Hyperledger Besu — Private & Permissioned Network over EKS Cluster

Ravinayag
4 min read · Aug 1, 2022

I'm happy to write this blog about my experience deploying a Hyperledger Besu private & permissioned network over EKS, a kind of production-grade setup.

Prerequisites:
1. AWS account with an EKS cluster
2. Hyperledger Besu client (EVM)
3. Helm charts & kubectl
Configure your local system with AWS IAM credentials that carry the privileges required to launch the EKS cluster, so that the `eksctl` tool can create the cluster from the command line.

$ aws configure

Please keep an eye on the official reference docs for Hyperledger Besu updates.
Let's launch the EKS cluster with the config below.

Clone the repo and run the following command:

$ eksctl create cluster -f ./cluster/cluster.yml

1. Your .kube/config should be connected to your cluster automatically; if not, run the following:

aws sts get-caller-identity
aws eks --region us-east-2 update-kubeconfig --name besucluster

2. Install the EBS CSI driver for local volumes, so the pods have storage space to write the blocks.

CLUSTER_NAME=besucluster
AWS_REGION=us-east-2
AWS_ACCOUNT=1234567890

# IAM role for the EBS CSI controller (IRSA), then the EBS CSI add-on bound to that role
eksctl create iamserviceaccount --name ebs-csi-controller-sa --namespace kube-system --cluster $CLUSTER_NAME --region $AWS_REGION --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy --approve --role-only --role-name AmazonEKS_EBS_CSI_DriverRole
eksctl create addon --name aws-ebs-csi-driver --cluster $CLUSTER_NAME --region $AWS_REGION --service-account-role-arn arn:aws:iam::$AWS_ACCOUNT:role/AmazonEKS_EBS_CSI_DriverRole --force
Note: Replace the AWS account id above with your own.

3. Now install the Secrets Store CSI driver with the AWS Secrets Manager provider, and create the IAM policy and service account the Besu pods will use to manage their secrets.
Note: I have used helm here for better package management to install the required drivers.

helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
helm install --namespace kube-system --create-namespace csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver
kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml

# IAM policy scoped to secrets named besu-node-* in this account and region only (least privilege for the node pods).
# $AWS_ACCOUNT was set in step 2; the quote break '"$AWS_ACCOUNT"' lets it expand inside the single-quoted JSON.
POLICY_ARN=$(aws --region us-east-2 --query Policy.Arn --output text iam create-policy --policy-name besu-node-secrets-mgr-policy --policy-document '{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Action": ["secretsmanager:CreateSecret","secretsmanager:UpdateSecret","secretsmanager:DescribeSecret","secretsmanager:GetSecretValue","secretsmanager:PutSecretValue","secretsmanager:ReplicateSecretToRegions","secretsmanager:TagResource"],
    "Resource": ["arn:aws:secretsmanager:us-east-2:'"$AWS_ACCOUNT"':secret:besu-node-*"]
  } ]
}')

# namespace for the network, plus an IRSA service account bound to the policy above
kubectl create namespace besu
eksctl create iamserviceaccount --name besu-node-secrets-sa --namespace besu --region=us-east-2 --cluster besucluster --attach-policy-arn "$POLICY_ARN" --approve --override-existing-serviceaccounts

With the above 3 steps, your AWS EKS cluster is ready to launch an Ethereum private network using Hyperledger Besu.

4. I have customized the charts as per my requirements, and the repos are available for reference.
Change the directory to helm.

for genesis:

for boot nodes:

for validators :

Once you have configured all three as above, you are good to go and can launch the nodes one by one.

helm install genesis ./charts/besu-genesis --namespace besu --values ./values/genesis-besu.yml

# bootnodes
helm install bootnode-1 ./charts/besu-node --namespace besu --values ./values/bootnode.yml
helm install bootnode-2 ./charts/besu-node --namespace besu --values ./values/bootnode.yml

# validators
helm install validator-1 ./charts/besu-node --namespace besu --values ./values/validator.yml
helm install validator-2 ./charts/besu-node --namespace besu --values ./values/validator.yml
helm install validator-3 ./charts/besu-node --namespace besu --values ./values/validator.yml
helm install validator-4 ./charts/besu-node --namespace besu --values ./values/validator.yml

Now all the nodes are up, and we can check the logs to confirm that blocks are being produced.

kubectl logs pod/besu-node-validator-2-0 --tail 10 -f

Now the nodes are connected to their peers and producing blocks in the network inside the Kubernetes cluster. So how do we make a transaction in the network?

We will launch another node, the RPC node, for public access and connect MetaMask to it to make transactions.
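Tailing `kubectl logs` works for a one-off look, but a repeatable check is more useful once the network is running. The script below is an added example, not code from the original post or from the Besu project: it queries the node over JSON-RPC, confirms it has at least one peer, and samples the block height twice to confirm the chain is still advancing. It assumes the node's HTTP RPC is reachable at `$BESU_RPC_URL` (for example through `kubectl port-forward` to the node's service, or the ingress URL once it exists) and that the `ETH` and `NET` RPC namespaces are enabled there; those two read-only namespaces are all the check needs, so it works against a reader node that exposes nothing else.

```shell
# Added example (not from the original post or the Besu project): JSON-RPC
# health check for a Besu node. Assumes the HTTP RPC endpoint is in
# $BESU_RPC_URL and that the ETH and NET namespaces are enabled on it.

rpc_call() {
  # $1 = JSON-RPC method name; performs one call and prints the raw response
  curl -sS -X POST -H 'Content-Type: application/json' \
    --data "{\"jsonrpc\":\"2.0\",\"method\":\"$1\",\"params\":[],\"id\":1}" \
    "$BESU_RPC_URL"
}

rpc_result() {
  # reads a one-line JSON-RPC response on stdin and prints the string "result" field
  sed -n 's/.*"result" *: *"\([^"]*\)".*/\1/p'
}

hex_to_dec() {
  # Ethereum JSON-RPC returns quantities as 0x-prefixed hex strings
  [ -n "$1" ] || { echo "empty quantity (RPC error or unexpected response)" >&2; return 1; }
  echo $(( $1 ))
}

chain_advancing() {
  # $1 = earlier block height, $2 = later block height; true if the chain moved on
  [ "$2" -gt "$1" ]
}

check_node() {
  local first second peers interval
  interval="${SAMPLE_INTERVAL:-10}"
  first=$(hex_to_dec "$(rpc_call eth_blockNumber | rpc_result)") || return 1
  peers=$(hex_to_dec "$(rpc_call net_peerCount | rpc_result)") || return 1
  sleep "$interval"
  second=$(hex_to_dec "$(rpc_call eth_blockNumber | rpc_result)") || return 1
  echo "peers=$peers block=$first -> $second (after ${interval}s)"
  if [ "$peers" -lt 1 ]; then
    echo "FAIL: node has no peers" >&2
    return 1
  fi
  if ! chain_advancing "$first" "$second"; then
    echo "FAIL: no new block in ${interval}s" >&2
    return 1
  fi
  echo "OK: node is peered and producing blocks"
}

# Only probe a live node when a URL was supplied; otherwise just define the functions.
if [ -n "${BESU_RPC_URL:-}" ]; then
  check_node
fi
```

Run it as `BESU_RPC_URL=http://localhost:8545 sh check-besu.sh` after a port-forward; `SAMPLE_INTERVAL` should be longer than the block period configured in the genesis file, otherwise a healthy node can be reported as stalled. The non-zero exit makes it usable as a readiness probe or a cron-driven alert.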

# rpc node
helm install rpc-1 ./charts/besu-node --namespace besu --values ./values/reader.yml

After the RPC node is up, check that it has connected to the network and is importing blocks. Now we will launch the ingress controller for this node.

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install besu-network-ingress ingress-nginx/ingress-nginx \
--namespace besu \
--set controller.ingressClassResource.name="nginx-2" \
--set controller.ingressClassResource.controllerValue="k8s.io/ingress-nginx-2" \
--set controller.replicaCount=1 \
--set controller.nodeSelector."kubernetes\.io/os"=linux \
--set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \
--set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux \
--set controller.service.externalTrafficPolicy=Local \
--set controller.ingressClassResource.enabled=true \
--set controller.IngressClassByName=true

# now apply the ingress rules for the RPC node
kubectl apply -f ../ingress/besu-ingress-rules.yml

Now import the wallet into MetaMask using the private key of the address configured in the genesis file. Configure your RPC URL in MetaMask, and you will see the initial wallet balance and can play around with transactions from MetaMask.

Next topic:
Adding mTLS for the nodes' communication, and adding a new validator from outside the EKS cluster.

Ravinayag

Blockchain enthusiast & Research | DevOps Explorer | Hyperledger Explorer