epistemophiliac/fabric-samples
1
0
Fork 0
mirror of https://github.com/hyperledger/fabric-samples.git synced 2026-06-17 15:35:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

se elimino la test network de kubernetes

Browse source
This commit is contained in:
luc662 2025-05-17 21:46:20 +00:00
parent 92301573d5
commit 1f9a4075bb
66 changed files with 0 additions and 11370 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
test-network-k8s/.gitignore vendored
View file

@ -1,7 +0,0 @@
.idea/
network.log
network-debug.log
build/
.env
bin/
*.tgz

117
test-network-k8s/README.md
View file

@ -1,117 +0,0 @@
# Kubernetes Test Network
This project re-establishes the Hyperledger [test-network](../test-network) as a _cloud native_ application.
### Objectives:
- Provide a simple, _one click_ activity for running the Fabric test network.
- Provide a reference guide for deploying _production-style_ networks on Kubernetes.
- Provide a _cloud ready_ platform for developing chaincode, Gateway, and blockchain apps.
- Provide a Kube supplement to the Fabric [CA Operations and Deployment](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy.html) guides.
- Support a transition to [Chaincode as a Service](https://hyperledger-fabric.readthedocs.io/en/latest/cc_service.html).
- Support a transition from the Internal, Docker daemon to [External Chaincode](https://hyperledger-fabric.readthedocs.io/en/latest/cc_launcher.html) builders.
- Run on any Kube.
_Fabric, Ahoy!_
## Prerequisites:
- [kubectl](https://kubernetes.io/docs/tasks/tools/)
- [jq](https://stedolan.github.io/jq/)
- [envsubst](https://www.gnu.org/software/gettext/manual/html_node/envsubst-Invocation.html) (`brew install gettext` on OSX)
- K8s - either:
- [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/#installation) + [Docker](https://www.docker.com) (resources: 8 CPU / 8 GRAM)
- [Rancher Desktop](https://rancherdesktop.io) (resources: 8 CPU / 8GRAM, mobyd, and disable Traefik)
## Quickstart
Create a KIND cluster:
```shell
./network kind
./network cluster init
```
or for [Rancher / k3s](docs/KUBERNETES.md#rancher-desktop-and-k3s):
```shell
export TEST_NETWORK_CLUSTER_RUNTIME=k3s
./network cluster init
```
Launch the network, create a channel, and deploy the [basic-asset-transfer](../asset-transfer-basic) smart contract:
```shell
./network up
./network channel create
./network chaincode deploy asset-transfer-basic ../asset-transfer-basic/chaincode-java
```
Invoke and query chaincode:
```shell
./network chaincode invoke asset-transfer-basic '{"Args":["InitLedger"]}'
./network chaincode query asset-transfer-basic '{"Args":["ReadAsset","asset1"]}'
```
Access the blockchain with a [REST API](https://github.com/hyperledger/fabric-samples/tree/main/asset-transfer-basic/rest-api-typescript):
```shell
./network rest-easy
```
Shut down the test network:
```shell
./network down
```
Tear down the cluster (KIND):
```shell
./network unkind
```
For Rancher: Preferences -> Kubernetes Settings -> Reset Kubernetes OR ...
```shell
./network cluster clean
```
## [Detailed Guides](docs/README.md)
- [Working with Kubernetes](docs/KUBERNETES.md)
- [Certificate Authorities](docs/CA.md)
- [Launching the Test Network](docs/TEST_NETWORK.md)
- [Working with Channels](docs/CHANNELS.md)
- [Working with Chaincode](docs/CHAINCODE.md)
- [Working with Applications](docs/APPLICATIONS.md)
### DNS Resolution on OSX
Fabric's OSX binaries have been statically linked with the golang `go` DNS resolver. In some environments, this
causes a brief but [noticeable delay](https://github.com/hyperledger/fabric/issues/3372) when issuing peer commands
against the test network.
Workarounds to improve DNS resolution time on OSX:
- Add manual DNS overrides for virtual hosts by adding to /etc/hosts:
```
127.0.0.1 org0-ca.localho.st
127.0.0.1 org1-ca.localho.st
127.0.0.1 org2-ca.localho.st
127.0.0.1 org0-orderer1.localho.st
127.0.0.1 org0-orderer2.localho.st
127.0.0.1 org0-orderer3.localho.st
127.0.0.1 org1-peer1.localho.st
127.0.0.1 org1-peer2.localho.st
127.0.0.1 org2-peer1.localho.st
127.0.0.1 org2-peer2.localho.st
```
- Reduce the system resolver timeout from the default 5s by adding to /etc/resolv.conf:
```shell
options: timeout 2
```
- Compile the [fabric binaries](https://github.com/hyperledger/fabric) on a Mac and copy `build/bin/*` outputs to
`test-network-k8s/bin`. Mac native builds are linked against the `netdns=cgo` DNS resolver, and are not
subject to the timeouts associated with the Golang DNS resolver.

415
test-network-k8s/config/org0/configtx-template.yaml
View file

@ -1,415 +0,0 @@
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
################################################################################
#
# Section: Organizations
#
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
#
################################################################################
Organizations:
# SampleOrg defines an MSP using the sampleconfig. It should never be used
# in production but may be used as a template for other definitions
- &OrdererOrg
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: OrdererOrg
# ID to load the MSP definition as
ID: OrdererMSP
# MSPDir is the filesystem path which contains the MSP configuration
MSPDir: ./channel-msp/ordererOrganizations/org0/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Writers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Admins:
Type: Signature
Rule: "OR('OrdererMSP.admin')"
OrdererEndpoints:
- org0-orderer1.${ORG0_NS}.svc.cluster.local:6050
- org0-orderer2.${ORG0_NS}.svc.cluster.local:6050
- org0-orderer3.${ORG0_NS}.svc.cluster.local:6050
- &Org1
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org1MSP
# ID to load the MSP definition as
ID: Org1MSP
MSPDir: ./channel-msp/peerOrganizations/org1/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
Writers:
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
Admins:
Type: Signature
Rule: "OR('Org1MSP.admin')"
Endorsement:
Type: Signature
Rule: "OR('Org1MSP.peer')"
# leave this flag set to true.
AnchorPeers:
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: org1-peer1.${ORG1_NS}.svc.cluster.local
Port: 7051
- &Org2
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org2MSP
# ID to load the MSP definition as
ID: Org2MSP
MSPDir: ./channel-msp/peerOrganizations/org2/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
Writers:
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
Admins:
Type: Signature
Rule: "OR('Org2MSP.admin')"
Endorsement:
Type: Signature
Rule: "OR('Org2MSP.peer')"
AnchorPeers:
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: org2-peer1.${ORG2_NS}.svc.cluster.local
Port: 7051
################################################################################
#
# SECTION: Capabilities
#
# - This section defines the capabilities of fabric network. This is a new
# concept as of v1.1.0 and should not be utilized in mixed networks with
# v1.0.x peers and orderers. Capabilities define features which must be
# present in a fabric binary for that binary to safely participate in the
# fabric network. For instance, if a new MSP type is added, newer binaries
# might recognize and validate the signatures from this type, while older
# binaries without this support would be unable to validate those
# transactions. This could lead to different versions of the fabric binaries
# having different world states. Instead, defining a capability for a channel
# informs those binaries without this capability that they must cease
# processing transactions until they have been upgraded. For v1.0.x if any
# capabilities are defined (including a map with all capabilities turned off)
# then the v1.0.x peer will deliberately crash.
#
################################################################################
Capabilities:
# Channel capabilities apply to both the orderers and the peers and must be
# supported by both.
# Set the value of the capability to true to require it.
Channel: &ChannelCapabilities
# V2_0 capability ensures that orderers and peers behave according
# to v2.0 channel capabilities. Orderers and peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 capability.
# Prior to enabling V2.0 channel capabilities, ensure that all
# orderers and peers on a channel are at v2.0.0 or later.
V2_0: true
# Orderer capabilities apply only to the orderers, and may be safely
# used with prior release peers.
# Set the value of the capability to true to require it.
Orderer: &OrdererCapabilities
# V2_0 orderer capability ensures that orderers behave according
# to v2.0 orderer capabilities. Orderers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 orderer capability.
# Prior to enabling V2.0 orderer capabilities, ensure that all
# orderers on channel are at v2.0.0 or later.
V2_0: true
# Application capabilities apply only to the peer network, and may be safely
# used with prior release orderers.
# Set the value of the capability to true to require it.
Application: &ApplicationCapabilities
# V2_0 application capability ensures that peers behave according
# to v2.0 application capabilities. Peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 application capability.
# Prior to enabling V2.0 application capabilities, ensure that all
# peers on channel are at v2.0.0 or later.
V2_0: true
################################################################################
#
# SECTION: Application
#
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
Organizations:
# Policies defines the set of policies at this level of the config tree
# For Application policies, their canonical path is
# /Channel/Application/<PolicyName>
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
LifecycleEndorsement:
Type: Signature
Rule: "OR('Org1MSP.peer','Org2MSP.peer')"
Endorsement:
Type: Signature
Rule: "OR('Org1MSP.peer','Org2MSP.peer')"
Capabilities:
<<: *ApplicationCapabilities
################################################################################
#
# SECTION: Orderer
#
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
#
################################################################################
Orderer: &OrdererDefaults
# Orderer Type: The orderer implementation to start
OrdererType: etcdraft
EtcdRaft:
Consenters:
- Host: org0-orderer1
Port: 6050
ClientTLSCert: ./channel-msp/ordererOrganizations/org0/orderers/org0-orderer1/tls/signcerts/tls-cert.pem
ServerTLSCert: ./channel-msp/ordererOrganizations/org0/orderers/org0-orderer1/tls/signcerts/tls-cert.pem
- Host: org0-orderer2
Port: 6050
ClientTLSCert: ./channel-msp/ordererOrganizations/org0/orderers/org0-orderer2/tls/signcerts/tls-cert.pem
ServerTLSCert: ./channel-msp/ordererOrganizations/org0/orderers/org0-orderer2/tls/signcerts/tls-cert.pem
- Host: org0-orderer3
Port: 6050
ClientTLSCert: ./channel-msp/ordererOrganizations/org0/orderers/org0-orderer3/tls/signcerts/tls-cert.pem
ServerTLSCert: ./channel-msp/ordererOrganizations/org0/orderers/org0-orderer3/tls/signcerts/tls-cert.pem
# Options to be specified for all the etcd/raft nodes. The values here
# are the defaults for all new channels and can be modified on a
# per-channel basis via configuration updates.
Options:
# TickInterval is the time interval between two Node.Tick invocations.
#TickInterval: 500ms default
TickInterval: 2500ms
# ElectionTick is the number of Node.Tick invocations that must pass
# between elections. That is, if a follower does not receive any
# message from the leader of current term before ElectionTick has
# elapsed, it will become candidate and start an election.
# ElectionTick must be greater than HeartbeatTick.
# ElectionTick: 10 default
ElectionTick: 5
# HeartbeatTick is the number of Node.Tick invocations that must
# pass between heartbeats. That is, a leader sends heartbeat
# messages to maintain its leadership every HeartbeatTick ticks.
HeartbeatTick: 1
# MaxInflightBlocks limits the max number of in-flight append messages
# during optimistic replication phase.
MaxInflightBlocks: 5
# SnapshotIntervalSize defines number of bytes per which a snapshot is taken
SnapshotIntervalSize: 16 MB
# Batch Timeout: The amount of time to wait before creating a batch
BatchTimeout: 2s
# Batch Size: Controls the number of messages batched into a block
BatchSize:
# Max Message Count: The maximum number of messages to permit in a batch
MaxMessageCount: 10
# Absolute Max Bytes: The absolute maximum number of bytes allowed for
# the serialized messages in a batch.
AbsoluteMaxBytes: 99 MB
# Preferred Max Bytes: The preferred maximum number of bytes allowed for
# the serialized messages in a batch. A message larger than the preferred
# max bytes will result in a batch larger than preferred max bytes.
PreferredMaxBytes: 512 KB
# Organizations is the list of orgs which are defined as participants on
# the orderer side of the network
Organizations:
# Policies defines the set of policies at this level of the config tree
# For Orderer policies, their canonical path is
# /Channel/Orderer/<PolicyName>
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# BlockValidation specifies what signatures must be included in the block
# from the orderer for the peer to validate it.
BlockValidation:
Type: ImplicitMeta
Rule: "ANY Writers"
################################################################################
#
# CHANNEL
#
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/<PolicyName>
Policies:
# Who may invoke the 'Deliver' API
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
# Who may invoke the 'Broadcast' API
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
# By default, who may modify elements at this config level
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# Capabilities describes the channel level capabilities, see the
# dedicated Capabilities section elsewhere in this file for a full
# description
Capabilities:
<<: *ChannelCapabilities
################################################################################
#
# Profile
#
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
#
################################################################################
Profiles:
# test network profile with application (not system) channel.
TwoOrgsApplicationGenesis:
<<: *ChannelDefaults
Orderer:
<<: *OrdererDefaults
Organizations:
- *OrdererOrg
Capabilities: *OrdererCapabilities
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
- *Org2
Capabilities: *ApplicationCapabilities
#
# Unclear lineage for these profiles: nano-fab?
#
# TwoOrgsOrdererGenesis will construct a system channel as it has a Consortiums stanza, which is not
# compatible with osnadmin.
#
# @enyeart - which profile should be used for the kube test network?
#
TwoOrgsOrdererGenesis:
<<: *ChannelDefaults
Orderer:
<<: *OrdererDefaults
OrdererType: etcdraft
Organizations:
- *OrdererOrg
Capabilities:
<<: *OrdererCapabilities
Consortiums:
SampleConsortium:
Organizations:
- *Org1
- *Org2
TwoOrgsChannel:
Consortium: SampleConsortium
<<: *ChannelDefaults
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
- *Org2
Capabilities:
<<: *ApplicationCapabilities
Org1Channel:
Consortium: SampleConsortium
<<: *ChannelDefaults
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
Capabilities:
<<: *ApplicationCapabilities
Org2Channel:
Consortium: SampleConsortium
<<: *ChannelDefaults
Application:
<<: *ApplicationDefaults
Organizations:
- *Org2
Capabilities:
<<: *ApplicationCapabilities

506
test-network-k8s/config/org0/fabric-ca-server-config.yaml
View file

@ -1,506 +0,0 @@
#############################################################################
# This is a configuration file for the fabric-ca-server command.
#
# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
# ------------------------------------------------
# Each configuration element can be overridden via command line
# arguments or environment variables. The precedence for determining
# the value of each element is as follows:
# 1) command line argument
# Examples:
# a) --port 443
# To set the listening port
# b) --ca.keyfile ../mykey.pem
# To set the "keyfile" element in the "ca" section below;
# note the '.' separator character.
# 2) environment variable
# Examples:
# a) FABRIC_CA_SERVER_PORT=443
# To set the listening port
# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
# To set the "keyfile" element in the "ca" section below;
# note the '_' separator character.
# 3) configuration file
# 4) default value (if there is one)
# All default values are shown beside each element below.
#
# FILE NAME ELEMENTS
# ------------------
# The value of all fields whose name ends with "file" or "files" are
# name or names of other files.
# For example, see "tls.certfile" and "tls.clientauth.certfiles".
# The value of each of these fields can be a simple filename, a
# relative path, or an absolute path. If the value is not an
# absolute path, it is interpreted as being relative to the location
# of this configuration file.
#
#############################################################################
# Version of config file
version: 1.5.2
# Server's listening port (default: 7054)
port: 443
# Cross-Origin Resource Sharing (CORS)
cors:
enabled: false
origins:
- "*"
# Enables debug logging (default: false)
debug: false
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
#
# Certfiles is a list of root certificate authorities that the server uses
# when verifying client certificates.
#############################################################################
tls:
# Enable TLS (default: false)
enabled: true
# TLS for the server's listening port
certfile:
keyfile:
clientauth:
type: noclientcert
certfiles:
#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts) and transaction
# certificates (TCerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
# Name of this CA
name: org0-ca
# Key file (is only used to import a private key into BCCSP)
keyfile:
# Certificate file (default: ca-cert.pem)
certfile:
# Chain file
chainfile:
#############################################################################
# The gencrl REST endpoint is used to generate a CRL that contains revoked
# certificates. This section contains configuration options that are used
# during gencrl request processing.
#############################################################################
crl:
# Specifies expiration for the generated CRL. The number of hours
# specified by this property is added to the UTC time, the resulting time
# is used to set the 'Next Update' date of the CRL.
expiry: 24h
#############################################################################
# The registry section controls how the fabric-ca-server does two things:
# 1) authenticates enrollment requests which contain a username and password
# (also known as an enrollment ID and secret).
# 2) once authenticated, retrieves the identity's attribute names and
# values which the fabric-ca-server optionally puts into TCerts
# which it issues for transacting on the Hyperledger Fabric blockchain.
# These attributes are useful for making access control decisions in
# chaincode.
# There are two main configuration options:
# 1) The fabric-ca-server is the registry.
# This is true if "ldap.enabled" in the ldap section below is false.
# 2) An LDAP server is the registry, in which case the fabric-ca-server
# calls the LDAP server to perform these tasks.
# This is true if "ldap.enabled" in the ldap section below is true,
# which means this "registry" section is ignored.
#############################################################################
registry:
# Maximum number of times a password/secret can be reused for enrollment
# (default: -1, which means there is no limit)
maxenrollments: -1
# Contains identity information which is used when LDAP is disabled
identities:
- name: rcaadmin
pass: rcaadminpw
type: client
affiliation: ""
attrs:
hf.Registrar.Roles: "*"
hf.Registrar.DelegateRoles: "*"
hf.Revoker: true
hf.IntermediateCA: true
hf.GenCRL: true
hf.Registrar.Attributes: "*"
hf.AffiliationMgr: true
#############################################################################
# Database section
# Supported types are: "sqlite3", "postgres", and "mysql".
# The datasource value depends on the type.
# If the type is "sqlite3", the datasource value is a file name to use
# as the database store. Since "sqlite3" is an embedded database, it
# may not be used if you want to run the fabric-ca-server in a cluster.
# To run the fabric-ca-server in a cluster, you must choose "postgres"
# or "mysql".
#############################################################################
db:
type: sqlite3
datasource: fabric-ca-server.db
tls:
enabled: false
certfiles:
client:
certfile:
keyfile:
#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) authenticate enrollment ID and secret (i.e. username and password)
# for enrollment requests;
# 2) To retrieve identity attributes
#############################################################################
ldap:
# Enables or disables the LDAP client (default: false)
# If this is set to true, the "registry" section is ignored.
enabled: false
# The URL of the LDAP server
url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
# TLS configuration for the client connection to the LDAP server
tls:
certfiles:
client:
certfile:
keyfile:
# Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
attribute:
# 'names' is an array of strings containing the LDAP attribute names which are
# requested from the LDAP server for an LDAP identity's entry
names: ['uid','member']
# The 'converters' section is used to convert an LDAP entry to the value of
# a fabric CA attribute.
# For example, the following converts an LDAP 'uid' attribute
# whose value begins with 'revoker' to a fabric CA attribute
# named "hf.Revoker" with a value of "true" (because the boolean expression
# evaluates to true).
# converters:
# - name: hf.Revoker
# value: attr("uid") =~ "revoker*"
converters:
- name:
value:
# The 'maps' section contains named maps which may be referenced by the 'map'
# function in the 'converters' section to map LDAP responses to arbitrary values.
# For example, assume a user has an LDAP attribute named 'member' which has multiple
# values which are each a distinguished name (i.e. a DN). For simplicity, assume the
# values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
# Further assume the following configuration.
# converters:
# - name: hf.Registrar.Roles
# value: map(attr("member"),"groups")
# maps:
# groups:
# - name: dn1
# value: peer
# - name: dn2
# value: client
# The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
# "peer,client,dn3". This is because the value of 'attr("member")' is
# "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
# "group" replaces "dn1" with "peer" and "dn2" with "client".
maps:
groups:
- name:
value:
#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
# businessunit1:
# department1:
# - team1
# businessunit2:
# - department2
# - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
org1:
- department1
- department2
org2:
- department1
#############################################################################
# Signing section
#
# The "default" subsection is used to sign enrollment certificates;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
# The "ca" profile subsection is used to sign intermediate CA certificates;
# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
# Note that "isca" is true, meaning that it issues a CA certificate.
# A maxpathlen of 0 means that the intermediate CA cannot issue other
# intermediate CA certificates, though it can still issue end entity certificates.
# (See RFC 5280, section 4.2.1.9)
#
# The "tls" profile subsection is used to sign TLS certificate requests;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
default:
usage:
- digital signature
expiry: 8760h
profiles:
ca:
usage:
- cert sign
- crl sign
expiry: 43800h
caconstraint:
isca: true
maxpathlen: 0
tls:
usage:
- signing
- key encipherment
- server auth
- client auth
- key agreement
expiry: 8760h
###########################################################################
# Certificate Signing Request (CSR) section.
# This controls the creation of the root CA certificate.
# The expiration for the root CA certificate is configured with the
# "ca.expiry" field below, whose default value is "131400h" which is
# 15 years in hours.
# The pathlength field is used to limit CA certificate hierarchy as described
# in section 4.2.1.9 of RFC 5280.
# Examples:
# 1) No pathlength value means no limit is requested.
# 2) pathlength == 1 means a limit of 1 is requested which is the default for
# a root CA. This means the root CA can issue intermediate CA certificates,
# but these intermediate CAs may not in turn issue other CA certificates
# though they can still issue end entity certificates.
# 3) pathlength == 0 means a limit of 0 is requested;
# this is the default for an intermediate CA, which means it can not issue
# CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
cn: fabric-ca-server
keyrequest:
algo: ecdsa
size: 256
names:
- C: US
ST: "North Carolina"
L:
O: Hyperledger
OU: Fabric
hosts:
- localhost
- 127.0.0.1
- org0-ca
- org0-ca.${NS}.svc.cluster.local
ca:
expiry: 131400h
pathlength: 1
###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
# Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
# Idemix credential. The issuer will create a pool revocation handles of this specified size. When
# a credential is requested, issuer will get handle from the pool and assign it to the credential.
# Issuer will repopulate the pool with new handles when the last handle in the pool is used.
# A revocation handle and credential revocation information (CRI) are used to create non revocation proof
# by the prover to prove to the verifier that her credential is not revoked.
rhpoolsize: 1000
# The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
# and second step is send credential request that is constructed using the nonce to the issuer to
# request a credential. This configuration property specifies expiration for the nonces. By default is
# nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
nonceexpiration: 15s
# Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
# The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
noncesweepinterval: 15m
#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
default: SW
sw:
hash: SHA2
security: 256
filekeystore:
# The directory used for the software file-based keystore
keystore: msp/keystore
#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default. This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs. The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that, this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA. Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################
cacount:
cafiles:
#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
# 1) A single server process may contain or function as one or more CAs.
# This is configured by the "Multi CA section" above.
# 2) Each CA is either a root CA or an intermediate CA.
# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
# url - The URL of the parent server
# caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
# profile - Name of the signing profile to use in issuing the certificate
# label - Label to use in HSM operations
#
# tls section for secure socket connection
# certfiles - PEM-encoded list of trusted root certificate files
# client:
# certfile - PEM-encoded certificate file for when client authentication
# is enabled on server
# keyfile - PEM-encoded key file for when client authentication
# is enabled on server
#############################################################################
intermediate:
parentserver:
url:
caname:
enrollment:
hosts:
profile:
label:
tls:
certfiles:
client:
certfile:
keyfile:
#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts are allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity get
# locked out.
#############################################################################
cfg:
identities:
passwordattempts: 10
###############################################################################
#
# Operations section
#
###############################################################################
operations:
# host and port for the operations server
listenAddress: 127.0.0.1:9443
# TLS configuration for the operations endpoint
tls:
# TLS enabled
enabled: false
# path to PEM encoded server certificate for the operations server
cert:
file:
# path to PEM encoded server key for the operations server
key:
file:
# require client certificate authentication to access all resources
clientAuthRequired: false
# paths to PEM encoded ca certificates to trust for client authentication
clientRootCAs:
files: []
###############################################################################
#
# Metrics section
#
###############################################################################
metrics:
# statsd, prometheus, or disabled
provider: disabled
# statsd configuration
statsd:
# network type: tcp or udp
network: udp
# statsd server address
address: 127.0.0.1:8125
# the interval at which locally cached counters and gauges are pushed
# to statsd; timings are pushed immediately
writeInterval: 10s
# prefix is prepended to all emitted statsd metrics
prefix: server

