IMAGE}"
+  pop_fn
+}
+
 # Convenience routine to "do everything" required to bring up a sample CC.
 function deploy_chaincode() {
   local cc_name=$1
@@ -33,8 +61,11 @@ function deploy_chaincode() {
 
   build_chaincode_image   ${cc_folder} ${CHAINCODE_IMAGE}
 
+  # push to container registry
   if [ "${CLUSTER_RUNTIME}" == "kind" ]; then
     kind_load_image       ${CHAINCODE_IMAGE}
+  elif [ "${CLUSTER_RUNTIME}" == "k3s" ] && [ "${CHAINCODE_REGISTRY}" == "ecr" ]; then
+    ecr_load_image        ${CHAINCODE_IMAGE}
   fi
 
   launch_chaincode        ${cc_name} ${CHAINCODE_ID} ${CHAINCODE_IMAGE}