420
test-network-k8s/config/org0/orderer.yaml
View file

@ -1,420 +0,0 @@
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
################################################################################
#
# Orderer Configuration
#
# - This controls the type and configuration of the orderer.
#
################################################################################
General:
# Listen address: The IP on which to bind to listen.
ListenAddress: 0.0.0.0
# Listen port: The port on which to bind to listen.
ListenPort: 6050
# TLS: TLS settings for the GRPC server.
TLS:
# Require server-side TLS
Enabled: false
# PrivateKey governs the file location of the private key of the TLS certificate.
PrivateKey: tls/server.key
# Certificate governs the file location of the server TLS certificate.
Certificate: tls/server.crt
# RootCAs contains a list of additional root certificates used for verifying certificates
# of other orderer nodes during outbound connections.
# It is not required to be set, but can be used to augment the set of TLS CA certificates
# available from the MSPs of each channels configuration.
RootCAs:
- tls/ca.crt
# Require client certificates / mutual TLS for inbound connections.
ClientAuthRequired: false
# If mutual TLS is enabled, ClientRootCAs contains a list of additional root certificates
# used for verifying certificates of client connections.
# It is not required to be set, but can be used to augment the set of TLS CA certificates
# available from the MSPs of each channels configuration.
ClientRootCAs:
# Keepalive settings for the GRPC server.
Keepalive:
# ServerMinInterval is the minimum permitted time between client pings.
# If clients send pings more frequently, the server will
# disconnect them.
ServerMinInterval: 60s
# ServerInterval is the time between pings to clients.
ServerInterval: 7200s
# ServerTimeout is the duration the server waits for a response from
# a client before closing the connection.
ServerTimeout: 20s
# Cluster settings for ordering service nodes that communicate with other ordering service nodes
# such as Raft based ordering service.
Cluster:
# SendBufferSize is the maximum number of messages in the egress buffer.
# Consensus messages are dropped if the buffer is full, and transaction
# messages are waiting for space to be freed.
SendBufferSize: 10
# ClientCertificate governs the file location of the client TLS certificate
# used to establish mutual TLS connections with other ordering service nodes.
# If not set, the server General.TLS.Certificate is re-used.
ClientCertificate:
# ClientPrivateKey governs the file location of the private key of the client TLS certificate.
# If not set, the server General.TLS.PrivateKey is re-used.
ClientPrivateKey:
# The below 4 properties should be either set together, or be unset together.
# If they are set, then the orderer node uses a separate listener for intra-cluster
# communication. If they are unset, then the general orderer listener is used.
# This is useful if you want to use a different TLS server certificates on the
# client-facing and the intra-cluster listeners.
# ListenPort defines the port on which the cluster listens to connections.
ListenPort:
# ListenAddress defines the IP on which to listen to intra-cluster communication.
ListenAddress:
# ServerCertificate defines the file location of the server TLS certificate used for intra-cluster
# communication.
ServerCertificate:
# ServerPrivateKey defines the file location of the private key of the TLS certificate.
ServerPrivateKey:
# Bootstrap method: The method by which to obtain the bootstrap block
# system channel is specified. The option can be one of:
# "file" - path to a file containing the genesis block or config block of system channel
# "none" - allows an orderer to start without a system channel configuration
BootstrapMethod: none
# Bootstrap file: The file containing the bootstrap block to use when
# initializing the orderer system channel and BootstrapMethod is set to
# "file". The bootstrap file can be the genesis block, and it can also be
# a config block for late bootstrap of some consensus methods like Raft.
# Generate a genesis block by updating $FABRIC_CFG_PATH/configtx.yaml and
# using configtxgen command with "-outputBlock" option.
# Defaults to file "genesisblock" (in $FABRIC_CFG_PATH directory) if not specified.
BootstrapFile:
# LocalMSPDir is where to find the private crypto material needed by the
# orderer. It is set relative here as a default for dev environments but
# should be changed to the real location in production.
LocalMSPDir: msp
# LocalMSPID is the identity to register the local MSP material with the MSP
# manager. IMPORTANT: The local MSP ID of an orderer needs to match the MSP
# ID of one of the organizations defined in the orderer system channel's
# /Channel/Orderer configuration. The sample organization defined in the
# sample configuration provided has an MSP ID of "SampleOrg".
LocalMSPID: SampleOrg
# Enable an HTTP service for Go "pprof" profiling as documented at:
# https://golang.org/pkg/net/http/pprof
Profile:
Enabled: false
Address: 0.0.0.0:6060
# BCCSP configures the blockchain crypto service providers.
BCCSP:
# Default specifies the preferred blockchain crypto service provider
# to use. If the preferred provider is not available, the software
# based provider ("SW") will be used.
# Valid providers are:
# - SW: a software based crypto provider
# - PKCS11: a CA hardware security module crypto provider.
Default: SW
# SW configures the software based blockchain crypto provider.
SW:
# TODO: The default Hash and Security level needs refactoring to be
# fully configurable. Changing these defaults requires coordination
# SHA2 is hardcoded in several places, not only BCCSP
Hash: SHA2
Security: 256
# Location of key store. If this is unset, a location will be
# chosen using: 'LocalMSPDir'/keystore
FileKeyStore:
KeyStore:
# Settings for the PKCS#11 crypto provider (i.e. when DEFAULT: PKCS11)
PKCS11:
# Location of the PKCS11 module library
Library:
# Token Label
Label:
# User PIN
Pin:
Hash:
Security:
FileKeyStore:
KeyStore:
# Authentication contains configuration parameters related to authenticating
# client messages
Authentication:
# the acceptable difference between the current server time and the
# client's time as specified in a client request message
TimeWindow: 15m
################################################################################
#
# SECTION: File Ledger
#
# - This section applies to the configuration of the file ledger.
#
################################################################################
FileLedger:
# Location: The directory to store the blocks in.
Location: /var/hyperledger/production/orderer
################################################################################
#
# SECTION: Kafka
#
# - This section applies to the configuration of the Kafka-based orderer, and
# its interaction with the Kafka cluster.
#
################################################################################
Kafka:
# Retry: What do if a connection to the Kafka cluster cannot be established,
# or if a metadata request to the Kafka cluster needs to be repeated.
Retry:
# When a new channel is created, or when an existing channel is reloaded
# (in case of a just-restarted orderer), the orderer interacts with the
# Kafka cluster in the following ways:
# 1. It creates a Kafka producer (writer) for the Kafka partition that
# corresponds to the channel.
# 2. It uses that producer to post a no-op CONNECT message to that
# partition
# 3. It creates a Kafka consumer (reader) for that partition.
# If any of these steps fail, they will be re-attempted every
# <ShortInterval> for a total of <ShortTotal>, and then every
# <LongInterval> for a total of <LongTotal> until they succeed.
# Note that the orderer will be unable to write to or read from a
# channel until all of the steps above have been completed successfully.
ShortInterval: 5s
ShortTotal: 10m
LongInterval: 5m
LongTotal: 12h
# Affects the socket timeouts when waiting for an initial connection, a
# response, or a transmission. See Config.Net for more info:
# https://godoc.org/github.com/Shopify/sarama#Config
NetworkTimeouts:
DialTimeout: 10s
ReadTimeout: 10s
WriteTimeout: 10s
# Affects the metadata requests when the Kafka cluster is in the middle
# of a leader election.See Config.Metadata for more info:
# https://godoc.org/github.com/Shopify/sarama#Config
Metadata:
RetryBackoff: 250ms
RetryMax: 3
# What to do if posting a message to the Kafka cluster fails. See
# Config.Producer for more info:
# https://godoc.org/github.com/Shopify/sarama#Config
Producer:
RetryBackoff: 100ms
RetryMax: 3
# What to do if reading from the Kafka cluster fails. See
# Config.Consumer for more info:
# https://godoc.org/github.com/Shopify/sarama#Config
Consumer:
RetryBackoff: 2s
# Settings to use when creating Kafka topics. Only applies when
# Kafka.Version is v0.10.1.0 or higher
Topic:
# The number of Kafka brokers across which to replicate the topic
ReplicationFactor: 3
# Verbose: Enable logging for interactions with the Kafka cluster.
Verbose: false
# TLS: TLS settings for the orderer's connection to the Kafka cluster.
TLS:
# Enabled: Use TLS when connecting to the Kafka cluster.
Enabled: false
# PrivateKey: PEM-encoded private key the orderer will use for
# authentication.
PrivateKey:
# As an alternative to specifying the PrivateKey here, uncomment the
# following "File" key and specify the file name from which to load the
# value of PrivateKey.
#File: path/to/PrivateKey
# Certificate: PEM-encoded signed public key certificate the orderer will
# use for authentication.
Certificate:
# As an alternative to specifying the Certificate here, uncomment the
# following "File" key and specify the file name from which to load the
# value of Certificate.
#File: path/to/Certificate
# RootCAs: PEM-encoded trusted root certificates used to validate
# certificates from the Kafka cluster.
RootCAs:
# As an alternative to specifying the RootCAs here, uncomment the
# following "File" key and specify the file name from which to load the
# value of RootCAs.
#File: path/to/RootCAs
# SASLPlain: Settings for using SASL/PLAIN authentication with Kafka brokers
SASLPlain:
# Enabled: Use SASL/PLAIN to authenticate with Kafka brokers
Enabled: false
# User: Required when Enabled is set to true
User:
# Password: Required when Enabled is set to true
Password:
# Kafka protocol version used to communicate with the Kafka cluster brokers
# (defaults to 0.10.2.0 if not specified)
Version:
################################################################################
#
# Debug Configuration
#
# - This controls the debugging options for the orderer
#
################################################################################
Debug:
# BroadcastTraceDir when set will cause each request to the Broadcast service
# for this orderer to be written to a file in this directory
BroadcastTraceDir:
# DeliverTraceDir when set will cause each request to the Deliver service
# for this orderer to be written to a file in this directory
DeliverTraceDir:
################################################################################
#
# Operations Configuration
#
# - This configures the operations server endpoint for the orderer
#
################################################################################
Operations:
# host and port for the operations server
ListenAddress: 0.0.0.0:8443
# TLS configuration for the operations endpoint
TLS:
# TLS enabled
Enabled: false
# Certificate is the location of the PEM encoded TLS certificate
Certificate:
# PrivateKey points to the location of the PEM-encoded key
PrivateKey:
# Most operations service endpoints require client authentication when TLS
# is enabled. ClientAuthRequired requires client certificate authentication
# at the TLS layer to access all resources.
ClientAuthRequired: false
# Paths to PEM encoded ca certificates to trust for client authentication
ClientRootCAs: []
################################################################################
#
# Metrics Configuration
#
# - This configures metrics collection for the orderer
#
################################################################################
Metrics:
# The metrics provider is one of statsd, prometheus, or disabled
Provider: disabled
# The statsd configuration
Statsd:
# network type: tcp or udp
Network: udp
# the statsd server address
Address: 127.0.0.1:8125
# The interval at which locally cached counters and gauges are pushed
# to statsd; timings are pushed immediately
WriteInterval: 30s
# The prefix is prepended to all emitted statsd metrics
Prefix:
################################################################################
#
# Admin Configuration
#
# - This configures the admin server endpoint for the orderer
#
################################################################################
Admin:
# host and port for the admin server
ListenAddress: 0.0.0.0:9443
# TLS configuration for the admin endpoint
TLS:
# TLS enabled
Enabled: false
# Certificate is the location of the PEM encoded TLS certificate
Certificate:
# PrivateKey points to the location of the PEM-encoded key
PrivateKey:
# Most admin service endpoints require client authentication when TLS
# is enabled. ClientAuthRequired requires client certificate authentication
# at the TLS layer to access all resources.
#
# NOTE: When TLS is enabled, the admin endpoint requires mutual TLS. The
# orderer will panic on startup if this value is set to false.
ClientAuthRequired: true
# Paths to PEM encoded ca certificates to trust for client authentication
ClientRootCAs: []
################################################################################
#
# Channel participation API Configuration
#
# - This provides the channel participation API configuration for the orderer.
# - Channel participation uses the ListenAddress and TLS settings of the Admin
# service.
#
################################################################################
ChannelParticipation:
# Channel participation API is enabled.
Enabled: true
# The maximum size of the request body when joining a channel.
MaxRequestBodySize: 1 MB
################################################################################
#
# Consensus Configuration
#
# - This section contains config options for a consensus plugin. It is opaque
# to orderer, and completely up to consensus implementation to make use of.
#
################################################################################
Consensus:
# The allowed key-value pairs here depend on consensus plugin. For etcd/raft,
# we use following options:
# WALDir specifies the location at which Write Ahead Logs for etcd/raft are
# stored. Each channel will have its own subdir named after channel ID.
WALDir: /var/hyperledger/production/orderer/etcdraft/wal
# SnapDir specifies the location at which snapshots for etcd/raft are
# stored. Each channel will have its own subdir named after channel ID.
SnapDir: /var/hyperledger/production/orderer/etcdraft/snapshot

766
test-network-k8s/config/org1/core.yaml
View file

@ -1,766 +0,0 @@
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
###############################################################################
#
# Peer section
#
###############################################################################
peer:
# The peer id provides a name for this peer instance and is used when
# naming docker resources.
id: jdoe
# The networkId allows for logical separation of networks and is used when
# naming docker resources.
networkId: dev
# The Address at local network interface this Peer will listen on.
# By default, it will listen on all network interfaces
listenAddress: 0.0.0.0:7051
# The endpoint this peer uses to listen for inbound chaincode connections.
# If this is commented-out, the listen address is selected to be
# the peer's address (see below) with port 7052
# chaincodeListenAddress: 0.0.0.0:7052
# The endpoint the chaincode for this peer uses to connect to the peer.
# If this is not specified, the chaincodeListenAddress address is selected.
# And if chaincodeListenAddress is not specified, address is selected from
# peer address (see below). If specified peer address is invalid then it
# will fallback to the auto detected IP (local IP) regardless of the peer
# addressAutoDetect value.
# chaincodeAddress: 0.0.0.0:7052
# When used as peer config, this represents the endpoint to other peers
# in the same organization. For peers in other organization, see
# gossip.externalEndpoint for more info.
# When used as CLI config, this means the peer's endpoint to interact with
address: 0.0.0.0:7051
# Whether the Peer should programmatically determine its address
# This case is useful for docker containers.
# When set to true, will override peer address.
addressAutoDetect: false
# Keepalive settings for peer server and clients
keepalive:
# Interval is the duration after which if the server does not see
# any activity from the client it pings the client to see if it's alive
interval: 7200s
# Timeout is the duration the server waits for a response
# from the client after sending a ping before closing the connection
timeout: 20s
# MinInterval is the minimum permitted time between client pings.
# If clients send pings more frequently, the peer server will
# disconnect them
minInterval: 60s
# Client keepalive settings for communicating with other peer nodes
client:
# Interval is the time between pings to peer nodes. This must
# greater than or equal to the minInterval specified by peer
# nodes
interval: 60s
# Timeout is the duration the client waits for a response from
# peer nodes before closing the connection
timeout: 20s
# DeliveryClient keepalive settings for communication with ordering
# nodes.
deliveryClient:
# Interval is the time between pings to ordering nodes. This must
# greater than or equal to the minInterval specified by ordering
# nodes.
interval: 60s
# Timeout is the duration the client waits for a response from
# ordering nodes before closing the connection
timeout: 20s
# Gossip related configuration
gossip:
# Bootstrap set to initialize gossip with.
# This is a list of other peers that this peer reaches out to at startup.
# Important: The endpoints here have to be endpoints of peers in the same
# organization, because the peer would refuse connecting to these endpoints
# unless they are in the same organization as the peer.
bootstrap: 127.0.0.1:7051
# NOTE: orgLeader and useLeaderElection parameters are mutual exclusive.
# Setting both to true would result in the termination of the peer
# since this is undefined state. If the peers are configured with
# useLeaderElection=false, make sure there is at least 1 peer in the
# organization that its orgLeader is set to true.
# Defines whenever peer will initialize dynamic algorithm for
# "leader" selection, where leader is the peer to establish
# connection with ordering service and use delivery protocol
# to pull ledger blocks from ordering service.
useLeaderElection: false
# Statically defines peer to be an organization "leader",
# where this means that current peer will maintain connection
# with ordering service and disseminate block across peers in
# its own organization. Multiple peers or all peers in an organization
# may be configured as org leaders, so that they all pull
# blocks directly from ordering service.
orgLeader: true
# Interval for membershipTracker polling
membershipTrackerInterval: 5s
# Overrides the endpoint that the peer publishes to peers
# in its organization. For peers in foreign organizations
# see 'externalEndpoint'
endpoint:
# Maximum count of blocks stored in memory
maxBlockCountToStore: 10
# Max time between consecutive message pushes(unit: millisecond)
maxPropagationBurstLatency: 10ms
# Max number of messages stored until a push is triggered to remote peers
maxPropagationBurstSize: 10
# Number of times a message is pushed to remote peers
propagateIterations: 1
# Number of peers selected to push messages to
propagatePeerNum: 3
# Determines frequency of pull phases(unit: second)
# Must be greater than digestWaitTime + responseWaitTime
pullInterval: 4s
# Number of peers to pull from
pullPeerNum: 3
# Determines frequency of pulling state info messages from peers(unit: second)
requestStateInfoInterval: 4s
# Determines frequency of pushing state info messages to peers(unit: second)
publishStateInfoInterval: 4s
# Maximum time a stateInfo message is kept until expired
stateInfoRetentionInterval:
# Time from startup certificates are included in Alive messages(unit: second)
publishCertPeriod: 10s
# Should we skip verifying block messages or not (currently not in use)
skipBlockVerification: false
# Dial timeout(unit: second)
dialTimeout: 3s
# Connection timeout(unit: second)
connTimeout: 2s
# Buffer size of received messages
recvBuffSize: 20
# Buffer size of sending messages
sendBuffSize: 200
# Time to wait before pull engine processes incoming digests (unit: second)
# Should be slightly smaller than requestWaitTime
digestWaitTime: 1s
# Time to wait before pull engine removes incoming nonce (unit: milliseconds)
# Should be slightly bigger than digestWaitTime
requestWaitTime: 1500ms
# Time to wait before pull engine ends pull (unit: second)
responseWaitTime: 2s
# Alive check interval(unit: second)
aliveTimeInterval: 5s
# Alive expiration timeout(unit: second)
aliveExpirationTimeout: 25s
# Reconnect interval(unit: second)
reconnectInterval: 25s
# Max number of attempts to connect to a peer
maxConnectionAttempts: 120
# Message expiration factor for alive messages
msgExpirationFactor: 20
# This is an endpoint that is published to peers outside of the organization.
# If this isn't set, the peer will not be known to other organizations.
externalEndpoint:
# Leader election service configuration
election:
# Longest time peer waits for stable membership during leader election startup (unit: second)
startupGracePeriod: 15s
# Interval gossip membership samples to check its stability (unit: second)
membershipSampleInterval: 1s
# Time passes since last declaration message before peer decides to perform leader election (unit: second)
leaderAliveThreshold: 10s
# Time between peer sends propose message and declares itself as a leader (sends declaration message) (unit: second)
leaderElectionDuration: 5s
pvtData:
# pullRetryThreshold determines the maximum duration of time private data corresponding for a given block
# would be attempted to be pulled from peers until the block would be committed without the private data
pullRetryThreshold: 60s
# As private data enters the transient store, it is associated with the peer's ledger's height at that time.
# transientstoreMaxBlockRetention defines the maximum difference between the current ledger's height upon commit,
# and the private data residing inside the transient store that is guaranteed not to be purged.
# Private data is purged from the transient store when blocks with sequences that are multiples
# of transientstoreMaxBlockRetention are committed.
transientstoreMaxBlockRetention: 1000
# pushAckTimeout is the maximum time to wait for an acknowledgement from each peer
# at private data push at endorsement time.
pushAckTimeout: 3s
# Block to live pulling margin, used as a buffer
# to prevent peer from trying to pull private data
# from peers that is soon to be purged in next N blocks.
# This helps a newly joined peer catch up to current
# blockchain height quicker.
btlPullMargin: 10
# the process of reconciliation is done in an endless loop, while in each iteration reconciler tries to
# pull from the other peers the most recent missing blocks with a maximum batch size limitation.
# reconcileBatchSize determines the maximum batch size of missing private data that will be reconciled in a
# single iteration.
reconcileBatchSize: 10
# reconcileSleepInterval determines the time reconciler sleeps from end of an iteration until the beginning
# of the next reconciliation iteration.
reconcileSleepInterval: 1m
# reconciliationEnabled is a flag that indicates whether private data reconciliation is enable or not.
reconciliationEnabled: true
# skipPullingInvalidTransactionsDuringCommit is a flag that indicates whether pulling of invalid
# transaction's private data from other peers need to be skipped during the commit time and pulled
# only through reconciler.
skipPullingInvalidTransactionsDuringCommit: false
# implicitCollectionDisseminationPolicy specifies the dissemination policy for the peer's own implicit collection.
# When a peer endorses a proposal that writes to its own implicit collection, below values override the default values
# for disseminating private data.
# Note that it is applicable to all channels the peer has joined. The implication is that requiredPeerCount has to
# be smaller than the number of peers in a channel that has the lowest numbers of peers from the organization.
implicitCollectionDisseminationPolicy:
# requiredPeerCount defines the minimum number of eligible peers to which the peer must successfully
# disseminate private data for its own implicit collection during endorsement. Default value is 0.
requiredPeerCount: 0
# maxPeerCount defines the maximum number of eligible peers to which the peer will attempt to
# disseminate private data for its own implicit collection during endorsement. Default value is 1.
maxPeerCount: 1
# Gossip state transfer related configuration
state:
# indicates whenever state transfer is enabled or not
# default value is true, i.e. state transfer is active
# and takes care to sync up missing blocks allowing
# lagging peer to catch up to speed with rest network.
# Keep in mind that when peer.gossip.useLeaderElection is true
# and there are several peers in the organization,
# or peer.gossip.useLeaderElection is false alongside with
# peer.gossip.orgleader being false, the peer's ledger may lag behind
# the rest of the peers and will never catch up due to state transfer
# being disabled.
enabled: false
# checkInterval interval to check whether peer is lagging behind enough to
# request blocks via state transfer from another peer.
checkInterval: 10s
# responseTimeout amount of time to wait for state transfer response from
# other peers
responseTimeout: 3s
# batchSize the number of blocks to request via state transfer from another peer
batchSize: 10
# blockBufferSize reflects the size of the re-ordering buffer
# which captures blocks and takes care to deliver them in order
# down to the ledger layer. The actual buffer size is bounded between
# 0 and 2*blockBufferSize, each channel maintains its own buffer
blockBufferSize: 20
# maxRetries maximum number of re-tries to ask
# for single state transfer request
maxRetries: 3
# TLS Settings
tls:
# Require server-side TLS
enabled: true
# Require client certificates / mutual TLS for inbound connections.
# Note that clients that are not configured to use a certificate will
# fail to connect to the peer.
clientAuthRequired: false
# X.509 certificate used for TLS server
cert:
file: tls/server.crt
# Private key used for TLS server
key:
file: tls/server.key
# rootcert.file represents the trusted root certificate chain used for verifying certificates
# of other nodes during outbound connections.
# It is not required to be set, but can be used to augment the set of TLS CA certificates
# available from the MSPs of each channels configuration.
rootcert:
file: tls/ca.crt
# If mutual TLS is enabled, clientRootCAs.files contains a list of additional root certificates
# used for verifying certificates of client connections.
# It augments the set of TLS CA certificates available from the MSPs of each channels configuration.
# Minimally, set your organization's TLS CA root certificate so that the peer can receive join channel requests.
clientRootCAs:
files:
- tls/ca.crt
# Private key used for TLS when making client connections.
# If not set, peer.tls.key.file will be used instead
clientKey:
file:
# X.509 certificate used for TLS when making client connections.
# If not set, peer.tls.cert.file will be used instead
clientCert:
file:
# Authentication contains configuration parameters related to authenticating
# client messages
authentication:
# the acceptable difference between the current server time and the
# client's time as specified in a client request message
timewindow: 15m
# Path on the file system where peer will store data (eg ledger). This
# location must be access control protected to prevent unintended
# modification that might corrupt the peer operations.
fileSystemPath: /var/hyperledger/production
# BCCSP (Blockchain crypto provider): Select which crypto implementation or
# library to use
BCCSP:
Default: SW
# Settings for the SW crypto provider (i.e. when DEFAULT: SW)
SW:
# TODO: The default Hash and Security level needs refactoring to be
# fully configurable. Changing these defaults requires coordination
# SHA2 is hardcoded in several places, not only BCCSP
Hash: SHA2
Security: 256
# Location of Key Store
FileKeyStore:
# If "", defaults to 'mspConfigPath'/keystore
KeyStore:
# Settings for the PKCS#11 crypto provider (i.e. when DEFAULT: PKCS11)
PKCS11:
# Location of the PKCS11 module library
Library:
# Token Label
Label:
# User PIN
Pin:
Hash:
Security:
# Path on the file system where peer will find MSP local configurations
mspConfigPath: msp
# Identifier of the local MSP
# ----!!!!IMPORTANT!!!-!!!IMPORTANT!!!-!!!IMPORTANT!!!!----
# Deployers need to change the value of the localMspId string.
# In particular, the name of the local MSP ID of a peer needs
# to match the name of one of the MSPs in each of the channel
# that this peer is a member of. Otherwise this peer's messages
# will not be identified as valid by other nodes.
localMspId: Org1MSP
# CLI common client config options
client:
# connection timeout
connTimeout: 10s
# Delivery service related config
deliveryclient:
# It sets the total time the delivery service may spend in reconnection
# attempts until its retry logic gives up and returns an error
reconnectTotalTimeThreshold: 3600s
# It sets the delivery service <-> ordering service node connection timeout
connTimeout: 10s
# It sets the delivery service maximal delay between consecutive retries
reConnectBackoffThreshold: 3600s
# A list of orderer endpoint addresses which should be overridden
# when found in channel configurations.
addressOverrides:
# - from:
# to:
# caCertsFile:
# - from:
# to:
# caCertsFile:
# Type for the local MSP - by default it's of type bccsp
localMspType: bccsp
# Used with Go profiling tools only in none production environment. In
# production, it should be disabled (eg enabled: false)
profile:
enabled: false
listenAddress: 0.0.0.0:6060
# Handlers defines custom handlers that can filter and mutate
# objects passing within the peer, such as:
# Auth filter - reject or forward proposals from clients
# Decorators - append or mutate the chaincode input passed to the chaincode
# Endorsers - Custom signing over proposal response payload and its mutation
# Valid handler definition contains:
# - A name which is a factory method name defined in
# core/handlers/library/library.go for statically compiled handlers
# - library path to shared object binary for pluggable filters
# Auth filters and decorators are chained and executed in the order that
# they are defined. For example:
# authFilters:
# -
# name: FilterOne
# library: /opt/lib/filter.so
# -
# name: FilterTwo
# decorators:
# -
# name: DecoratorOne
# -
# name: DecoratorTwo
# library: /opt/lib/decorator.so
# Endorsers are configured as a map that its keys are the endorsement system chaincodes that are being overridden.
# Below is an example that overrides the default ESCC and uses an endorsement plugin that has the same functionality
# as the default ESCC.
# If the 'library' property is missing, the name is used as the constructor method in the builtin library similar
# to auth filters and decorators.
# endorsers:
# escc:
# name: DefaultESCC
# library: /etc/hyperledger/fabric/plugin/escc.so
handlers:
authFilters:
-
name: DefaultAuth
-
name: ExpirationCheck # This filter checks identity x509 certificate expiration
decorators:
-
name: DefaultDecorator
endorsers:
escc:
name: DefaultEndorsement
library:
validators:
vscc:
name: DefaultValidation
library:
# library: /etc/hyperledger/fabric/plugin/escc.so
# Number of goroutines that will execute transaction validation in parallel.
# By default, the peer chooses the number of CPUs on the machine. Set this
# variable to override that choice.
# NOTE: overriding this value might negatively influence the performance of
# the peer so please change this value only if you know what you're doing
validatorPoolSize:
# The discovery service is used by clients to query information about peers,
# such as - which peers have joined a certain channel, what is the latest
# channel config, and most importantly - given a chaincode and a channel,
# what possible sets of peers satisfy the endorsement policy.
discovery:
enabled: true
# Whether the authentication cache is enabled or not.
authCacheEnabled: true
# The maximum size of the cache, after which a purge takes place
authCacheMaxSize: 1000
# The proportion (0 to 1) of entries that remain in the cache after the cache is purged due to overpopulation
authCachePurgeRetentionRatio: 0.75
# Whether to allow non-admins to perform non channel scoped queries.
# When this is false, it means that only peer admins can perform non channel scoped queries.
orgMembersAllowedAccess: false
# Limits is used to configure some internal resource limits.
limits:
# Concurrency limits the number of concurrently running requests to a service on each peer.
# Currently this option is only applied to endorser service and deliver service.
# When the property is missing or the value is 0, the concurrency limit is disabled for the service.
concurrency:
# endorserService limits concurrent requests to endorser service that handles chaincode deployment, query and invocation,
# including both user chaincodes and system chaincodes.
endorserService: 2500
# deliverService limits concurrent event listeners registered to deliver service for blocks and transaction events.
deliverService: 2500
###############################################################################
#
# VM section
#
###############################################################################
vm:
# Endpoint of the vm management system. For docker can be one of the following in general
# unix:///var/run/docker.sock
# http://localhost:2375
# https://localhost:2376
# endpoint: unix:///var/run/docker.sock
# settings for docker vms
docker:
tls:
enabled: false
ca:
file: docker/ca.crt
cert:
file: docker/tls.crt
key:
file: docker/tls.key
# Enables/disables the standard out/err from chaincode containers for
# debugging purposes
attachStdout: false
# Parameters on creating docker container.
# Container may be efficiently created using ipam & dns-server for cluster
# NetworkMode - sets the networking mode for the container. Supported
# standard values are: `host`(default),`bridge`,`ipvlan`,`none`.
# Dns - a list of DNS servers for the container to use.
# Note: `Privileged` `Binds` `Links` and `PortBindings` properties of
# Docker Host Config are not supported and will not be used if set.
# LogConfig - sets the logging driver (Type) and related options
# (Config) for Docker. For more info,
# https://docs.docker.com/engine/admin/logging/overview/
# Note: Set LogConfig using Environment Variables is not supported.
hostConfig:
NetworkMode: host
Dns:
# - 192.168.0.1
LogConfig:
Type: json-file
Config:
max-size: "50m"
max-file: "5"
Memory: 2147483648
###############################################################################
#
# Chaincode section
#
###############################################################################
chaincode:
# The id is used by the Chaincode stub to register the executing Chaincode
# ID with the Peer and is generally supplied through ENV variables
# the `path` form of ID is provided when installing the chaincode.
# The `name` is used for all other requests and can be any string.
id:
path:
name:
# Generic builder environment, suitable for most chaincode types
builder: $(DOCKER_NS)/fabric-ccenv:$(TWO_DIGIT_VERSION)
# Enables/disables force pulling of the base docker images (listed below)
# during user chaincode instantiation.
# Useful when using moving image tags (such as :latest)
pull: false
golang:
# golang will never need more than baseos
runtime: $(DOCKER_NS)/fabric-baseos:$(TWO_DIGIT_VERSION)
# whether or not golang chaincode should be linked dynamically
dynamicLink: false
java:
# This is an image based on java:openjdk-8 with addition compiler
# tools added for java shim layer packaging.
# This image is packed with shim layer libraries that are necessary
# for Java chaincode runtime.
runtime: $(DOCKER_NS)/fabric-javaenv:$(TWO_DIGIT_VERSION)
node:
# This is an image based on node:$(NODE_VER)-alpine
runtime: $(DOCKER_NS)/fabric-nodeenv:$(TWO_DIGIT_VERSION)
# List of directories to treat as external builders and launchers for
# chaincode. The external builder detection processing will iterate over the
# builders in the order specified below.
externalBuilders:
- name: ccaas_builder
path: /opt/hyperledger/ccaas_builder
propagateEnvironment:
- CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG
# copied into the /var persistent volume share by "network up"
- name: k8s_builder
path: /var/hyperledger/fabric/external_builders/k8s_builder
propagateEnvironment:
- CORE_PEER_ID
- FABRIC_K8S_BUILDER_OBJECT_NAME_PREFIX
- KUBERNETES_SERVICE_HOST
- KUBERNETES_SERVICE_PORT
# The maximum duration to wait for the chaincode build and install process
# to complete.
installTimeout: 300s
# Timeout duration for starting up a container and waiting for Register
# to come through.
startuptimeout: 300s
# Timeout duration for Invoke and Init calls to prevent runaway.
# This timeout is used by all chaincodes in all the channels, including
# system chaincodes.
# Note that during Invoke, if the image is not available (e.g. being
# cleaned up when in development environment), the peer will automatically
# build the image, which might take more time. In production environment,
# the chaincode image is unlikely to be deleted, so the timeout could be
# reduced accordingly.
executetimeout: 30s
# There are 2 modes: "dev" and "net".
# In dev mode, user runs the chaincode after starting peer from
# command line on local machine.
# In net mode, peer will run chaincode in a docker container.
mode: net
# keepalive in seconds. In situations where the communication goes through a
# proxy that does not support keep-alive, this parameter will maintain connection
# between peer and chaincode.
# A value <= 0 turns keepalive off
keepalive: 0
# enabled system chaincodes
system:
_lifecycle: enable
cscc: enable
lscc: enable
qscc: enable
# Logging section for the chaincode container
logging:
# Default level for all loggers within the chaincode container
level: info
# Override default level for the 'shim' logger
shim: warning
# Format for the chaincode container logs
format: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}'
###############################################################################
#
# Ledger section - ledger configuration encompasses both the blockchain
# and the state
#
###############################################################################
ledger:
blockchain:
state:
# stateDatabase - options are "goleveldb", "CouchDB"
# goleveldb - default state database stored in goleveldb.
# CouchDB - store state database in CouchDB
stateDatabase: goleveldb
# Limit on the number of records to return per query
totalQueryLimit: 100000
couchDBConfig:
# It is recommended to run CouchDB on the same server as the peer, and
# not map the CouchDB container port to a server port in docker-compose.
# Otherwise proper security must be provided on the connection between
# CouchDB client (on the peer) and server.
couchDBAddress: 127.0.0.1:5984
# This username must have read and write authority on CouchDB
username:
# The password is recommended to pass as an environment variable
# during start up (eg CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD).
# If it is stored here, the file must be access control protected
# to prevent unintended users from discovering the password.
password:
# Number of retries for CouchDB errors
maxRetries: 3
# Number of retries for CouchDB errors during peer startup.
# The delay between retries doubles for each attempt.
# Default of 10 retries results in 11 attempts over 2 minutes.
maxRetriesOnStartup: 10
# CouchDB request timeout (unit: duration, e.g. 20s)
requestTimeout: 35s
# Limit on the number of records per each CouchDB query
# Note that chaincode queries are only bound by totalQueryLimit.
# Internally the chaincode may execute multiple CouchDB queries,
# each of size internalQueryLimit.
internalQueryLimit: 1000
# Limit on the number of records per CouchDB bulk update batch
maxBatchUpdateSize: 1000
# Warm indexes after every N blocks.
# This option warms any indexes that have been
# deployed to CouchDB after every N blocks.
# A value of 1 will warm indexes after every block commit,
# to ensure fast selector queries.
# Increasing the value may improve write efficiency of peer and CouchDB,
# but may degrade query response time.
warmIndexesAfterNBlocks: 1
# Create the _global_changes system database
# This is optional. Creating the global changes database will require
# additional system resources to track changes and maintain the database
createGlobalChangesDB: false
# CacheSize denotes the maximum mega bytes (MB) to be allocated for the in-memory state
# cache. Note that CacheSize needs to be a multiple of 32 MB. If it is not a multiple
# of 32 MB, the peer would round the size to the next multiple of 32 MB.
# To disable the cache, 0 MB needs to be assigned to the cacheSize.
cacheSize: 64
history:
# enableHistoryDatabase - options are true or false
# Indicates if the history of key updates should be stored.
# All history 'index' will be stored in goleveldb, regardless if using
# CouchDB or alternate database for the state.
enableHistoryDatabase: true
pvtdataStore:
# the maximum db batch size for converting
# the ineligible missing data entries to eligible missing data entries
collElgProcMaxDbBatchSize: 5000
# the minimum duration (in milliseconds) between writing
# two consecutive db batches for converting the ineligible missing data entries to eligible missing data entries
collElgProcDbBatchesInterval: 1000
# The missing data entries are classified into two categories:
# (1) prioritized
# (2) deprioritized
# Initially, all missing data are in the prioritized list. When the
# reconciler is unable to fetch the missing data from other peers,
# the unreconciled missing data would be moved to the deprioritized list.
# The reconciler would retry deprioritized missing data after every
# deprioritizedDataReconcilerInterval (unit: minutes). Note that the
# interval needs to be greater than the reconcileSleepInterval
deprioritizedDataReconcilerInterval: 60m
snapshots:
# Path on the file system where peer will store ledger snapshots
rootDir: /var/hyperledger/production/snapshots
###############################################################################
#
# Operations section
#
###############################################################################
operations:
# host and port for the operations server
listenAddress: 127.0.0.1:9443
# TLS configuration for the operations endpoint
tls:
# TLS enabled
enabled: false
# path to PEM encoded server certificate for the operations server
cert:
file:
# path to PEM encoded server key for the operations server
key:
file:
# most operations service endpoints require client authentication when TLS
# is enabled. clientAuthRequired requires client certificate authentication
# at the TLS layer to access all resources.
clientAuthRequired: false
# paths to PEM encoded ca certificates to trust for client authentication
clientRootCAs:
files: []
###############################################################################
#
# Metrics section
#
###############################################################################
metrics:
# metrics provider is one of statsd, prometheus, or disabled
provider: disabled
# statsd configuration
statsd:
# network type: tcp or udp
network: udp
# statsd server address
address: 127.0.0.1:8125
# the interval at which locally cached counters and gauges are pushed
# to statsd; timings are pushed immediately
writeInterval: 10s
# prefix is prepended to all emitted statsd metrics
prefix:

506
test-network-k8s/config/org1/fabric-ca-server-config.yaml
View file

@ -1,506 +0,0 @@
#############################################################################
# This is a configuration file for the fabric-ca-server command.
#
# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
# ------------------------------------------------
# Each configuration element can be overridden via command line
# arguments or environment variables. The precedence for determining
# the value of each element is as follows:
# 1) command line argument
# Examples:
# a) --port 443
# To set the listening port
# b) --ca.keyfile ../mykey.pem
# To set the "keyfile" element in the "ca" section below;
# note the '.' separator character.
# 2) environment variable
# Examples:
# a) FABRIC_CA_SERVER_PORT=443
# To set the listening port
# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
# To set the "keyfile" element in the "ca" section below;
# note the '_' separator character.
# 3) configuration file
# 4) default value (if there is one)
# All default values are shown beside each element below.
#
# FILE NAME ELEMENTS
# ------------------
# The value of all fields whose name ends with "file" or "files" are
# name or names of other files.
# For example, see "tls.certfile" and "tls.clientauth.certfiles".
# The value of each of these fields can be a simple filename, a
# relative path, or an absolute path. If the value is not an
# absolute path, it is interpreted as being relative to the location
# of this configuration file.
#
#############################################################################
# Version of config file
version: 1.5.2
# Server's listening port (default: 7054)
port: 443
# Cross-Origin Resource Sharing (CORS)
cors:
enabled: false
origins:
- "*"
# Enables debug logging (default: false)
debug: false
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
#
# Certfiles is a list of root certificate authorities that the server uses
# when verifying client certificates.
#############################################################################
tls:
# Enable TLS (default: false)
enabled: true
# TLS for the server's listening port
certfile:
keyfile:
clientauth:
type: noclientcert
certfiles:
#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts) and transaction
# certificates (TCerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
# Name of this CA
name: org1-ca
# Key file (is only used to import a private key into BCCSP)
keyfile:
# Certificate file (default: ca-cert.pem)
certfile:
# Chain file
chainfile:
#############################################################################
# The gencrl REST endpoint is used to generate a CRL that contains revoked
# certificates. This section contains configuration options that are used
# during gencrl request processing.
#############################################################################
crl:
# Specifies expiration for the generated CRL. The number of hours
# specified by this property is added to the UTC time, the resulting time
# is used to set the 'Next Update' date of the CRL.
expiry: 24h
#############################################################################
# The registry section controls how the fabric-ca-server does two things:
# 1) authenticates enrollment requests which contain a username and password
# (also known as an enrollment ID and secret).
# 2) once authenticated, retrieves the identity's attribute names and
# values which the fabric-ca-server optionally puts into TCerts
# which it issues for transacting on the Hyperledger Fabric blockchain.
# These attributes are useful for making access control decisions in
# chaincode.
# There are two main configuration options:
# 1) The fabric-ca-server is the registry.
# This is true if "ldap.enabled" in the ldap section below is false.
# 2) An LDAP server is the registry, in which case the fabric-ca-server
# calls the LDAP server to perform these tasks.
# This is true if "ldap.enabled" in the ldap section below is true,
# which means this "registry" section is ignored.
#############################################################################
registry:
# Maximum number of times a password/secret can be reused for enrollment
# (default: -1, which means there is no limit)
maxenrollments: -1
# Contains identity information which is used when LDAP is disabled
identities:
- name: rcaadmin
pass: rcaadminpw
type: client
affiliation: ""
attrs:
hf.Registrar.Roles: "*"
hf.Registrar.DelegateRoles: "*"
hf.Revoker: true
hf.IntermediateCA: true
hf.GenCRL: true
hf.Registrar.Attributes: "*"
hf.AffiliationMgr: true
#############################################################################
# Database section
# Supported types are: "sqlite3", "postgres", and "mysql".
# The datasource value depends on the type.
# If the type is "sqlite3", the datasource value is a file name to use
# as the database store. Since "sqlite3" is an embedded database, it
# may not be used if you want to run the fabric-ca-server in a cluster.
# To run the fabric-ca-server in a cluster, you must choose "postgres"
# or "mysql".
#############################################################################
db:
type: sqlite3
datasource: fabric-ca-server.db
tls:
enabled: false
certfiles:
client:
certfile:
keyfile:
#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) authenticate enrollment ID and secret (i.e. username and password)
# for enrollment requests;
# 2) To retrieve identity attributes
#############################################################################
ldap:
# Enables or disables the LDAP client (default: false)
# If this is set to true, the "registry" section is ignored.
enabled: false
# The URL of the LDAP server
url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
# TLS configuration for the client connection to the LDAP server
tls:
certfiles:
client:
certfile:
keyfile:
# Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
attribute:
# 'names' is an array of strings containing the LDAP attribute names which are
# requested from the LDAP server for an LDAP identity's entry
names: ['uid','member']
# The 'converters' section is used to convert an LDAP entry to the value of
# a fabric CA attribute.
# For example, the following converts an LDAP 'uid' attribute
# whose value begins with 'revoker' to a fabric CA attribute
# named "hf.Revoker" with a value of "true" (because the boolean expression
# evaluates to true).
# converters:
# - name: hf.Revoker
# value: attr("uid") =~ "revoker*"
converters:
- name:
value:
# The 'maps' section contains named maps which may be referenced by the 'map'
# function in the 'converters' section to map LDAP responses to arbitrary values.
# For example, assume a user has an LDAP attribute named 'member' which has multiple
# values which are each a distinguished name (i.e. a DN). For simplicity, assume the
# values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
# Further assume the following configuration.
# converters:
# - name: hf.Registrar.Roles
# value: map(attr("member"),"groups")
# maps:
# groups:
# - name: dn1
# value: peer
# - name: dn2
# value: client
# The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
# "peer,client,dn3". This is because the value of 'attr("member")' is
# "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
# "group" replaces "dn1" with "peer" and "dn2" with "client".
maps:
groups:
- name:
value:
#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
# businessunit1:
# department1:
# - team1
# businessunit2:
# - department2
# - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
org1:
- department1
- department2
org2:
- department1
#############################################################################
# Signing section
#
# The "default" subsection is used to sign enrollment certificates;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
# The "ca" profile subsection is used to sign intermediate CA certificates;
# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
# Note that "isca" is true, meaning that it issues a CA certificate.
# A maxpathlen of 0 means that the intermediate CA cannot issue other
# intermediate CA certificates, though it can still issue end entity certificates.
# (See RFC 5280, section 4.2.1.9)
#
# The "tls" profile subsection is used to sign TLS certificate requests;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
default:
usage:
- digital signature
expiry: 8760h
profiles:
ca:
usage:
- cert sign
- crl sign
expiry: 43800h
caconstraint:
isca: true
maxpathlen: 0
tls:
usage:
- signing
- key encipherment
- server auth
- client auth
- key agreement
expiry: 8760h
###########################################################################
# Certificate Signing Request (CSR) section.
# This controls the creation of the root CA certificate.
# The expiration for the root CA certificate is configured with the
# "ca.expiry" field below, whose default value is "131400h" which is
# 15 years in hours.
# The pathlength field is used to limit CA certificate hierarchy as described
# in section 4.2.1.9 of RFC 5280.
# Examples:
# 1) No pathlength value means no limit is requested.
# 2) pathlength == 1 means a limit of 1 is requested which is the default for
# a root CA. This means the root CA can issue intermediate CA certificates,
# but these intermediate CAs may not in turn issue other CA certificates
# though they can still issue end entity certificates.
# 3) pathlength == 0 means a limit of 0 is requested;
# this is the default for an intermediate CA, which means it can not issue
# CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
cn: fabric-ca-server
keyrequest:
algo: ecdsa
size: 256
names:
- C: US
ST: "North Carolina"
L:
O: Hyperledger
OU: Fabric
hosts:
- localhost
- 127.0.0.1
- org1-ca
- org1-ca.${NS}.svc.cluster.local
ca:
expiry: 131400h
pathlength: 1
###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
# Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
# Idemix credential. The issuer will create a pool revocation handles of this specified size. When
# a credential is requested, issuer will get handle from the pool and assign it to the credential.
# Issuer will repopulate the pool with new handles when the last handle in the pool is used.
# A revocation handle and credential revocation information (CRI) are used to create non revocation proof
# by the prover to prove to the verifier that her credential is not revoked.
rhpoolsize: 1000
# The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
# and second step is send credential request that is constructed using the nonce to the issuer to
# request a credential. This configuration property specifies expiration for the nonces. By default is
# nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
nonceexpiration: 15s
# Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
# The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
noncesweepinterval: 15m
#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
default: SW
sw:
hash: SHA2
security: 256
filekeystore:
# The directory used for the software file-based keystore
keystore: msp/keystore
#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default. This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs. The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that, this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA. Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################
cacount:
cafiles:
#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
# 1) A single server process may contain or function as one or more CAs.
# This is configured by the "Multi CA section" above.
# 2) Each CA is either a root CA or an intermediate CA.
# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
# url - The URL of the parent server
# caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
# profile - Name of the signing profile to use in issuing the certificate
# label - Label to use in HSM operations
#
# tls section for secure socket connection
# certfiles - PEM-encoded list of trusted root certificate files
# client:
# certfile - PEM-encoded certificate file for when client authentication
# is enabled on server
# keyfile - PEM-encoded key file for when client authentication
# is enabled on server
#############################################################################
intermediate:
parentserver:
url:
caname:
enrollment:
hosts:
profile:
label:
tls:
certfiles:
client:
certfile:
keyfile:
#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts are allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity get
# locked out.
#############################################################################
cfg:
identities:
passwordattempts: 10
###############################################################################
#
# Operations section
#
###############################################################################
operations:
# host and port for the operations server
listenAddress: 127.0.0.1:9443
# TLS configuration for the operations endpoint
tls:
# TLS enabled
enabled: false
# path to PEM encoded server certificate for the operations server
cert:
file:
# path to PEM encoded server key for the operations server
key:
file:
# require client certificate authentication to access all resources
clientAuthRequired: false
# paths to PEM encoded ca certificates to trust for client authentication
clientRootCAs:
files: []
###############################################################################
#
# Metrics section
#
###############################################################################
metrics:
# statsd, prometheus, or disabled
provider: disabled
# statsd configuration
statsd:
# network type: tcp or udp
network: udp
# statsd server address
address: 127.0.0.1:8125
# the interval at which locally cached counters and gauges are pushed
# to statsd; timings are pushed immediately
writeInterval: 10s
# prefix is prepended to all emitted statsd metrics
prefix: server

766
test-network-k8s/config/org2/core.yaml
View file

@ -1,766 +0,0 @@
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
###############################################################################
#
# Peer section
#
###############################################################################
peer:
# The peer id provides a name for this peer instance and is used when
# naming docker resources.
id: jdoe
# The networkId allows for logical separation of networks and is used when
# naming docker resources.
networkId: dev
# The Address at local network interface this Peer will listen on.
# By default, it will listen on all network interfaces
listenAddress: 0.0.0.0:7051
# The endpoint this peer uses to listen for inbound chaincode connections.
# If this is commented-out, the listen address is selected to be
# the peer's address (see below) with port 7052
# chaincodeListenAddress: 0.0.0.0:7052
# The endpoint the chaincode for this peer uses to connect to the peer.
# If this is not specified, the chaincodeListenAddress address is selected.
# And if chaincodeListenAddress is not specified, address is selected from
# peer address (see below). If specified peer address is invalid then it
# will fallback to the auto detected IP (local IP) regardless of the peer
# addressAutoDetect value.
# chaincodeAddress: 0.0.0.0:7052
# When used as peer config, this represents the endpoint to other peers
# in the same organization. For peers in other organization, see
# gossip.externalEndpoint for more info.
# When used as CLI config, this means the peer's endpoint to interact with
address: 0.0.0.0:7051
# Whether the Peer should programmatically determine its address
# This case is useful for docker containers.
# When set to true, will override peer address.
addressAutoDetect: false
# Keepalive settings for peer server and clients
keepalive:
# Interval is the duration after which if the server does not see
# any activity from the client it pings the client to see if it's alive
interval: 7200s
# Timeout is the duration the server waits for a response
# from the client after sending a ping before closing the connection
timeout: 20s
# MinInterval is the minimum permitted time between client pings.
# If clients send pings more frequently, the peer server will
# disconnect them
minInterval: 60s
# Client keepalive settings for communicating with other peer nodes
client:
# Interval is the time between pings to peer nodes. This must
# greater than or equal to the minInterval specified by peer
# nodes
interval: 60s
# Timeout is the duration the client waits for a response from
# peer nodes before closing the connection
timeout: 20s
# DeliveryClient keepalive settings for communication with ordering
# nodes.
deliveryClient:
# Interval is the time between pings to ordering nodes. This must
# greater than or equal to the minInterval specified by ordering
# nodes.
interval: 60s
# Timeout is the duration the client waits for a response from
# ordering nodes before closing the connection
timeout: 20s
# Gossip related configuration
gossip:
# Bootstrap set to initialize gossip with.
# This is a list of other peers that this peer reaches out to at startup.
# Important: The endpoints here have to be endpoints of peers in the same
# organization, because the peer would refuse connecting to these endpoints
# unless they are in the same organization as the peer.
bootstrap: 127.0.0.1:7051
# NOTE: orgLeader and useLeaderElection parameters are mutual exclusive.
# Setting both to true would result in the termination of the peer
# since this is undefined state. If the peers are configured with
# useLeaderElection=false, make sure there is at least 1 peer in the
# organization that its orgLeader is set to true.
# Defines whenever peer will initialize dynamic algorithm for
# "leader" selection, where leader is the peer to establish
# connection with ordering service and use delivery protocol
# to pull ledger blocks from ordering service.
useLeaderElection: false
# Statically defines peer to be an organization "leader",
# where this means that current peer will maintain connection
# with ordering service and disseminate block across peers in
# its own organization. Multiple peers or all peers in an organization
# may be configured as org leaders, so that they all pull
# blocks directly from ordering service.
orgLeader: true
# Interval for membershipTracker polling
membershipTrackerInterval: 5s
# Overrides the endpoint that the peer publishes to peers
# in its organization. For peers in foreign organizations
# see 'externalEndpoint'
endpoint:
# Maximum count of blocks stored in memory
maxBlockCountToStore: 10
# Max time between consecutive message pushes(unit: millisecond)
maxPropagationBurstLatency: 10ms
# Max number of messages stored until a push is triggered to remote peers
maxPropagationBurstSize: 10
# Number of times a message is pushed to remote peers
propagateIterations: 1
# Number of peers selected to push messages to
propagatePeerNum: 3
# Determines frequency of pull phases(unit: second)
# Must be greater than digestWaitTime + responseWaitTime
pullInterval: 4s
# Number of peers to pull from
pullPeerNum: 3
# Determines frequency of pulling state info messages from peers(unit: second)
requestStateInfoInterval: 4s
# Determines frequency of pushing state info messages to peers(unit: second)
publishStateInfoInterval: 4s
# Maximum time a stateInfo message is kept until expired
stateInfoRetentionInterval:
# Time from startup certificates are included in Alive messages(unit: second)
publishCertPeriod: 10s
# Should we skip verifying block messages or not (currently not in use)
skipBlockVerification: false
# Dial timeout(unit: second)
dialTimeout: 3s
# Connection timeout(unit: second)
connTimeout: 2s
# Buffer size of received messages
recvBuffSize: 20
# Buffer size of sending messages
sendBuffSize: 200
# Time to wait before pull engine processes incoming digests (unit: second)
# Should be slightly smaller than requestWaitTime
digestWaitTime: 1s
# Time to wait before pull engine removes incoming nonce (unit: milliseconds)
# Should be slightly bigger than digestWaitTime
requestWaitTime: 1500ms
# Time to wait before pull engine ends pull (unit: second)
responseWaitTime: 2s
# Alive check interval(unit: second)
aliveTimeInterval: 5s
# Alive expiration timeout(unit: second)
aliveExpirationTimeout: 25s
# Reconnect interval(unit: second)
reconnectInterval: 25s
# Max number of attempts to connect to a peer
maxConnectionAttempts: 120
# Message expiration factor for alive messages
msgExpirationFactor: 20
# This is an endpoint that is published to peers outside of the organization.
# If this isn't set, the peer will not be known to other organizations.
externalEndpoint:
# Leader election service configuration
election:
# Longest time peer waits for stable membership during leader election startup (unit: second)
startupGracePeriod: 15s
# Interval gossip membership samples to check its stability (unit: second)
membershipSampleInterval: 1s
# Time passes since last declaration message before peer decides to perform leader election (unit: second)
leaderAliveThreshold: 10s
# Time between peer sends propose message and declares itself as a leader (sends declaration message) (unit: second)
leaderElectionDuration: 5s
pvtData:
# pullRetryThreshold determines the maximum duration of time private data corresponding for a given block
# would be attempted to be pulled from peers until the block would be committed without the private data
pullRetryThreshold: 60s
# As private data enters the transient store, it is associated with the peer's ledger's height at that time.
# transientstoreMaxBlockRetention defines the maximum difference between the current ledger's height upon commit,
# and the private data residing inside the transient store that is guaranteed not to be purged.
# Private data is purged from the transient store when blocks with sequences that are multiples
# of transientstoreMaxBlockRetention are committed.
transientstoreMaxBlockRetention: 1000
# pushAckTimeout is the maximum time to wait for an acknowledgement from each peer
# at private data push at endorsement time.
pushAckTimeout: 3s
# Block to live pulling margin, used as a buffer
# to prevent peer from trying to pull private data
# from peers that is soon to be purged in next N blocks.
# This helps a newly joined peer catch up to current
# blockchain height quicker.
btlPullMargin: 10
# the process of reconciliation is done in an endless loop, while in each iteration reconciler tries to
# pull from the other peers the most recent missing blocks with a maximum batch size limitation.
# reconcileBatchSize determines the maximum batch size of missing private data that will be reconciled in a
# single iteration.
reconcileBatchSize: 10
# reconcileSleepInterval determines the time reconciler sleeps from end of an iteration until the beginning
# of the next reconciliation iteration.
reconcileSleepInterval: 1m
# reconciliationEnabled is a flag that indicates whether private data reconciliation is enable or not.
reconciliationEnabled: true
# skipPullingInvalidTransactionsDuringCommit is a flag that indicates whether pulling of invalid
# transaction's private data from other peers need to be skipped during the commit time and pulled
# only through reconciler.
skipPullingInvalidTransactionsDuringCommit: false
# implicitCollectionDisseminationPolicy specifies the dissemination policy for the peer's own implicit collection.
# When a peer endorses a proposal that writes to its own implicit collection, below values override the default values
# for disseminating private data.
# Note that it is applicable to all channels the peer has joined. The implication is that requiredPeerCount has to
# be smaller than the number of peers in a channel that has the lowest numbers of peers from the organization.
implicitCollectionDisseminationPolicy:
# requiredPeerCount defines the minimum number of eligible peers to which the peer must successfully
# disseminate private data for its own implicit collection during endorsement. Default value is 0.
requiredPeerCount: 0
# maxPeerCount defines the maximum number of eligible peers to which the peer will attempt to
# disseminate private data for its own implicit collection during endorsement. Default value is 1.
maxPeerCount: 1
# Gossip state transfer related configuration
state:
# indicates whenever state transfer is enabled or not
# default value is true, i.e. state transfer is active
# and takes care to sync up missing blocks allowing
# lagging peer to catch up to speed with rest network.
# Keep in mind that when peer.gossip.useLeaderElection is true
# and there are several peers in the organization,
# or peer.gossip.useLeaderElection is false alongside with
# peer.gossip.orgleader being false, the peer's ledger may lag behind
# the rest of the peers and will never catch up due to state transfer
# being disabled.
enabled: false
# checkInterval interval to check whether peer is lagging behind enough to
# request blocks via state transfer from another peer.
checkInterval: 10s
# responseTimeout amount of time to wait for state transfer response from
# other peers
responseTimeout: 3s
# batchSize the number of blocks to request via state transfer from another peer
batchSize: 10
# blockBufferSize reflects the size of the re-ordering buffer
# which captures blocks and takes care to deliver them in order
# down to the ledger layer. The actual buffer size is bounded between
# 0 and 2*blockBufferSize, each channel maintains its own buffer
blockBufferSize: 20
# maxRetries maximum number of re-tries to ask
# for single state transfer request
maxRetries: 3
# TLS Settings
tls:
# Require server-side TLS
enabled: true
# Require client certificates / mutual TLS for inbound connections.
# Note that clients that are not configured to use a certificate will
# fail to connect to the peer.
clientAuthRequired: false
# X.509 certificate used for TLS server
cert:
file: tls/server.crt
# Private key used for TLS server
key:
file: tls/server.key
# rootcert.file represents the trusted root certificate chain used for verifying certificates
# of other nodes during outbound connections.
# It is not required to be set, but can be used to augment the set of TLS CA certificates
# available from the MSPs of each channels configuration.
rootcert:
file: tls/ca.crt
# If mutual TLS is enabled, clientRootCAs.files contains a list of additional root certificates
# used for verifying certificates of client connections.
# It augments the set of TLS CA certificates available from the MSPs of each channels configuration.
# Minimally, set your organization's TLS CA root certificate so that the peer can receive join channel requests.
clientRootCAs:
files:
- tls/ca.crt
# Private key used for TLS when making client connections.
# If not set, peer.tls.key.file will be used instead
clientKey:
file:
# X.509 certificate used for TLS when making client connections.
# If not set, peer.tls.cert.file will be used instead
clientCert:
file:
# Authentication contains configuration parameters related to authenticating
# client messages
authentication:
# the acceptable difference between the current server time and the
# client's time as specified in a client request message
timewindow: 15m
# Path on the file system where peer will store data (eg ledger). This
# location must be access control protected to prevent unintended
# modification that might corrupt the peer operations.
fileSystemPath: /var/hyperledger/production
# BCCSP (Blockchain crypto provider): Select which crypto implementation or
# library to use
BCCSP:
Default: SW
# Settings for the SW crypto provider (i.e. when DEFAULT: SW)
SW:
# TODO: The default Hash and Security level needs refactoring to be
# fully configurable. Changing these defaults requires coordination
# SHA2 is hardcoded in several places, not only BCCSP
Hash: SHA2
Security: 256
# Location of Key Store
FileKeyStore:
# If "", defaults to 'mspConfigPath'/keystore
KeyStore:
# Settings for the PKCS#11 crypto provider (i.e. when DEFAULT: PKCS11)
PKCS11:
# Location of the PKCS11 module library
Library:
# Token Label
Label:
# User PIN
Pin:
Hash:
Security:
# Path on the file system where peer will find MSP local configurations
mspConfigPath: msp
# Identifier of the local MSP
# ----!!!!IMPORTANT!!!-!!!IMPORTANT!!!-!!!IMPORTANT!!!!----
# Deployers need to change the value of the localMspId string.
# In particular, the name of the local MSP ID of a peer needs
# to match the name of one of the MSPs in each of the channel
# that this peer is a member of. Otherwise this peer's messages
# will not be identified as valid by other nodes.
localMspId: Org2MSP
# CLI common client config options
client:
# connection timeout
connTimeout: 10s
# Delivery service related config
deliveryclient:
# It sets the total time the delivery service may spend in reconnection
# attempts until its retry logic gives up and returns an error
reconnectTotalTimeThreshold: 3600s
# It sets the delivery service <-> ordering service node connection timeout
connTimeout: 10s
# It sets the delivery service maximal delay between consecutive retries
reConnectBackoffThreshold: 3600s
# A list of orderer endpoint addresses which should be overridden
# when found in channel configurations.
addressOverrides:
# - from:
# to:
# caCertsFile:
# - from:
# to:
# caCertsFile:
# Type for the local MSP - by default it's of type bccsp
localMspType: bccsp
# Used with Go profiling tools only in none production environment. In
# production, it should be disabled (eg enabled: false)
profile:
enabled: false
listenAddress: 0.0.0.0:6060
# Handlers defines custom handlers that can filter and mutate
# objects passing within the peer, such as:
# Auth filter - reject or forward proposals from clients
# Decorators - append or mutate the chaincode input passed to the chaincode
# Endorsers - Custom signing over proposal response payload and its mutation
# Valid handler definition contains:
# - A name which is a factory method name defined in
# core/handlers/library/library.go for statically compiled handlers
# - library path to shared object binary for pluggable filters
# Auth filters and decorators are chained and executed in the order that
# they are defined. For example:
# authFilters:
# -
# name: FilterOne
# library: /opt/lib/filter.so
# -
# name: FilterTwo
# decorators:
# -
# name: DecoratorOne
# -
# name: DecoratorTwo
# library: /opt/lib/decorator.so
# Endorsers are configured as a map that its keys are the endorsement system chaincodes that are being overridden.
# Below is an example that overrides the default ESCC and uses an endorsement plugin that has the same functionality
# as the default ESCC.
# If the 'library' property is missing, the name is used as the constructor method in the builtin library similar
# to auth filters and decorators.
# endorsers:
# escc:
# name: DefaultESCC
# library: /etc/hyperledger/fabric/plugin/escc.so
handlers:
authFilters:
-
name: DefaultAuth
-
name: ExpirationCheck # This filter checks identity x509 certificate expiration
decorators:
-
name: DefaultDecorator
endorsers:
escc:
name: DefaultEndorsement
library:
validators:
vscc:
name: DefaultValidation
library:
# library: /etc/hyperledger/fabric/plugin/escc.so
# Number of goroutines that will execute transaction validation in parallel.
# By default, the peer chooses the number of CPUs on the machine. Set this
# variable to override that choice.
# NOTE: overriding this value might negatively influence the performance of
# the peer so please change this value only if you know what you're doing
validatorPoolSize:
# The discovery service is used by clients to query information about peers,
# such as - which peers have joined a certain channel, what is the latest
# channel config, and most importantly - given a chaincode and a channel,
# what possible sets of peers satisfy the endorsement policy.
discovery:
enabled: true
# Whether the authentication cache is enabled or not.
authCacheEnabled: true
# The maximum size of the cache, after which a purge takes place
authCacheMaxSize: 1000
# The proportion (0 to 1) of entries that remain in the cache after the cache is purged due to overpopulation
authCachePurgeRetentionRatio: 0.75
# Whether to allow non-admins to perform non channel scoped queries.
# When this is false, it means that only peer admins can perform non channel scoped queries.
orgMembersAllowedAccess: false
# Limits is used to configure some internal resource limits.
limits:
# Concurrency limits the number of concurrently running requests to a service on each peer.
# Currently this option is only applied to endorser service and deliver service.
# When the property is missing or the value is 0, the concurrency limit is disabled for the service.
concurrency:
# endorserService limits concurrent requests to endorser service that handles chaincode deployment, query and invocation,
# including both user chaincodes and system chaincodes.
endorserService: 2500
# deliverService limits concurrent event listeners registered to deliver service for blocks and transaction events.
deliverService: 2500
###############################################################################
#
# VM section
#
###############################################################################
vm:
# Endpoint of the vm management system. For docker can be one of the following in general
# unix:///var/run/docker.sock
# http://localhost:2375
# https://localhost:2376
# endpoint: unix:///var/run/docker.sock
# settings for docker vms
docker:
tls:
enabled: false
ca:
file: docker/ca.crt
cert:
file: docker/tls.crt
key:
file: docker/tls.key
# Enables/disables the standard out/err from chaincode containers for
# debugging purposes
attachStdout: false
# Parameters on creating docker container.
# Container may be efficiently created using ipam & dns-server for cluster
# NetworkMode - sets the networking mode for the container. Supported
# standard values are: `host`(default),`bridge`,`ipvlan`,`none`.
# Dns - a list of DNS servers for the container to use.
# Note: `Privileged` `Binds` `Links` and `PortBindings` properties of
# Docker Host Config are not supported and will not be used if set.
# LogConfig - sets the logging driver (Type) and related options
# (Config) for Docker. For more info,
# https://docs.docker.com/engine/admin/logging/overview/
# Note: Set LogConfig using Environment Variables is not supported.
hostConfig:
NetworkMode: host
Dns:
# - 192.168.0.1
LogConfig:
Type: json-file
Config:
max-size: "50m"
max-file: "5"
Memory: 2147483648
###############################################################################
#
# Chaincode section
#
###############################################################################
chaincode:
# The id is used by the Chaincode stub to register the executing Chaincode
# ID with the Peer and is generally supplied through ENV variables
# the `path` form of ID is provided when installing the chaincode.
# The `name` is used for all other requests and can be any string.
id:
path:
name:
# Generic builder environment, suitable for most chaincode types
builder: $(DOCKER_NS)/fabric-ccenv:$(TWO_DIGIT_VERSION)
# Enables/disables force pulling of the base docker images (listed below)
# during user chaincode instantiation.
# Useful when using moving image tags (such as :latest)
pull: false
golang:
# golang will never need more than baseos
runtime: $(DOCKER_NS)/fabric-baseos:$(TWO_DIGIT_VERSION)
# whether or not golang chaincode should be linked dynamically
dynamicLink: false
java:
# This is an image based on java:openjdk-8 with addition compiler
# tools added for java shim layer packaging.
# This image is packed with shim layer libraries that are necessary
# for Java chaincode runtime.
runtime: $(DOCKER_NS)/fabric-javaenv:$(TWO_DIGIT_VERSION)
node:
# This is an image based on node:$(NODE_VER)-alpine
runtime: $(DOCKER_NS)/fabric-nodeenv:$(TWO_DIGIT_VERSION)
# List of directories to treat as external builders and launchers for
# chaincode. The external builder detection processing will iterate over the
# builders in the order specified below.
externalBuilders:
- name: ccaas_builder
path: /opt/hyperledger/ccaas_builder
propagateEnvironment:
- CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG
# copied into the /var persistent volume share by "network up"
- name: k8s_builder
path: /var/hyperledger/fabric/external_builders/k8s_builder
propagateEnvironment:
- CORE_PEER_ID
- FABRIC_K8S_BUILDER_OBJECT_NAME_PREFIX
- KUBERNETES_SERVICE_HOST
- KUBERNETES_SERVICE_PORT
# The maximum duration to wait for the chaincode build and install process
# to complete.
installTimeout: 300s
# Timeout duration for starting up a container and waiting for Register
# to come through.
startuptimeout: 300s
# Timeout duration for Invoke and Init calls to prevent runaway.
# This timeout is used by all chaincodes in all the channels, including
# system chaincodes.
# Note that during Invoke, if the image is not available (e.g. being
# cleaned up when in development environment), the peer will automatically
# build the image, which might take more time. In production environment,
# the chaincode image is unlikely to be deleted, so the timeout could be
# reduced accordingly.
executetimeout: 30s
# There are 2 modes: "dev" and "net".
# In dev mode, user runs the chaincode after starting peer from
# command line on local machine.
# In net mode, peer will run chaincode in a docker container.
mode: net
# keepalive in seconds. In situations where the communication goes through a
# proxy that does not support keep-alive, this parameter will maintain connection
# between peer and chaincode.
# A value <= 0 turns keepalive off
keepalive: 0
# enabled system chaincodes
system:
_lifecycle: enable
cscc: enable
lscc: enable
qscc: enable
# Logging section for the chaincode container
logging:
# Default level for all loggers within the chaincode container
level: info
# Override default level for the 'shim' logger
shim: warning
# Format for the chaincode container logs
format: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}'
###############################################################################
#
# Ledger section - ledger configuration encompasses both the blockchain
# and the state
#
###############################################################################
ledger:
blockchain:
state:
# stateDatabase - options are "goleveldb", "CouchDB"
# goleveldb - default state database stored in goleveldb.
# CouchDB - store state database in CouchDB
stateDatabase: goleveldb
# Limit on the number of records to return per query
totalQueryLimit: 100000
couchDBConfig:
# It is recommended to run CouchDB on the same server as the peer, and
# not map the CouchDB container port to a server port in docker-compose.
# Otherwise proper security must be provided on the connection between
# CouchDB client (on the peer) and server.
couchDBAddress: 127.0.0.1:5984
# This username must have read and write authority on CouchDB
username:
# The password is recommended to pass as an environment variable
# during start up (eg CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD).
# If it is stored here, the file must be access control protected
# to prevent unintended users from discovering the password.
password:
# Number of retries for CouchDB errors
maxRetries: 3
# Number of retries for CouchDB errors during peer startup.
# The delay between retries doubles for each attempt.
# Default of 10 retries results in 11 attempts over 2 minutes.
maxRetriesOnStartup: 10
# CouchDB request timeout (unit: duration, e.g. 20s)
requestTimeout: 35s
# Limit on the number of records per each CouchDB query
# Note that chaincode queries are only bound by totalQueryLimit.
# Internally the chaincode may execute multiple CouchDB queries,
# each of size internalQueryLimit.
internalQueryLimit: 1000
# Limit on the number of records per CouchDB bulk update batch
maxBatchUpdateSize: 1000
# Warm indexes after every N blocks.
# This option warms any indexes that have been
# deployed to CouchDB after every N blocks.
# A value of 1 will warm indexes after every block commit,
# to ensure fast selector queries.
# Increasing the value may improve write efficiency of peer and CouchDB,
# but may degrade query response time.
warmIndexesAfterNBlocks: 1
# Create the _global_changes system database
# This is optional. Creating the global changes database will require
# additional system resources to track changes and maintain the database
createGlobalChangesDB: false
# CacheSize denotes the maximum mega bytes (MB) to be allocated for the in-memory state
# cache. Note that CacheSize needs to be a multiple of 32 MB. If it is not a multiple
# of 32 MB, the peer would round the size to the next multiple of 32 MB.
# To disable the cache, 0 MB needs to be assigned to the cacheSize.
cacheSize: 64
history:
# enableHistoryDatabase - options are true or false
# Indicates if the history of key updates should be stored.
# All history 'index' will be stored in goleveldb, regardless if using
# CouchDB or alternate database for the state.
enableHistoryDatabase: true
pvtdataStore:
# the maximum db batch size for converting
# the ineligible missing data entries to eligible missing data entries
collElgProcMaxDbBatchSize: 5000
# the minimum duration (in milliseconds) between writing
# two consecutive db batches for converting the ineligible missing data entries to eligible missing data entries
collElgProcDbBatchesInterval: 1000
# The missing data entries are classified into two categories:
# (1) prioritized
# (2) deprioritized
# Initially, all missing data are in the prioritized list. When the
# reconciler is unable to fetch the missing data from other peers,
# the unreconciled missing data would be moved to the deprioritized list.
# The reconciler would retry deprioritized missing data after every
# deprioritizedDataReconcilerInterval (unit: minutes). Note that the
# interval needs to be greater than the reconcileSleepInterval
deprioritizedDataReconcilerInterval: 60m
snapshots:
# Path on the file system where peer will store ledger snapshots
rootDir: /var/hyperledger/production/snapshots
###############################################################################
#
# Operations section
#
###############################################################################
operations:
# host and port for the operations server
listenAddress: 127.0.0.1:9443
# TLS configuration for the operations endpoint
tls:
# TLS enabled
enabled: false
# path to PEM encoded server certificate for the operations server
cert:
file:
# path to PEM encoded server key for the operations server
key:
file:
# most operations service endpoints require client authentication when TLS
# is enabled. clientAuthRequired requires client certificate authentication
# at the TLS layer to access all resources.
clientAuthRequired: false
# paths to PEM encoded ca certificates to trust for client authentication
clientRootCAs:
files: []
###############################################################################
#
# Metrics section
#
###############################################################################
metrics:
# metrics provider is one of statsd, prometheus, or disabled
provider: disabled
# statsd configuration
statsd:
# network type: tcp or udp
network: udp
# statsd server address
address: 127.0.0.1:8125
# the interval at which locally cached counters and gauges are pushed
# to statsd; timings are pushed immediately
writeInterval: 10s
# prefix is prepended to all emitted statsd metrics
prefix:

506
test-network-k8s/config/org2/fabric-ca-server-config.yaml
View file

@ -1,506 +0,0 @@
#############################################################################
# This is a configuration file for the fabric-ca-server command.
#
# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
# ------------------------------------------------
# Each configuration element can be overridden via command line
# arguments or environment variables. The precedence for determining
# the value of each element is as follows:
# 1) command line argument
# Examples:
# a) --port 443
# To set the listening port
# b) --ca.keyfile ../mykey.pem
# To set the "keyfile" element in the "ca" section below;
# note the '.' separator character.
# 2) environment variable
# Examples:
# a) FABRIC_CA_SERVER_PORT=443
# To set the listening port
# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
# To set the "keyfile" element in the "ca" section below;
# note the '_' separator character.
# 3) configuration file
# 4) default value (if there is one)
# All default values are shown beside each element below.
#
# FILE NAME ELEMENTS
# ------------------
# The value of all fields whose name ends with "file" or "files" are
# name or names of other files.
# For example, see "tls.certfile" and "tls.clientauth.certfiles".
# The value of each of these fields can be a simple filename, a
# relative path, or an absolute path. If the value is not an
# absolute path, it is interpreted as being relative to the location
# of this configuration file.
#
#############################################################################
# Version of config file
version: 1.5.2
# Server's listening port (default: 7054)
port: 443
# Cross-Origin Resource Sharing (CORS)
cors:
enabled: false
origins:
- "*"
# Enables debug logging (default: false)
debug: false
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
#
# Certfiles is a list of root certificate authorities that the server uses
# when verifying client certificates.
#############################################################################
tls:
# Enable TLS (default: false)
enabled: true
# TLS for the server's listening port
certfile:
keyfile:
clientauth:
type: noclientcert
certfiles:
#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts) and transaction
# certificates (TCerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
# Name of this CA
name: org2-ca
# Key file (is only used to import a private key into BCCSP)
keyfile:
# Certificate file (default: ca-cert.pem)
certfile:
# Chain file
chainfile:
#############################################################################
# The gencrl REST endpoint is used to generate a CRL that contains revoked
# certificates. This section contains configuration options that are used
# during gencrl request processing.
#############################################################################
crl:
# Specifies expiration for the generated CRL. The number of hours
# specified by this property is added to the UTC time, the resulting time
# is used to set the 'Next Update' date of the CRL.
expiry: 24h
#############################################################################
# The registry section controls how the fabric-ca-server does two things:
# 1) authenticates enrollment requests which contain a username and password
# (also known as an enrollment ID and secret).
# 2) once authenticated, retrieves the identity's attribute names and
# values which the fabric-ca-server optionally puts into TCerts
# which it issues for transacting on the Hyperledger Fabric blockchain.
# These attributes are useful for making access control decisions in
# chaincode.
# There are two main configuration options:
# 1) The fabric-ca-server is the registry.
# This is true if "ldap.enabled" in the ldap section below is false.
# 2) An LDAP server is the registry, in which case the fabric-ca-server
# calls the LDAP server to perform these tasks.
# This is true if "ldap.enabled" in the ldap section below is true,
# which means this "registry" section is ignored.
#############################################################################
registry:
# Maximum number of times a password/secret can be reused for enrollment
# (default: -1, which means there is no limit)
maxenrollments: -1
# Contains identity information which is used when LDAP is disabled
identities:
- name: rcaadmin
pass: rcaadminpw
type: client
affiliation: ""
attrs:
hf.Registrar.Roles: "*"
hf.Registrar.DelegateRoles: "*"
hf.Revoker: true
hf.IntermediateCA: true
hf.GenCRL: true
hf.Registrar.Attributes: "*"
hf.AffiliationMgr: true
#############################################################################
# Database section
# Supported types are: "sqlite3", "postgres", and "mysql".
# The datasource value depends on the type.
# If the type is "sqlite3", the datasource value is a file name to use
# as the database store. Since "sqlite3" is an embedded database, it
# may not be used if you want to run the fabric-ca-server in a cluster.
# To run the fabric-ca-server in a cluster, you must choose "postgres"
# or "mysql".
#############################################################################
db:
type: sqlite3
datasource: fabric-ca-server.db
tls:
enabled: false
certfiles:
client:
certfile:
keyfile:
#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) authenticate enrollment ID and secret (i.e. username and password)
# for enrollment requests;
# 2) To retrieve identity attributes
#############################################################################
ldap:
# Enables or disables the LDAP client (default: false)
# If this is set to true, the "registry" section is ignored.
enabled: false
# The URL of the LDAP server
url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
# TLS configuration for the client connection to the LDAP server
tls:
certfiles:
client:
certfile:
keyfile:
# Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
attribute:
# 'names' is an array of strings containing the LDAP attribute names which are
# requested from the LDAP server for an LDAP identity's entry
names: ['uid','member']
# The 'converters' section is used to convert an LDAP entry to the value of
# a fabric CA attribute.
# For example, the following converts an LDAP 'uid' attribute
# whose value begins with 'revoker' to a fabric CA attribute
# named "hf.Revoker" with a value of "true" (because the boolean expression
# evaluates to true).
# converters:
# - name: hf.Revoker
# value: attr("uid") =~ "revoker*"
converters:
- name:
value:
# The 'maps' section contains named maps which may be referenced by the 'map'
# function in the 'converters' section to map LDAP responses to arbitrary values.
# For example, assume a user has an LDAP attribute named 'member' which has multiple
# values which are each a distinguished name (i.e. a DN). For simplicity, assume the
# values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
# Further assume the following configuration.
# converters:
# - name: hf.Registrar.Roles
# value: map(attr("member"),"groups")
# maps:
# groups:
# - name: dn1
# value: peer
# - name: dn2
# value: client
# The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
# "peer,client,dn3". This is because the value of 'attr("member")' is
# "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
# "group" replaces "dn1" with "peer" and "dn2" with "client".
maps:
groups:
- name:
value:
#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
# businessunit1:
# department1:
# - team1
# businessunit2:
# - department2
# - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
org1:
- department1
- department2
org2:
- department1
#############################################################################
# Signing section
#
# The "default" subsection is used to sign enrollment certificates;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
# The "ca" profile subsection is used to sign intermediate CA certificates;
# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
# Note that "isca" is true, meaning that it issues a CA certificate.
# A maxpathlen of 0 means that the intermediate CA cannot issue other
# intermediate CA certificates, though it can still issue end entity certificates.
# (See RFC 5280, section 4.2.1.9)
#
# The "tls" profile subsection is used to sign TLS certificate requests;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
default:
usage:
- digital signature
expiry: 8760h
profiles:
ca:
usage:
- cert sign
- crl sign
expiry: 43800h
caconstraint:
isca: true
maxpathlen: 0
tls:
usage:
- signing
- key encipherment
- server auth
- client auth
- key agreement
expiry: 8760h
###########################################################################
# Certificate Signing Request (CSR) section.
# This controls the creation of the root CA certificate.
# The expiration for the root CA certificate is configured with the
# "ca.expiry" field below, whose default value is "131400h" which is
# 15 years in hours.
# The pathlength field is used to limit CA certificate hierarchy as described
# in section 4.2.1.9 of RFC 5280.
# Examples:
# 1) No pathlength value means no limit is requested.
# 2) pathlength == 1 means a limit of 1 is requested which is the default for
# a root CA. This means the root CA can issue intermediate CA certificates,
# but these intermediate CAs may not in turn issue other CA certificates
# though they can still issue end entity certificates.
# 3) pathlength == 0 means a limit of 0 is requested;
# this is the default for an intermediate CA, which means it can not issue
# CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
cn: fabric-ca-server
keyrequest:
algo: ecdsa
size: 256
names:
- C: US
ST: "North Carolina"
L:
O: Hyperledger
OU: Fabric
hosts:
- localhost
- 127.0.0.1
- org2-ca
- org2-ca.${NS}.svc.cluster.local
ca:
expiry: 131400h
pathlength: 1
###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
# Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
# Idemix credential. The issuer will create a pool revocation handles of this specified size. When
# a credential is requested, issuer will get handle from the pool and assign it to the credential.
# Issuer will repopulate the pool with new handles when the last handle in the pool is used.
# A revocation handle and credential revocation information (CRI) are used to create non revocation proof
# by the prover to prove to the verifier that her credential is not revoked.
rhpoolsize: 1000
# The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
# and second step is send credential request that is constructed using the nonce to the issuer to
# request a credential. This configuration property specifies expiration for the nonces. By default is
# nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
nonceexpiration: 15s
# Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
# The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
noncesweepinterval: 15m
#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
default: SW
sw:
hash: SHA2
security: 256
filekeystore:
# The directory used for the software file-based keystore
keystore: msp/keystore
#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default. This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs. The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that, this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA. Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################
cacount:
cafiles:
#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
# 1) A single server process may contain or function as one or more CAs.
# This is configured by the "Multi CA section" above.
# 2) Each CA is either a root CA or an intermediate CA.
# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
# url - The URL of the parent server
# caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
# profile - Name of the signing profile to use in issuing the certificate
# label - Label to use in HSM operations
#
# tls section for secure socket connection
# certfiles - PEM-encoded list of trusted root certificate files
# client:
# certfile - PEM-encoded certificate file for when client authentication
# is enabled on server
# keyfile - PEM-encoded key file for when client authentication
# is enabled on server
#############################################################################
intermediate:
parentserver:
url:
caname:
enrollment:
hosts:
profile:
label:
tls:
certfiles:
client:
certfile:
keyfile:
#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts are allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity get
# locked out.
#############################################################################
cfg:
identities:
passwordattempts: 10
###############################################################################
#
# Operations section
#
###############################################################################
operations:
# host and port for the operations server
listenAddress: 127.0.0.1:9443
# TLS configuration for the operations endpoint
tls:
# TLS enabled
enabled: false
# path to PEM encoded server certificate for the operations server
cert:
file:
# path to PEM encoded server key for the operations server
key:
file:
# require client certificate authentication to access all resources
clientAuthRequired: false
# paths to PEM encoded ca certificates to trust for client authentication
clientRootCAs:
files: []
###############################################################################
#
# Metrics section
#
###############################################################################
metrics:
# statsd, prometheus, or disabled
provider: disabled
# statsd configuration
statsd:
# network type: tcp or udp
network: udp
# statsd server address
address: 127.0.0.1:8125
# the interval at which locally cached counters and gauges are pushed
# to statsd; timings are pushed immediately
writeInterval: 10s
# prefix is prepended to all emitted statsd metrics
prefix: server

106
test-network-k8s/docs/APPLICATIONS.md
View file

@ -1,106 +0,0 @@
# Working with Applications
## TL/DR:
```shell
$ ./network rest-easy
Launching fabric-rest-sample application:
✅ - Ensuring fabric-rest-sample image ...
✅ - Constructing fabric-rest-sample connection profiles ...
✅ - Starting fabric-rest-sample ...
The fabric-rest-sample has started. See https://github.com/hyperledger/fabric-samples/tree/main/asset-transfer-basic/rest-api-typescript for additional usage.
To access the endpoint:
export SAMPLE_APIKEY=97834158-3224-4CE7-95F9-A148C886653E
curl -s --header "X-Api-Key: ${SAMPLE_APIKEY}" http://localhost/api/assets
🏁 - Fabric REST sample is ready.
```
```shell
$ export SAMPLE_APIKEY=97834158-3224-4CE7-95F9-A148C886653E
$ ./network chaincode invoke asset-transfer-basic '{"Args":["CreateAsset","1","blue","35","tom","1000"]}'
$ curl -s --header "X-Api-Key: ${SAMPLE_APIKEY}" http://fabric-rest-sample.localho.st/api/assets | jq
[
{
"Key": "1",
"Record": {
"ID": "1",
"color": "blue",
"size": 35,
"owner": "tom",
"appraisedValue": 1000
}
}
]
$ open https://github.com/hyperledger/fabric-samples/tree/main/asset-transfer-basic/rest-api-typescript
```
## Guide for Gateway Client Applications
TODO: this section is a work-in-progress.
### EXTERNAL Gateway Client (localhost)
For certain development scenarios, it is advantageous to run a Gateway Client externally, using a bridge
or port forward to access services running behind the veil of Kubernetes networking. For instance, during active
development we can run a Gateway Client under the microscope of an IDE / debugger, on a local system, connected
to a remote network as if it were running resident within the Kube. As the system is developed (bugs addressed, etc.),
the application author can transition the updated routines into Docker containers, verify locally, and push
into the container registry for validation within the Kubernetes network.
Here is a brief overview of the steps necessary to run EXTERNAL gateway applications:
1. Open a TCP port forward from the local host to a targeted peer:
```shell
kubectl -n test-network port-forward svc/org1-peer1 7051:7051
```
2. Add "mock DNS" records to /etc/hosts for TLS host validation:
```shell
127.0.0.1 org1-peer1
```
3. Configure the gateway client to connect to `org1-peer1:7051`, or the kube TCP port forward.
4. Launch the gateway client application locally, e.g. in a docker container or attached to an IDE.
5. Update this guide with feedback, recipes, and stories of successful client development on Kube/KIND.
### INTERNAL Gateway Client (In Kube)
#### TODO: Deploy
```shell
./network application ACTION
```
#### Local Container Registry
Docker images built locally can be uploaded to the `localhost:5000` container registry for
immediate access within the Kube/KIND cluster. In addition to providing fast turn-around to/from containers
running in Kube, the use of a private container registry allows us to quickly iterate on code without uploading
images to the Internet. Even when using _private_ container registries, the use of a local server saves valuable
time when loading images into the kind control plane.
e.g.:
```shell
docker build -t localhost:5000/my-gateway-app .
docker push localhost:5000/my-gateway-app
```
Provided that the `imagePullPolicy` for the client deployment is not set to `IfNotPresent`, killing the current pod
running the gateway client will force a refresh with the latest image layer available at the local registry.
#### Aggregating MSP and Certificates
#### Deploying to the Namespace

198
test-network-k8s/docs/CA.md
View file

@ -1,198 +0,0 @@
# Certificate Authorities
This guide serves as a companion to the [Fabric CA Deployment Guide](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy.html),
the definitive reference for planning, configuring, and managing CAs within a production Hyperledger Fabric installation.
For individual fabric nodes to communicate securely over a network, all interactions are performed over secure sockets
with (at a minimum) server side TLS certificate verification. In addition, for the individual participants of a Fabric
network to interact with the blockchain, the participant identities and activities are verified against an Enrollment
Certificate or 'ECert' authority.
In this document we'll outline the key aspects of bootstrapping test network TLS and ECert CAs, registration and
enrollment of node identities, and address some effective strategies for storage and organization of channel and
node local MSP data structures.
### TL/DR :
```shell
$ ./network up
Launching network "test-network":
...
✅ - Initializing TLS certificate Issuers ...
✅ - Launching Fabric CAs ...
✅ - Enrolling bootstrap ECert CA users ...
...
🏁 - Network is ready.
```
## [Planning for a CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy-topology.html#planning-for-a-ca)
Setting up a CA framework is one of the more daunting aspects of a Fabric installation. There is an incredible amount
of flexibility possible with the Fabric CA architecture, so to keep things straightforward we have opted to aim for a
simplified, but realistic CA deployment illustrating key touch points with Kubernetes:
- Each organization maintains distinct, [independent volumes](../kube/pv-fabric-org0.yaml) for the storage of MSP and
node certificates. This forces the consortium organizer to plan for the distribution of _public_ certificates to
member organizations, while maintaining an independent, secret storage location for _private_ signing keys.
- This guide simplifies the storage and organization of Fabric certificates into two distinct flows. For securing
inter-node communication with TLS, [cert-manager](https://cert-manager.io) is responsible for the lifecycle of issuing,
renewing, and revoking SSL certificates and keys as native Kubernetes `Certificate` resources. Complementing the
SSL certificate lifecycle is a set of fabric-CAs responsible for fulfilling Fabric [ECert](../kube/org0/org0-ca.yaml)
Enrollments and identities.
- MSP Certificate organization and [Folder Structure](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html#folder-structure-for-your-org-and-node-admin-identities)
strictly adheres to the best practices and guidelines recommended by the CA Deployment Guide.
- The `cryptogen` anti-pattern is **strictly forbidden**. All MSP enrollments are constructed using the CA
registration and enrollment REST services, coordinated by calls to `fabric-ca-client`. At runtime, the ca-client
ONLY has visibility to the organization's shared volume mount.
- TLS Certificates are stored and organized within the cluster as a series of `Certificate` resources with associated
Kube `Secret` and volume mounts. Service pods mount the node TLS key pair and CA certificate at `/var/hyperledger/fabric/config/tls`.
Each organization in the network maintains an independent [CA `Issuer`](https://cert-manager.io/docs/configuration/ca/)
endorsed by a system-wide, self-signed root CA.
- Each organization in the network maintains an independent fabric CA instance, with configuration and certificates
stored in each org's persistent volume at `/var/hyperledger/fabric-ca-server`.
- fabric-ca-client configuration and certificates are maintained in each org's persistent volume at `/var/hyperledger/fabric-ca-client`
- ECert and MSP enrollment structures are maintained in each org's persistent volume at `/var/hyperledger/fabric/organizations`
### Future Enhancements:
- **_Bring your own Certificates_** : It would be nice to bootstrap the network using a single, top-level signing authority,
rather than generating self-signed certificates when the system is bootstrapped. Ideally this will be realized by
introducing an [Intermediate CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy-topology.html#when-would-i-want-an-intermediate-ca)
and/or alternate signing chains backed by formal (e.g. letsencrypt, Thawte, Verisign, etc.) certificate authorities.
- **_Time-Bomb Certificates_** : By default the certificates issued by the test network are valid for 1 (one) year. For
lightweight or adhoc testing, this is fine. But when applied to production deployments, certificate expiry is a
real operational challenge. For instance, it is possible to soft-lock a Fabric network when all system certificates
expire _en-masse_ - it's impossible to re-establish a consensus and renew the certificates!
- **_Mutual TLS_** : Server-side TLS is a minimum, but the addition of client-side TLS certificates will help fully
secure all TCP channels within the Fabric network.
- **_Bugs_** : `./network up` currently goes through the process of bootstrapping a fabric network from scratch, but
does not handle "multiple runs" or the complete course of errors that can occur in the wild. For instance, If the
routine is run multiple times in succession, it will overwrite the network's certificate chains and soft-lock the
network.
## [Process Overview](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#)
The [sequence of activities](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#what-order-should-i-deploy-the-cas)
necessary to bring up a CA infrastructure is well documented by the CA Deployment Guide:
1. [Deploy TLS CA Issuers](#deploy-tls-ca-issuers)
1. [Deploy the Organization CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#deploy-an-organization-ca)
1. [Configure the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#modify-the-ca-server-configuration)
1. [Launch the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#start-the-ca-server)
1. [Enroll the ECert CA Bootstrap / Admin User](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-the-ca-admin)
## Deploy TLS CA Issuers
```
✅ - Initializing TLS certificate Issuers ...
...
```
The Kubernetes Test Network relies on [cert-manager](https://cert-manager.io) to issue, renew, and revoke TLS
certificates for network endpoints. Before launching peers, orderers, and chaincode pods, each node must
have a corresponding [`Certificate`](https://cert-manager.io/docs/usage/certificate/) generated by a cert manager [CA
`Issuer`](https://cert-manager.io/docs/configuration/ca/), stored in Kubernetes and exposed as a kube `Secret` at
runtime.
In the test network, the root TLS certificate is automatically generated by requesting a self-signed ECDSA key pair.
In turn, the root key is used to create a series of CA `Issuers`, one per member organization participating in the
blockchain:
```
# Use the self-signing issuer to generate three Issuers, one for each org:
kubectl -n test-network apply -f kube/org0/org0-tls-cert-issuer.yaml
kubectl -n test-network apply -f kube/org1/org1-tls-cert-issuer.yaml
kubectl -n test-network apply -f kube/org2/org2-tls-cert-issuer.yaml
```
Each organization's CA `Issuer` will be used to construct a TLS `Certificate` for each node in the network. At
runtime, the deployment pods will mount the certificate contents (`tls.key`, `tls.pem`, and `ca.pem`) as a kube
secrets mounted at `/var/hyperledger/fabric/config/tls`.
## [Deploy the Organization CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#deploy-an-organization-ca)
The organization (ECert) CA is used to issue MSP certificates for nodes, channels, and identities in the fabric network.
Before we can set up the peers, orderers, and channels, we will need to bootstrap an ECert CA administrator
for each org in the network.
### [Configure the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#modify-the-ca-server-configuration)
When launching the ECert CA pods, both the org volume shares and org config maps are made available via volume shares.
The [fabric-ecert-ca-server.yaml](../config/org0/fabric-ca-server-config.yaml) includes overrides for:
- `port: 443` binds all traffic to the default HTTPS port
- `tls.enabled: true` enables TLS for registration and enrollment requests
- `ca.name: <service-name>` matches the Kubernetes `Service` host alias
- `csr.hosts:` includes host aliases for accessing the CA with Kube DNS
### [Launch the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#start-the-ca-server)
```shell
✅ - Launching ECert CAs ...
```
```shell
kubectl -n test-network apply -f kube/org0/org0-ca.yaml
kubectl -n test-network apply -f kube/org1/org1-ca.yaml
kubectl -n test-network apply -f kube/org2/org2-ca.yaml
```
- [x] Note: The `rcaadmin` enrollment's `cert.pem` and `key.pem` locations are specified in the ecert CA's k8s deployment as environment variables.
### [Enroll the ECert CA Bootstrap / Admin User](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-the-ca-admin)
```shell
✅ - Enrolling bootstrap ECert CA users ...
```
Finally, after the services are active, we can connect to each organization's ECert CA using TLS and
activate the `rcaadmin` (Root Certificate Authority) admin user. This user will be employed to generate the
local MSP certificate structure for all of the nodes in our test network.
```shell
fabric-ca-client enroll \
--url https://'${auth}'@'${ecert_ca}' \
--tls.certfiles /var/hyperledger/fabric/config/tls/ca.pem \
--mspdir $FABRIC_CA_CLIENT_HOME/'${ecert_ca}'/rcaadmin/msp
```
## Next Steps :
After the CAs have been deployed, each org in the Kube namespace includes:
- One TLS CA `Issuer` and issuer `Certificate`
- One ECert CA `Service`, forwarding internal traffic from https://orgN-ecert-ca to the ECert CA
- One ECert CA `Deployment`
- One ECert CA `Pod`
- One ECert CA admin bootstrap user `rcaadmin` enrollment and MSP root certificate.
### [Launch the Test Network...](TEST_NETWORK.md)

205
test-network-k8s/docs/CALIPER.md
View file

@ -1,205 +0,0 @@
# Benchmarking the performance using Hyperledger Caliper
This document introduces how to use [Hyperledger Caliper](https://hyperledger.github.io/caliper/) to benchmark the performance of the Hyperledger Fabric environment created with test-network-k8s.
[Fabric adapter manual of Hyperledger Caliper v0.6.0](https://hyperledger.github.io/caliper/v0.6.0/fabric-config/new/) only describes how to connect to test-network. Furthermore, these chaincodes need to be executed as services to run in a K8s environment, but this is not supported by default, requiring customization. So we will explain how to benchmark the performance of the Kubernetes test network using Hyperledger Caliper and Asset Transfer Basic chaincode, which is most basic in current sample chaincodes.
The following documentation assumes that test-network-k8s and Hyperledger Caliper v0.6.0 are located on the same host.
## Setting of test-network-k8s side
As described in the README of test-network-k8s, launch the network, create a channel, and deploy and invoke the basic-asset-transfer smart contract:
```shell
./network kind
./network cluster init
./network up
./network channel create
./network chaincode deploy asset-transfer-basic ../asset-transfer-basic/chaincode-java
./network chaincode invoke asset-transfer-basic '{"Args":["InitLedger"]}'
```
REST API will not be used in the procedure described below, but the connection profile will be generated by launching it:
```shell
./network rest-easy
```
## Setting of Hyperledger Caliper side
Following [Install manual of Hyperledger Caliper v0.6.0](https://hyperledger.github.io/caliper/v0.6.0/installing-caliper/), install Hyperledger Caliper from npm:
```shell
git clone https://github.com/hyperledger/caliper-benchmarks.git
cd caliper-benchmarks
npm install --only=prod @hyperledger/caliper-cli@0.6.0
npx caliper bind --caliper-bind-sut fabric:fabric-gateway
```
Copy the connection profile created in test-network-k8s environment to Caliper environment.
```shell
cp <fabric-samples install dir>/test-network-k8s/build/fabric-rest-sample-config/HLF_CONNECTION_PROFILE_ORG1 networks/fabric/connection-profile.json
```
Replace `*.test-network.svc.cluster.local` with `*.localho.st` in "url" and "grpcOptions" section of connection-profile.json as below:
```json
"peers": {
"org1-peers": {
"url": "grpcs://org1-peer1.localho.st:443",
"tlsCACerts": {
"pem": <contents of pem file>"
},
"grpcOptions": {
"ssl-target-name-override": "org1-peer1.localho.st",
"hostnameOverride": "org1-peer1.localho.st"
}
}
},
```
`*.localho.st` is wildcard domain defined for accessing K8s pod from external network via Nginx ingress controller. Please see [Working with Kubernetes](KUBERNETES.md) document for details.
Open networks/fabric/test-network.yaml and edit it as below:
```yaml
name: Caliper Benchmarks
version: "2.0.0"
caliper:
blockchain: fabric
channels:
# channelName of mychannel matches the name of the channel created by test network
- channelName: mychannel
# the chaincodeIDs of all the fabric chaincodes in caliper-benchmarks
contracts:
- id: fabcar
- id: fixed-asset
- id: marbles
- id: simple
- id: smallbank
- id: asset-transfer-basic
organizations:
- mspid: Org1MSP
# Identities come from cryptogen created material for test-network
identities:
certificates:
- name: 'User1'
clientPrivateKey:
path: '<fabric-samples install absolute dir>/test-network-k8s/build/enrollments/org1/users/org1admin/msp/keystore/key.pem'
clientSignedCert:
path: '<fabric-samples install absolute dir>/test-network-k8s/build/enrollments/org1/users/org1admin/msp/signcerts/cert.pem'
connectionProfile:
path: 'networks/fabric/connection-profile.json'
discover: true
```
Currently, sample code for running a performance benchmark targeting asset-transfer-basic is not published on the Caliper repository. Therefore, use the sample code published in [Caliper's user manual to build a test workload.](https://hyperledger.github.io/caliper/vNext/fabric-tutorial/tutorials-fabric-existing/)
As shown in "Step 3" of the above document, create workload/readAsset.js file and edit it as below:
```javascript
'use strict';
const { WorkloadModuleBase } = require('@hyperledger/caliper-core');
class MyWorkload extends WorkloadModuleBase {
constructor() {
super();
}
async initializeWorkloadModule(workerIndex, totalWorkers, roundIndex, roundArguments, sutAdapter, sutContext) {
await super.initializeWorkloadModule(workerIndex, totalWorkers, roundIndex, roundArguments, sutAdapter, sutContext);
for (let i=0; i<this.roundArguments.assets; i++) {
const assetID = `${this.workerIndex}_${i}`;
console.log(`Worker ${this.workerIndex}: Creating asset ${assetID}`);
const request = {
contractId: this.roundArguments.contractId,
contractFunction: 'CreateAsset',
invokerIdentity: 'User1',
contractArguments: [assetID,'blue','20','penguin','500'],
readOnly: false
};
await this.sutAdapter.sendRequests(request);
}
}
async submitTransaction() {
const randomId = Math.floor(Math.random()*this.roundArguments.assets);
const myArgs = {
contractId: this.roundArguments.contractId,
contractFunction: 'ReadAsset',
invokerIdentity: 'User1',
contractArguments: [`${this.workerIndex}_${randomId}`],
readOnly: true
};
await this.sutAdapter.sendRequests(myArgs);
}
async cleanupWorkloadModule() {
for (let i=0; i<this.roundArguments.assets; i++) {
const assetID = `${this.workerIndex}_${i}`;
console.log(`Worker ${this.workerIndex}: Deleting asset ${assetID}`);
const request = {
contractId: this.roundArguments.contractId,
contractFunction: 'DeleteAsset',
invokerIdentity: 'User1',
contractArguments: [assetID],
readOnly: false
};
await this.sutAdapter.sendRequests(request);
}
}
}
function createWorkloadModule() {
return new MyWorkload();
}
module.exports.createWorkloadModule = createWorkloadModule;
```
As shown in "Step 4" of the above document, create benchmarks/myAssetBenchmark.yaml file and edit it as below:
```yaml
test:
name: basic-contract-benchmark
description: test benchmark
workers:
number: 2
rounds:
- label: readAsset
description: Read asset benchmark
txDuration: 30
rateControl:
type: fixed-load
opts:
transactionLoad: 2
workload:
module: workload/readAsset.js
arguments:
assets: 10
contractId: asset-transfer-basic
```
After creating the above files, you can run a performance benchmark with the following command, which will create some assets and measure the time it takes to reference the assets.
```shell
npx caliper launch manager --caliper-workspace . --caliper-benchconfig benchmarks/myAssetBenchmark.yaml --caliper-networkconfig networks/fabric/test-network.yaml
```

217
test-network-k8s/docs/CHAINCODE.md
View file

@ -1,217 +0,0 @@
# Working with Chaincode
In this guide we will launch the Asset Transfer Basic chaincode "as a service" on the Kubernetes test network.
In addition, we will demonstrate how to connect the test network to a chaincode process running on your local
machine as a local binary, attached in an IDE debugger, or in a Docker container.
## TL/DR :
```shell
$ ./network chaincode deploy asset-transfer-basic ../asset-transfer-basic/chaincode-java
Deploying chaincode
✅ - Building chaincode image asset-transfer-basic ...
✅ - Publishing chaincode image localhost:5000/asset-transfer-basic ...
✅ - Packaging ccaas chaincode asset-transfer-basic ...
✅ - Launching chaincode container "localhost:5000/asset-transfer-basic" ...
✅ - Launching chaincode container "localhost:5000/asset-transfer-basic" ...
✅ - Installing chaincode for org org1 peer peer1 ...
✅ - Installing chaincode for org org1 peer peer2 ...
✅ - Approving chaincode asset-transfer-basic with ID asset-transfer-basic:eb972467417ca827115c3a6a2629fc14e18741c0613a2a0a78290e3b643a50 ...
✅ - Committing chaincode asset-transfer-basic ...
🏁 - Chaincode is ready.
```
```shell
$ ./network chaincode invoke asset-transfer-basic '{"Args":["CreateAsset","1","blue","35","tom","1000"]}'
2022-06-23 06:12:13.150 UTC 0001 INFO [chaincodeCmd] chaincodeInvokeOrQuery -> Chaincode invoke successful. result: status:200 payload:"{\"owner\":\"tom\",\"color\":\"blue\",\"size\":35,\"appraisedValue\":1000,\"assetID\":\"1\"}"
$ ./network chaincode query asset-transfer-basic '{"Args":["ReadAsset","1"]}' | jq
{
"ID": "1",
"color": "blue",
"size": 35,
"owner": "tom",
"appraisedValue": 1000
}
```
## Running Smart Contracts on Kubernetes
In the Kubernetes Test Network, smart contracts are developed with the [Chaincode as a Service](https://hyperledger-fabric.readthedocs.io/en/latest/cc_service.html)
pattern, relying on an embedded [External Builder](https://hyperledger-fabric.readthedocs.io/en/latest/cc_launcher.html) to avoid the use of a Docker daemon. With
Chaincode-as-a-Service, smart contracts are deployed to Kubernetes as `Services`,
`Deployments`, and `Pods`. When invoking smart contracts, the Peer network connects to the grpc receiver
through the port exposed by the chaincode's Kube `Service` as described in the chaincode
connection.json.
Before installing chaincode to the network, a smart contract must:
- Utilize the `ChaincodeServer` grpc receiver, as described in the [Fabric Operations
Guide](https://hyperledger-fabric.readthedocs.io/en/latest/cc_service.html#writing-chaincode-to-run-as-an-external-service).
- Run as a Docker image published to a container registry.
- Maintain a connection.json and metadata.json files in the `chaincode/$CHAINCODE_NAME` folder.
- Accept the `CHAINCODE_ID` environment variable: _CHAINCODE_LABEL:sha_256(chaincode.tar.gz)_.
## Deploying Chaincode to the Network
```shell
✅ - Packaging chaincode "asset-transfer-basic" archive ...
✅ - Deploying chaincode "asset-transfer-basic" for org org1 ...
```
When working with chaincode, the `./network` script includes two parameters that define the Docker image
launched in the cluster and the chaincode metadata:
- `${TEST_NETWORK_CHAINCODE_NAME:-asset-transfer-basic}` refers to the _name_ associated with the chaincode.
While packaging and deploying to the network, the `scripts/chaincode.sh` script uses this string to search
the local `/chaincode` folder for associated metadata and connection json descriptor files.
- `${TEST_NETWORK_CHAINCODE_IMAGE:-ghcr.io/hyperledgendary/fabric-ccaas-asset-transfer-basic}` defines the
container image that will be used when running the chaincode in Kubernetes.
To deploy the chaincode, the network script will:
1. Read the `connection.json` and `metadata.json` files from the `/chaincode/${TEST_NETWORK_CHAINCODE_NAME}`
folder, bundling the files into a chaincode tar.gz archive.
2. Install the chaincode archive on a peer in the organization:
```shell
export CORE_PEER_ADDRESS='${org}'-peer1:7051
peer lifecycle chaincode install chaincode/asset-transfer-basic.tgz
```
3. In typical Fabric operations, the output of the `chaincode install` command includes a generated ID of the
chaincode archive printed to standard out. This ID is manually inspected and transcribed by the
network operator when executing subsequent commands with the network peers. To avoid scraping the
output of the installation command, the test network scripts precompute the chaincode ID
as the `sha256` checksum of the tar.gz archive.
4. The chaincode docker [image is launched using the yaml template](../kube/org1/org1-cc-template.yaml) as a Kubernetes
`Deployment` specifying _CHAINCODE_ID=sha-256(archive)_ in the environment and binding a `Service` port 9999
within the namespace. When the network sends messages to the chaincode process, it will use the host URL as
defined in the `connection.json`, connecting to the kubernetes `Service` URL and `Deployment`.
5. Finally, the Admin CLI issues a series of peer commands to approve and commit the chaincode for the org:
```shell
export CORE_PEER_ADDRESS='${org}'-peer1:7051
peer lifecycle \
chaincode approveformyorg \
--channelID '${CHANNEL_NAME}' \
--name '${CHAINCODE_NAME}' \
--version 1 \
--package-id '${cc_id}' \
--sequence 1 \
-o org0-orderer1:6050 \
--tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem
peer lifecycle \
chaincode commit \
--channelID '${CHANNEL_NAME}' \
--name '${CHAINCODE_NAME}' \
--version 1 \
--sequence 1 \
-o org0-orderer1:6050 \
--tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem
```
## Invoking and Querying the Chaincode
Once the chaincode service has been deployed to the cluster, and the peers have approved the chaincode,
the test scripts can issue adhoc invoke, query, and metadata requests to the network:
### Invoke
```shell
$ ./network chaincode invoke asset-transfer-basic '{"Args":["CreateAsset","1","blue","35","tom","1000"]}'
2022-06-23 06:12:13.150 UTC 0001 INFO [chaincodeCmd] chaincodeInvokeOrQuery -> Chaincode invoke successful. result: status:200 payload:"{\"owner\":\"tom\",\"color\":\"blue\",\"size\":35,\"appraisedValue\":1000,\"assetID\":\"1\"}"
```
### Query
```shell
$ ./network chaincode query asset-transfer-basic '{"Args":["ReadAsset","1"]}' | jq
{
"ID": "1",
"color": "blue",
"size": 35,
"owner": "tom",
"appraisedValue": 1000
}
```
### Describe
```shell
$ ./network chaincode metadata asset-transfer-basic | awk "NR==3,NR==3 {print}" | jq | head
{
"info": {
"title": "undefined",
"version": "latest"
},
"contracts": {
"SmartContract": {
"info": {
"title": "SmartContract",
"version": "latest"
```
## Build a Chaincode Docker Image
Before chaincode can be started in the network, it must be compiled, linked with the grpc `ChaincodeServer`,
embedded into a Docker image, and pushed to a container registry visible to the Kubernetes cluster.
By default, the `./network` script will launch the [asset-transfer-basic](../../asset-transfer-basic/chaincode-external)
chaincode. When the test network installs this chaincode, there is no need to build a custom Docker image as it
has previously been uploaded to a public container registry.
As an exercise, we recommend making some updates to the asset transfer basic chaincode and then running the
modified smart contract on your local Kubernetes cluster. For instance, the current version of the
[assetTransfer.go](../../asset-transfer-basic/chaincode-external/assetTransfer.go) code is completely
silent, printing nothing to the log when functions are invoked in the container. Try adding some debugging
information to the stdout of this process, bundling into a Docker image, and pushing the docker
image to the local development container registry.
1. Add some print statements to assetTransfer.go. E.g.:
```go
fmt.Printf("reading asset %s\n", id)
```
2. Build the docker image locally with:
```shell
docker build -t asset-transfer-basic ../asset-transfer-basic/chaincode-external
```
3. Override the test network's default chaincode image, pointing to our local container registry:
```shell
export TEST_NETWORK_CHAINCODE_IMAGE=localhost:5000/asset-transfer-basic
```
3. Publish the custom image to the local registry:
```shell
docker tag asset-transfer-basic $TEST_NETWORK_CHAINCODE_IMAGE
docker push $TEST_NETWORK_CHAINCODE_IMAGE
```
## Debugging Chaincode
One of the most compelling features of Fabric's _Chaincode-as-a-Service_ pattern is that when the peer connects to a
chaincode URL, it can connect back to a port on the local host. Instead of connecting to a pod running in a
container within Kubernetes, the chaincode process can be launched locally as a native binary in a debugger, an IDE,
or a docker image bound to the host network.
For additional details, see the [debugging chaincode](CHAINCODE_AS_A_SERVICE.md) guide for running the basic asset
transfer chaincode in an interactive development workflow.
## Next Steps:
[Writing a Blockchain Application](APPLICATIONS.md)

171
test-network-k8s/docs/CHAINCODE_AS_A_SERVICE.md
View file

@ -1,171 +0,0 @@
# Debugging Chaincode
In this sample we will employ the [Kubernetes Test Network](../README.md) to illustrate a scenario of
building, running, and debugging chaincode on a development workstation.
While this guide targets the Java [asset-transfer-basic](../../asset-transfer-basic/chaincode-java) sample, the approach
may be applied to any sample and chaincode implementation language.
When debugging chaincode as a service, the chaincode process is launched on the local system, binding to a port
on the host's network interface. In this mode the developer has complete flexibility in determining how and where the
process runs - it can be launched as a native binary from a CLI, attached to an active debugging session from an IDE,
as a Docker container, or even behind a reverse network proxy for diagnosing issues in a remote / cloud-based Fabric
network.
## TL/DR
```
export PATH=${PWD}/test-network-k8s:$PATH
cd asset-transfer-basic/chaincode-java
network kind
network cluster init
```
```
network up
network channel create
```
```
network chaincode deploy asset-transfer-basic ${PWD}
```
```
network chaincode metadata asset-transfer-basic
network chaincode invoke asset-transfer-basic '{"Args":["InitLedger"]}'
network chaincode query asset-transfer-basic '{"Args":["ReadAsset","asset1"]}' | jq
```
## Detailed Guide
```shell
network down
network up
network channel create
```
```shell
# Build the chaincode docker image
docker build -t fabric-samples/asset-transfer-basic/chaincode-java .
# Load the docker image directly to the KIND control plane.
# (Alternately, build/tag/push the image to a remote container registry, e.g. localhost:5000 or ghcr.io)
kind load docker-image fabric-samples/asset-transfer-basic/chaincode-java
```
```shell
# Assemble the chaincode package archive
network chaincode package asset-transfer-basic asset-transfer-basic $PWD/build/asset-transfer.tgz
# Determine the ID for the chaincode package
CORE_CHAINCODE_ID_NAME=$(network chaincode id $PWD/build/asset-transfer.tgz)
# Launch the chaincode in k8s as Deployment + Service
network chaincode launch asset-transfer-basic $CORE_CHAINCODE_ID_NAME fabric-samples/asset-transfer-basic/chaincode-java
# Complete the chaincode lifecycle
network chaincode install $PWD/build/asset-transfer.tgz
network chaincode approve asset-transfer-basic $CORE_CHAINCODE_ID_NAME
network chaincode commit asset-transfer-basic
```
```shell
# execute the smart contract by name
network chaincode metadata asset-transfer-basic
network chaincode invoke asset-transfer-basic '{"Args":["InitLedger"]}'
network chaincode query asset-transfer-basic '{"Args":["ReadAsset","asset1"]}'
```
```shell
kubectl -n test-network logs -f deployment/org1peer1-ccaas-asset-transfer-basic
```
## Debugging
### Build
```shell
./gradlew shadowJar
```
or
```shell
docker build -t fabric-samples/asset-transfer-basic/chaincode-java .
```
### Package
By instructing the peer to connect to chaincode at the Docker host alias `host.docker.internal`, pods running in
Kubernetes will access the local process via a special loopback interface established by KIND.
Set the "address" attribute in the package connection.json descriptor and assemble the chaincode package:
```shell
export TEST_NETWORK_CHAINCODE_ADDRESS=host.docker.internal:9999
network cc package basic_1.0 asset-transfer-debug $PWD/build/asset-transfer-debug.tgz
```
*NOTE:* The Docker host alias `host.docker.internal` is not yet supported for Linux.
In Linux environments, as a workaround, you should specify the IP address of the host directly instead of `host.docker.internal`:
```shell
export TEST_NETWORK_CHAINCODE_ADDRESS=<YOUR_HOST_IP_ADDRESS>:9999
network cc package basic_1.0 asset-transfer-debug $PWD/build/asset-transfer-debug.tgz
```
### Launch
When chaincode is launched locally, it must declare the package ID in the environment as if the process had been managed
by the peer's chaincode lifecycle manager. Calculate the package ID and start the chaincode, binding to port 9999
on the local system:
```shell
export CHAINCODE_SERVER_ADDRESS=0.0.0.0:9999
export CORE_CHAINCODE_ID_NAME=$(network chaincode id $PWD/build/asset-transfer-debug.tgz)
java -jar build/libs/chaincode.jar
```
Or using the editor/debugger/IDE of your choice, create a launch target for `ContractMain.main()`, specifying the
environment as above.
Or launch the chaincode in a Docker container, binding to port 9999 on the host system:
```shell
docker run \
--rm \
--name basic_1.0 \
-p 9999:9999 \
-e CHAINCODE_SERVER_ADDRESS \
-e CORE_CHAINCODE_ID_NAME \
fabric-samples/asset-transfer-basic/chaincode-java
```
### Approve, Invoke, and Query
After the contract main has launched, install, approve, commit, and invoke the chaincode:
```shell
# Complete the chaincode lifecycle
network cc activate asset-transfer-debug $PWD/build/asset-transfer-debug.tgz
```
```shell
# execute the smart contract by name
network cc metadata asset-transfer-debug
network cc invoke asset-transfer-debug '{"Args":["InitLedger"]}'
network cc query asset-transfer-debug '{"Args":["ReadAsset","asset1"]}'
```
## Tear Down
```shell
network down
```
or
```shell
network unkind
```

150
test-network-k8s/docs/CHANNELS.md
View file

@ -1,150 +0,0 @@
# Channels
Once the test network peers and orderers have been started, and the network identities have been registered
and enrolled with the ECert CA, we can construct a channel linking the participants of the test network
blockchain.
## TL/DR :
```
$ export TEST_NETWORK_CHANNEL_NAME="mychannel"
$ ./network channel create
Creating channel "mychannel":
✅ - Registering org Admin users ...
✅ - Enrolling org Admin users ...
✅ - Creating channel MSP ...
✅ - Creating channel genesis block ...
✅ - Joining orderers to channel mychannel ...
✅ - Joining org1 peers to channel mychannel ...
✅ - Joining org2 peers to channel mychannel ...
🏁 - Channel is ready.
```
## Process Overview
In order to construct a Fabric channel, the following steps must be performed:
1. Admin users must be registered and enrolled with the CAs
2. TLS and enrollment certificates must be aggregated and distributed to all participants in the network.
3. The channel genesis block is constructed from `configtx.yaml`, specifying the location of channel MSP.
4. Network orderers are joined to the channel using the channel participation API.
5. Network peers are joined to the channel.
## Aggregating the Channel MSP
```shell
✅ - Registering org Admin users ...
✅ - Enrolling org Admin users ...
✅ - Creating channel MSP ...
```
One of the responsibilities of a Hyperledger Fabric _Consortium Organizer_ is to distribute the public MSP and
TLS certificates to organizations participating in a blockchain. In the Docker composed based test network, or
systems bootstrapped with the `cryptogen` command, all of the public certificates will be available on a common
file system or volume share. In our Kubernetes test network, each organization maintains the cryptographic
assets on a distinct persistent volume, invisible to other the other participants in the network.
To distribute the TLS and MSP _public_ certificates, the test network emulates the responsibilities of the
consortium organizer by constructing a [Channel MSP](https://hyperledger-fabric.readthedocs.io/en/latest/membership/membership.html#channel-msps)
structure, extracting the relevant certificate files into a local folder before constructing the channel
genesis block. The `configtx.yaml` specifies the channel root folder as the consortium org's (org0) `MSPDir`
attribute.
- Org admin users are registered with the `fabric-ca-client`, storing the enrollment MSP structures in the local
`${PWD}/build/enrollments/${org}` folder.
- Channel MSP certificates are extracted from the ECert CA and cert-manager TLS signing authorities, storing the files
locally in the `${PWD}/channel-msp` folder.
## Create the Channel
```shell
✅ - Creating channel "mychannel" ...
```
As the _consortium leader_ org0, we create the channel's genesis block and use the orderer admin REST
services to register the channel genesis block configuration on the ordering nodes:
```shell
configtxgen -profile TwoOrgsApplicationGenesis -channelID '${CHANNEL_NAME}' -outputBlock genesis_block.pb
osnadmin channel join --orderer-address org0-orderer1-admin.localho.st --channelID '${CHANNEL_NAME}' --config-block genesis_block.pb
osnadmin channel join --orderer-address org0-orderer2-admin.localho.st --channelID '${CHANNEL_NAME}' --config-block genesis_block.pb
osnadmin channel join --orderer-address org0-orderer3-admin.localho.st --channelID '${CHANNEL_NAME}' --config-block genesis_block.pb
```
## Join Peers
```shell
✅ - Joining org1 peers to channel "mychannel" ...
✅ - Joining org2 peers to channel "mychannel" ...
```
After the channel configurations have been registered with the network orderers, we will join the peers to the channel
by retrieving the genesis block from the orderers and then joining the channel:
```shell
# Fetch the genesis block from an orderer
peer channel \
fetch oldest \
genesis_block.pb \
-c '${CHANNEL_NAME}' \
-o org0-orderer1.localho.st \
--tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem
# Join peer1 to the channel.
CORE_PEER_ADDRESS='${org}'-peer1:7051 \
peer channel \
join \
-b genesis_block.pb \
-o org0-orderer1.localho.st \
--tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem
# Join peer2 to the channel.
CORE_PEER_ADDRESS='${org}'-peer2:7051 \
peer channel \
join \
-b genesis_block.pb \
-o org0-orderer1.localho.st \
--tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem
```
## Set Anchor Peers (Optional)
```shell
$ ./network anchor peer2
✅ - Updating anchor peers to "peer2" ...
```
In the test network, the configtx.yaml sets the organization [Anchor Peers](https://hyperledger-fabric.readthedocs.io/en/latest/glossary.html?highlight=anchor#anchor-peer)
to "peer1" in the genesis block. As such, no additional configuration is necessary for neighboring
organizations to discover additional peers in the network.
However, the process of setting the anchor peers on a channel requires a more complicated scripting process, so we
have included in the test network a mechanism to illustrate how anchor peers may be set on a network after a
channel has been constructed.
Up to this point in the network configuration, the shell scripts orchestrating the remote volumes, peers, and
admin commands have all been executed by piping a sequence of commands into an existing pod directly
into the input of a `kubectl` command. For small command sets this is adequate, but for the more complicated
process of registering a channel anchor peer, we have elected to use a different approach to launch the peer
update scripts on the kubernetes cluster.
When updating anchor peers, the `./network` script will:
1. Transfer the shell scripts from `/scripts/*.sh` into the remote organization's persistent volume.
2. Issue a `kubectl exec -c "script-name.sh {args}"` on the org's admin CLI pod.
For non-trivial Fabric administrative tasks, this approach of uploading a script into the cluster and then
executing in an admin pod works well.
## Next Steps
### [Working with Chaincode](CHAINCODE.md)

71
test-network-k8s/docs/HIGH_AVAILABILITY.md
View file

@ -1,71 +0,0 @@
# High Availability
The peers have been configured so they implemented a essential failover/high-availability configuration.
Two important notes:
1. The word 'gateway' in the k8s definitions is being used in a generic way. It is not tied to the concept of the 'Fabric Gateway' component. However using the 'Fabric-Gateway' with the updated SDKs, make connecting to Fabric even easier. There is a single connection, that can easily be handled with core k8s abilities. Attempting the approach described below with the older SDKs is not recommended.
2. Long Lived gRPC connections. Remember that the connections between components in Fabric are long-lived gRPC connections. From a client application's perspective that means the connection will be load-balanced when initially connected, but unless the connection breaks, it will not be 're-load-balanced'. It's important to keep this in mind.
## Peer Gateway Services
Each peer has defined their own K8S service, with the selector specifically choosing only one peer pod.
In this test-network, there are two peers per organization. Using a service with a different selector that
picks both peer pods, allows a degree of load balancing.
```yaml
---
apiVersion: v1
kind: Service
metadata:
name: org2-peer-gateway-svc
spec:
ports:
- name: gossip
port: 7051
protocol: TCP
selector:
org: org2
```
The selector is `org: org2` that is defined in the specification of the Peer's Deployment.
```yaml
template:
metadata:
labels:
app: org2-peer1
org: org2
```
## Kube Proxy Configuration
The proxy configuration is set to be `ipvs`. This gives a lot more scope for different load balancing algorithms.
"Round Robin" is the default configuration (as used in this test network). For more information check this [deep dive](https://kubernetes.io/blog/2018/07/09/ipvs-based-in-cluster-load-balancing-deep-dive) on the Kubernetes blog.
For this KIND cluster, this is configured by updating the cluster configuration, add the following yaml.
```yaml
networking:
kubeProxyMode: "ipvs"
```
## Application and TLS Configuration
It is important that applications connect to the `org2-peer-gateway-svc` or `org1-peer-gateway-svc` rather that specific peer services. That way the service can load balance. However if TLS used, errors will occur as the host name that is connected to is different to that used by the application.
The solution is to add the additional servicename to the hosts field in the SAN section of the TLS certificate. As an example here is the command that is used to create the TLS certificate for org1-peer1. Note the
```bash
fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-ca --csr.hosts org1-peer1,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp
```
## Summary
The FabricGateway and updated SDKs, improve the connection from a client application to Fabric, by needing only a single connection to one peer. By using a K8S service fronting two or more peer pods, a degree of load-balancing can be achieved. Remember that this will only be load balanced when the connection is first created. If a single peer becomes heavily loaded, K8S will not move any existing connection.
To achieve this you would need to have a monitoring system that can trigger applications to disconnect and reconnect.
If the connection drops, the application can reconnect and will get to a working peer.

261
test-network-k8s/docs/KUBERNETES.md
View file

@ -1,261 +0,0 @@
# Kubernetes
To get started with the Kube test network, you will need access to a Kubernetes cluster.
## TL/DR :
```
$ ./network kind
Initializing KIND cluster "kind":
✅ - Creating cluster "kind" ...
✅ - Launching ingress controller ...
✅ - Launching cert-manager ...
✅ - Launching container registry "kind-registry" at localhost:5000 ...
✅ - Waiting for cert-manager ...
✅ - Waiting for ingress controller ...
🏁 - Cluster is ready.
```
and :
```
$ ./network unkind
Deleting cluster "kind":
☠️ - Deleting KIND cluster kind ...
🏁 - Cluster is gone.
```
## Kube Context:
For illustration purposes, this project attempts in all cases to _keep it simple_ as the
general rule. By default, we will rely on KIND ([Kubernetes IN Docker](https://kind.sigs.k8s.io))
as a mechanism to quickly spin up ephemeral, short-lived clusters for development and
illustration.
To maximize portability across revisions, vendor distributions, hardware profiles, and
network topologies, this project relies _exclusively_ on scripted interaction with the
Kube API controller to reflect updates in a remote cluster. While this may not be the
ideal technique for managing production workloads, the objective of this guide is to provide
clarity on the nuances of Fabric / Kubernetes deployments, rather than an opinionated
perspective on state of the art techniques for cloud Dev/Ops. Targeting
the core Kube APIs means that there is a good chance that the systems will work "as-is"
simply by setting the kubectl context to reference a cloud-native cluster (e.g. OCP, IKS,
AWS, etc.)
If you don't have access to an existing cluster, or want to set up a short-lived cluster
for development, testing, or CI, you can create a new cluster with:
```shell
$ ./network kind
$ ./network cluster init
```
By default, `kind` will set the current Kube context to reference the new cluster. Any
interaction with `kubectl` (or kube-context aware SDKs) will inherit the current context.
```shell
$ kubectl cluster-info
Kubernetes control plane is running at https://127.0.0.1:55346
CoreDNS is running at https://127.0.0.1:55346/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
```
When you are done with the cluster, tear it down with:
```shell
$ ./network unkind
```
or:
```shell
$ kind delete cluster
```
## Rancher Desktop and k3s
In addition to KIND, the Kube Test Network runs on the k3s Kubernetes provided by [Rancher Desktop](https://rancherdesktop.io).
To run natively on k3s, skip the creation of a KIND cluster and:
1. In Rancher's Kubernetes Settings:
1. Disable Traefik
2. Select the dockerd (moby) container runtime
3. Increase Memory allocation to 8 GRAM
4. Increase CPU allocation to 8 CPU
2. Reset Kubernetes
3. Initialize the Nginx ingress and cert-manager:
```shell
export TEST_NETWORK_CLUSTER_RUNTIME="k3s"
./network cluster init
```
- containerd is also a viable runtime. When building images for chaincode-as-a-service, the `--namespace k8s.io`
argument must be applied to the `nerdctl` CLI.
- For use with containerd:
```shell
export TEST_NETWORK_CLUSTER_RUNTIME="k3s"
export TEST_NETWORK_CONTAINER_NAMESPACE="--namespace k8s.io"
export CONTAINER_CLI="nerdctl"
./network cluster init
```
## Test Network Structure
To emulate a more realistic example of multi-party collaboration, the test network
forms a blockchain consensus group spanning three virtual organizations. Network I/O between the
blockchain nodes is entirely constrained to Kubernetes private networks, and consuming applications
make use of a Kubernetes / Nginx ingress controller for external visibility.
In k8s terms:
- The blockchain is contained within a single Kubernetes `Cluster`.
- Blockchain services (nodes, orderers, chaincode, etc.) reside within a single `Namespace`.
- Each organization maintains a distinct, independent `PersistentVolumeClaim` for TLS certificates,
local MSP, private data, and transaction ledgers.
- Smart Contracts rely exclusively on the [Chaincode-as-a-Service](https://hyperledger-fabric.readthedocs.io/en/latest/cc_service.html) and [External Builder](https://hyperledger-fabric.readthedocs.io/en/latest/cc_launcher.html)
patterns, running in the cluster as Kube `Deployments` with companion `Services`.
- An HTTP(s) `Ingress` and companion gateway application is required for external access to the blockchain.
When running the test network locally, the `./network kind` bootstrap will configure the system with
an [Nginx ingress controller](link), a private [Container Registry](link), and persistent volumes / claims for
host-local organization storage.
Behind the scenes, `./network kind` is running:
```shell
# Create the KIND cluster and nginx ingress controller bound to :80 and :443
kind create cluster --name ${TEST_NETWORK_CLUSTER_NAME:-kind} --config scripts/kind-config.yaml
# Create the Kube namespace
kubectl create namespace ${TEST_NETWORK_NAMESPACE:-test-network}
# Create host persistent volumes (tied the kind-control-plane docker image lifetime)
kubectl create -f kube/pv-fabric-org0.yaml
kubectl create -f kube/pv-fabric-org1.yaml
kubectl create -f kube/pv-fabric-org2.yaml
# Create persistent volume claims binding to the host (docker) volumes
kubectl -n $NS create -f kube/pvc-fabric-org0.yaml
kubectl -n $NS create -f kube/pvc-fabric-org1.yaml
kubectl -n $NS create -f kube/pvc-fabric-org2.yaml
```
## Container Registry
The [kube yaml descriptors](../kube) generally rely on the public Fabric images maintained at the public
Docker and GitHub container registries. For casual usage, the test network will bootstrap and launch CAs,
peers, orderers, chaincode, and sample applications without any additional configuration.
While public images are made available for pre-canned samples, there will undoubtedly be cases
where you would like to build custom chaincode, gateway client applications, or custom builds of core
Fabric binaries without uploading your code to a public registry. For this purpose, the Kube test
network includes a [Local Registry](https://kind.sigs.k8s.io/docs/user/local-registry/) available for
you to _quickly_ deploy custom images directly into the cluster without uploading your code to the
Internet.
By default, the [kind.sh](../scripts/kind.sh) bootstrap will configure and link up a local container
registry running at `localhost:5000/`. Images pushed to this registry will be immediately available
to Pods deployed to the local cluster.
For dev/test/CI based flows using an external registry, the traditional Kubernetes practice of
[Adding ImagePullSecrets to a service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account)
still applies.
In some environments, KIND may encounter issues loading the Fabric docker images from the public container
registries. In addition, for Fabric development it can be advantageous to work with Docker images built
locally, bypassing the public images entirely. For these scenarios, images may also be [directly loaded](https://kind.sigs.k8s.io/docs/user/quick-start/#loading-an-image-into-your-cluster)
into the KIND image plane, bypassing the container registry.
The `./network` script supports these additional modes via:
1. For network-constrained environments, pull all images to the local docker cache and load to KIND:
```shell
export TEST_NETWORK_STAGE_DOCKER_IMAGES=true
./network kind
./network up
```
2. For alternate registries (e.g. local or Fabric CI/CD builds):
```shell
./network kind
export TEST_NETWORK_FABRIC_CONTAINER_REGISTRY=hyperledger-fabric.jfrog.io
export TEST_NETWORK_FABRIC_VERSION=amd64-latest
export TEST_NETWORK_FABRIC_CA_VERSION=amd64-latest
./network up
```
3. For working with Fabric images built locally:
```shell
./network kind
make docker # in hyperledger/fabric
export TEST_NETWORK_FABRIC_VERSION=2.4.0
./network cluster load-images
./network up
```
## Nginx Ingress Controller
When Fabric nodes communicate within the k8s cluster, TCP sockets are established via Kube DNS service
aliases (e.g. grpcs://org1-peer1.test-network.svc.cluster.local:443) and traverse private K8s network routes.
For access from _external clients_, all traffic into the network nodes are routed into the correct pod by
virtue of an Nginx ingress controller bound to the host OS ports :80 and :443. To differentiate between
services, the Nginx provides a "layer 6" traffic router based on the http(s) host alias. In addition to
constructing Deployments, Pods, and Services, each Fabric node exposes a set of `Ingress` routes binding
the virtual host name to the corresponding endpoint.
TLS traffic tunneled through the ingress controller has been configured in "ssl-passthrough" mode. For
secure access to services, client applications must present the TLS root certificate of the appropriate
organization when connecting to peers, orderers, and CAs.
## What is `*.localho.st` ?
In order to expose a dynamic set of DNS host aliases matching the Nginx ingress controller, the test network
employs the public DNS wildcard domain `*.localho.st` to resolve host and subdomains to the local loopback
address 127.0.0.1.
Using this DNS wildcard alias means that all ingress points bound to the *.localho.st domain will resolve to your
local host, conveniently routing traffic into the KIND cluster on ports :80 and :443.
To override the *.localho.st network ingress domain (for example in cloud-based environments supporting a DNS
wildcard resolver) set the `TEST_NETWORK_DOMAIN` environment variable before invoking `./network`
targets. E.g.:
```shell
export TEST_NETWORK_DOMAIN=lvh.me
./network up
curl -s --insecure https://org0-ca.lvh.me/cainfo | jq
```
## Cloud Vendors
While the test network primarily targets KIND clusters, the singular reliance on the Kube API plane
means that it should also work without modification on any modern cloud-based or bare metal
Kubernetes distribution. While supporting the entire ecosystem of cloud vendors is not in scope
for this sample project, we'd love to hear feedback, success stories, or bugs related to applying the
test network to additional platforms.
In general, at a high-level the steps required to port the test network to ANY kube vendor are:
- Configure an HTTP `Ingress` for access to any gateway, REST, or companion blockchain applications.
- Register `PersistentVolumeClaims` for each of the organizations in the test network.
- Create a `Namespace` for each instance of the test network.
- Upload your chaincode, gateway clients, and application logic to an external Container Registry.
- Run with a `ServiceAccount` and role bindings suitable for creating `Pods`, `Deployments`, and `Services`.
## Next : [Fabric Certificate Authorities](CA.md)

47
test-network-k8s/docs/README.md
View file

@ -1,47 +0,0 @@
# Kubernetes Test Network
Starting in release 2.0, Hyperledger introduced the [test-network](https://hyperledger-fabric.readthedocs.io/en/latest/test_network.html)
to serve as both an accelerator and learning resource for running Fabric networks. In addition to
providing a study guide for operational patterns, the test-network provided a baseline environment for members of
the Fabric community to quickly get up to speed with a working, local system, author smart contracts, and develop
simple blockchain applications.
As a supplement to the docker-compose based test-network, this guide presents an equivalent Fabric network
suitable for running sample applications and chaincode, developing Gateway and Chaincode-as-a-Service applications,
and harmonizing CI and deployment flows with a unified container framework - Kubernetes.
Similar to Fabric, Kubernetes introduces a steep learning curve and presents a dizzying array of operational
flexibility. In this guide, we'll outline the design considerations in the [`./network`](../network)
scripts, provide a supplement to the [Fabric CA Deployment Guide](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy.html),
and build up to a reference model for realistic production deployments on Kubernetes.
_Ahoy!_
## Network Topology
The Kube test network establishes as consortium among a dedicated ordering organization and two peer organizations.
Participation in the network is managed over a channel, and transactions are committed to the blockchain ledgers by
invoking the [asset-transfer-basic](https://github.com/hyperledgendary/fabric-ccaas-asset-transfer-basic)
_Chaincode-as-a-Service_ running in a shared Kubernetes namespace.
![Test Network](images/test-network.png)
## Detailed Guides
- [Working with Kubernetes](KUBERNETES.md)
- [Certificate Authorities](CA.md)
- [Planning for a CA](CA.md#planning-for-a-ca)
- [Deploy the TLS CAs](CA.md#deploy-tls-ca-issuers)
- [Deploy the ECert CAs](CA.md#deploy-the-organization-ca)
- [Launching the Test Network](TEST_NETWORK.md)
- [Registering and Enrolling Identities](CA.md#registering-and-enrolling-identities)
- [Assembling Node MSPs](TEST_NETWORK.md#fabric-node-msp-context)
- [Deploy Orderers and Peers](TEST_NETWORK.md#starting-peers-and-orderers)
- [Working with Channels](CHANNELS.md)
- [Working with Chaincode](CHAINCODE.md)
- [Debugging Chaincode](CHAINCODE_AS_A_SERVICE.md)
- [Working with Applications](APPLICATIONS.md)
- [High Availability](HIGH_AVAILABILITY.md)
- [Benchmarking the performance using Hyperledger Caliper](CALIPER.md)

183
test-network-k8s/docs/TEST_NETWORK.md
View file

@ -1,183 +0,0 @@
## Network Overview
After we have set up a series of TLS and ECert CA services, we'll use the CAs to generate
[Local MSP](https://hyperledger-fabric.readthedocs.io/en/latest/membership/membership.html#local-msps) structures for
all of the nodes, using the local MSPs to launch our network peers and orderers.
### TL/DR :
```
./network up
...
✅ - Creating local node MSP ...
✅ - Launching orderers ...
✅ - Launching peers ...
🏁 - Network is ready.
```
## Fabric Node MSP Context
Before we launch the network peers and orderers, each node in the network needs to have available:
- TLS Root Certificates for all organizations in the network
- TLS Certificates and Signing Keys for SSL server/hostname verification of the network node
- Enrollment Certificates validating the network node identity (local MSP)
- Enrollment Certificates for an `Admin` identity / role for the organization.
In order to create the local node MSP, we must first register and enroll the node identities with the ECert CAs, and
then organize the TLS and MSP certificates into a location suitable for launching the network services.
The key steps in this process are:
- [Registering and enrolling identities with a CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html#registering-and-enrolling-identities-with-a-ca)
- [Create the local MSP of a node](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html#create-the-local-msp-of-a-node)
In the test network, each organization includes a function that wraps the registration, enrollment, and MSP aggregation
into a series of fabric-ca-client calls. [The script](../scripts/test_network.sh) will be executed directly on the
org's ECert CA pod, with access to the persistent volume for storage of the MSP and TLS certificates. While this is
largely boilerplate scripting, the process is straightforward: For each node in the network, we'll use the CAs to
generate TLS+MSP certificates, bundling into an MSP with a `config.yaml` specifying the fabric roles associated with
the target usage in the network.
For example, the ordering organization sets up the node local MSP with:
```shell
# Each identity in the network needs a registration and enrollment.
fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp
fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp
fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp
fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp
fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp
fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp
# Create an MSP config.yaml (why is this not generated by the enrollment by fabric-ca-client?)
echo "NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: cacerts/org0-ca.pem
OrganizationalUnitIdentifier: client
PeerOUIdentifier:
Certificate: cacerts/org0-ca.pem
OrganizationalUnitIdentifier: peer
AdminOUIdentifier:
Certificate: cacerts/org0-ca.pem
OrganizationalUnitIdentifier: admin
OrdererOUIdentifier:
Certificate: cacerts/org0-ca.pem
OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml
cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp/config.yaml
cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp/config.yaml
```
## External Chaincode Builders
Running Fabric in Kubernetes places some unique constraints on the Chaincode lifecycle:
- Many cloud-native vendors rely on [containerd.io](https://containerd.io) to manage the lifecycle of containers
within a cluster. By contrast, Fabric assumes the presence of a Docker daemon to compile and launch chaincode
containers. Without a local Docker daemon, Fabric's default chaincode pipeline is doomed!
- For security and operational concerns, it is a "non-starter" to run a docker daemon on Kubernetes worker nodes.
- For cloud-ready development, test, validation, CI/CD, and production practices, the use of the
[Chaincode as a Service](https://hyperledger-fabric.readthedocs.io/en/latest/cc_service.html) pattern provides a
_vastly superior user experience_.
- Running Chaincode builds in Docker in Docker, running in Kubernetes in Docker is ... interesting. Let's
step back and _keep it simple_.
In the Kubernetes Test Network, we've incorporated the default `ccaas` external builder
(See [fabric #2884](https://github.com/hyperledger/fabric/issues/2884)) as an accelerator for working with
Chaincode-as-a-Service on Kubernetes. For `ccaas` smart contracts, when chaincode is installed on a peer, the
external builder binaries will be invoked, bypassing the reliance on a local Docker daemon running in Kubernetes.
This configuration is accomplished by registering an external builder in the peer core.yaml:
```yaml
externalBuilders:
- name: ccaas_builder
path: /opt/hyperledger/ccaas_builder
propagateEnvironment:
- CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG
```
To trigger the external builder for a chaincode service, set the metadata.json `type` attribute to `ccaas`. E.g.:
```json
{
"type": "ccaas",
"label": "basic_1.0"
}
```
- [x] Pro tip: Use the companion container registry at `localhost:5000` to deploy custom chaincode into the test network.
- [x] Pro tip: Deploy a chaincode with `address: host.docker.internal:9999` and attach your chaincode in a debugger.
## Starting Peers and Orderers
```shell
✅ - Launching orderers ...
✅ - Launching peers ...
```
Once the local MSP structures for the network nodes have been created, the orderers and peers may be launched in the
namespace. System nodes will read base configuration files (orderer.yaml and core.yaml) from the organization
config folder, made available in Kubernetes as the `${org}-config` config map.
Each orderer and peer creates one `Deployment`, `Pod`, and `Service` in the namespace. In addition, each org
defines an `orgN-peerM-config` `ConfigMap` with environment variable overrides replacing the default settings
in the core.yaml file. Note that each node's [environment](../kube/org1/org1-peer1.yaml) includes pointers to the
node local MSP folders, certificates, and TLS signing keys that we generated above.
Note that the deployment yaml files include some basic template substitution and parameters. For simplicity and
clarity, we elected to use basic string substitution with `envsubst`, rather than introduce a Kube template
binding system (e.g. Helm, Kustomize, Kapitan, Ansible, etc.) for manipulating yaml templates. Any environment
variables declared in the `./network` script will be applied to these k8s templates. E.g.:
```shell
export FABRIC_VERSION=2.4.2
...
cat kube/org0/org0-orderer1.yaml | envsubst | kubectl -n $NS -f -
cat kube/org0/org0-orderer2.yaml | envsubst | kubectl -n $NS -f -
cat kube/org0/org0-orderer3.yaml | envsubst | kubectl -n $NS -f -
# Wait for the orderers to completely start before launching the network peer nodes.
kubectl -n $NS rollout status deploy/org0-orderer1
kubectl -n $NS rollout status deploy/org0-orderer2
kubectl -n $NS rollout status deploy/org0-orderer3
```
## Next Steps :
After the peers and orderers have started, the Kube namespace includes pods, deployments, and service bindings for:
- Org0 (org0.example.com):
- ECert Certificate Authority : https://org0-ca
- Orderer1 : grpcs://org0-orderer1
- Orderer2 : grpcs://org0-orderer2
- Orderer3 : grpcs://org0-orderer3
- Org1 (org1.example.com):
- ECert Certificate Authority : https://org1-ca
- Peer Node 1 : grpcs://org1-peer1
- Peer Node 2 : grpcs://org1-peer2
- Org2 (org2.example.com):
- ECert Certificate Authority : https://org2-ca
- Peer Node 1 : grpcs://org2-peer1
- Peer Node 2 : grpcs://org2-peer2
### Next : [Working With Channels](CHANNELS.md)

BIN
test-network-k8s/docs/images/test-network.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 220 KiB

48
test-network-k8s/kube/application-deployment.yaml
View file

@ -1,48 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: application-deployment
spec:
replicas: 1
selector:
matchLabels:
app: application-deployment
template:
metadata:
labels:
app: application-deployment
spec:
containers:
- name: main
image: <image name goes here>
imagePullPolicy: Always
envFrom:
- configMapRef:
name: app-fabric-org1-v1-map
resources:
requests:
memory: "50Mi"
cpu: "0.1"
volumeMounts:
- name: fabricids
mountPath: /fabric/application/wallet
- name: fabric-ccp
mountPath: /fabric/application/gateways
- name: tlscerts
mountPath: /fabric/tlscacerts
volumes:
- name: fabric-ccp
configMap:
name: app-fabric-ccp-v1-map
- name: fabricids
configMap:
name: app-fabric-ids-v1-map
- name: tlscerts
configMap:
name: app-fabric-tls-v1-map

27
test-network-k8s/kube/fabric-builder-role.yaml
View file

@ -1,27 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: fabric-builder-role
rules:
- apiGroups:
- ""
- apps
- batch
resources:
- pods
- jobs
- configmaps
- secrets
verbs:
- get
- list
- watch
- create
- delete
- patch

18
test-network-k8s/kube/fabric-builder-rolebinding.yaml
View file

@ -1,18 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: fabric-builder-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: fabric-builder-role
subjects:
- namespace: ${ORG1_NS}
kind: ServiceAccount
name: default

261
test-network-k8s/kube/fabric-rest-sample.yaml
View file

@ -1,261 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: v1
kind: ConfigMap
metadata:
name: fabric-rest-sample-config-example
data:
HLF_CONNECTION_PROFILE_ORG1: |
{
"name": "Org1",
"version": "1.0.0",
"client": {
"organization": "Org1",
"connection": {
"timeout": {
"peer": {
"endorser": "500"
}
}
}
},
"organizations": {
"Org1": {
"mspid": "Org1MSP",
"peers": [
"org1-peers"
],
"certificateAuthorities": [
"org1-ca"
]
}
},
"peers": {
"org1-peers": {
"url": "grpcs://org1-peer-gateway-svc:7051",
"tlsCACerts": {
"pem": "-----BEGIN CERTIFICATE-----\\nMIICvzCCAmWgAwIBAgIULJGws7jbEY6ruSgDuvi9L7VphvIwCgYIKoZIzj0EAwIw\\naDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt\\nY2Etc2VydmVyMB4XDTIxMDkyMDE2MDkwMFoXDTIyMDkyMDE2MTQwMFowYDELMAkG\\nA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl\\ncmxlZGdlcjENMAsGA1UECxMEcGVlcjETMBEGA1UEAxMKb3JnMS1wZWVyMTBZMBMG\\nByqGSM49AgEGCCqGSM49AwEHA0IABL9e3GZBf1MeoObGxwSHkcgDEjMo+/13Qc4u\\nfSG2MKrveHBIEA4MRkHNqd+sTjoz0/1B15y2n+RiPo8uJvlyC/CjgfQwgfEwDgYD\\nVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV\\nHRMBAf8EAjAAMB0GA1UdDgQWBBSeytspiXlEzMAsnF9/wxqc9fydETAfBgNVHSME\\nGDAWgBQwru1VH0OwH3dxfPdD8w74ZIlLRzAVBgNVHREEDjAMggpvcmcxLXBlZXIx\\nMFsGCCoDBAUGBwgBBE97ImF0dHJzIjp7ImhmLkFmZmlsaWF0aW9uIjoiIiwiaGYu\\nRW5yb2xsbWVudElEIjoib3JnMS1wZWVyMSIsImhmLlR5cGUiOiJwZWVyIn19MAoG\\nCCqGSM49BAMCA0gAMEUCIQDJEjPxceCfXU5B/emrHE4JbEzrZKxLVViBWCNMsHiR\\nFgIgY+8jsvr3rlBPkpRhl8CtT2DgaP7iWvovtMYsPKhLAqk=\\n-----END CERTIFICATE-----\\n"
},
"grpcOptions": {
"grpc-wait-for-ready-timeout": 100000,
"ssl-target-name-override": "org1-peer-gateway-svc",
"hostnameOverride": "org1-peer-gateway-svc"
}
}
},
"certificateAuthorities": {
"org1-ca": {
"url": "https://org1-ca",
"caName": "org1-ca",
"tlsCACerts": {
"pem": "TODO"
},
"httpOptions": {
"verify": "false"
}
}
}
}
HLF_CERTIFICATE_ORG1: |
-----BEGIN CERTIFICATE-----
MIIC2DCCAn6gAwIBAgIUTfcXDyxCS+2EQnznfjERUo4Vri8wCgYIKoZIzj0EAwIw
aDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK
EwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt
Y2Etc2VydmVyMB4XDTIxMDkyMDExNDEwMFoXDTIyMDkyMDExNDYwMFowYTELMAkG
A1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl
cmxlZGdlcjEOMAwGA1UECxMFYWRtaW4xEzARBgNVBAMTCm9yZzEtYWRtaW4wWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAAT8zvJEg3FgJ5iUA5GO+n/j48bL83STpz7N
TqejWIZNVTraxE4fjT6traKiswme7gT2NY9Jl0Dj4tbif9l2I9+Oo4IBCzCCAQcw
DgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFO1zWPynvyER
n9ml6XV5VvC9tIjTMB8GA1UdIwQYMBaAFPbIrI+lh8KayoRpW1YStWMhzJZSMCcG
A1UdEQQgMB6CHG9yZzEtdGxzLWNhLTg1NjdiOTg5OWYtdzU3amYwfgYIKgMEBQYH
CAEEcnsiYXR0cnMiOnsiYWJhYy5pbml0IjoidHJ1ZSIsImFkbWluIjoidHJ1ZSIs
ImhmLkFmZmlsaWF0aW9uIjoiIiwiaGYuRW5yb2xsbWVudElEIjoib3JnMS1hZG1p
biIsImhmLlR5cGUiOiJhZG1pbiJ9fTAKBggqhkjOPQQDAgNIADBFAiEAv99I2J9t
WtOmIzpYix8OFl4Z+ZGRHtay83ux//sZP+MCID02hFqnNpOL/ggGFaDVpVQ/eu0t
KTfVxZEMyZnJtAhp
-----END CERTIFICATE-----
HLF_PRIVATE_KEY_ORG1: |
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg7Lb+jwZqhxT3x0lT
FpU0QSmioptgfv8TI2RP5Mjp9UKhRANCAAT8zvJEg3FgJ5iUA5GO+n/j48bL83ST
pz7NTqejWIZNVTraxE4fjT6traKiswme7gT2NY9Jl0Dj4tbif9l2I9+O
-----END PRIVATE KEY-----
HLF_CONNECTION_PROFILE_ORG2: |
{
"name": "Org2",
"version": "1.0.0",
"client": {
"organization": "Org2",
"connection": {
"timeout": {
"peer": {
"endorser": "300"
}
}
}
},
"organizations": {
"Org2": {
"mspid": "Org2MSP",
"peers": [
"org2-peers"
],
"certificateAuthorities": [
"org2-ca"
]
}
},
"peers": {
"org2-peers": {
"url": "org2-peer-gateway-svc:7051",
"tlsCACerts": {
"pem": "-----BEGIN CERTIFICATE-----\\nMIICKDCCAc6gAwIBAgIUJJ4wGOSCfw8XOOIx29o67wBpFB4wCgYIKoZIzj0EAwIw\\naDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt\\nY2Etc2VydmVyMB4XDTIxMDkyMDExNDEwMFoXDTM2MDkxNjExNDEwMFowaDELMAkG\\nA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl\\ncmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2Vy\\ndmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyzGJLZX6pe59QAIBacjfzU4I\\nHezBYLyEu4ySpFx4xwxNLE4BWqLhB1VaOuenSQATM8pmSAy7i1830oM9elKWK6NW\\nMFQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\\nFEoAAhmjq/3M8CFPc7N8SL53erL5MA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0E\\nAwIDSAAwRQIhAJQ5PJOT4Gg8oiBU2KthMPkZqOLeu3Li4S3yBpLFgbsgAiB960P2\\nXPMu3HLoNXrktYOL9JzWlGyYRSPAnkap5Bsj0w==\\n-----END CERTIFICATE-----\\n"
},
"grpcOptions": {
"ssl-target-name-override": "org2-peer-gateway-svc",
"hostnameOverride": "org2-peer-gateway-svc"
}
}
},
"certificateAuthorities": {
"org2-ca": {
"url": "https://org2-ca",
"caName": "org2-ca",
"tlsCACerts": {
"pem": ["-----BEGIN CERTIFICATE-----\\nMIICKDCCAc6gAwIBAgIUJAF4fQK1KsnvdaUjau462D/5HPYwCgYIKoZIzj0EAwIw\\naDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt\\nY2Etc2VydmVyMB4XDTIxMDkxOTExMTcwMFoXDTM2MDkxNTExMTcwMFowaDELMAkG\\nA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl\\ncmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2Vy\\ndmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8bLvzagP3YANMGHVomZoGCQD\\nRgM3SenagZQ4IWqNQJSV3yTxzdgAWnPhwc+B/HdAOvAq2Oz54FmiSL9dAJoivqNW\\nMFQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\\nFDdBAwT47jtbj48aXdMfRvMPbD5tMA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0E\\nAwIDSAAwRQIhAITSk4lYWqu12jZkR94aNoKT36ctaeKHuRvXs7m2qaHSAiAtUPO7\\nXlHtI9SDTRvI4DNSb2O7y7+B3WxVeCx50fivDw==\\n-----END CERTIFICATE-----\\n"]
},
"httpOptions": {
"verify": "false"
}
}
}
}
HLF_CERTIFICATE_ORG2: |
-----BEGIN CERTIFICATE-----
MIIC2DCCAn6gAwIBAgIUY/B19uAV6H5zK4bgqF/BcYC79eEwCgYIKoZIzj0EAwIw
aDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK
EwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt
Y2Etc2VydmVyMB4XDTIxMDkyMDExNDEwMFoXDTIyMDkyMDExNDYwMFowYTELMAkG
A1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl
cmxlZGdlcjEOMAwGA1UECxMFYWRtaW4xEzARBgNVBAMTCm9yZzItYWRtaW4wWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAARKTC+25gFIgbLQgSQSec3DaUJOZS6aHBAi
0bmArVbMOxLUBT/W42ycXzfFJ9c0UAEZecDu8jxgBfEGWcbeWWMXo4IBCzCCAQcw
DgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFGIXcrVhcyJ9
WTH2zgc9/RdE1hJsMB8GA1UdIwQYMBaAFFS96ExY5RWOcsODBAfXZe+FQIq0MCcG
A1UdEQQgMB6CHG9yZzItdGxzLWNhLTY5Yzg1Zjg5YmMtNzIyZ2cwfgYIKgMEBQYH
CAEEcnsiYXR0cnMiOnsiYWJhYy5pbml0IjoidHJ1ZSIsImFkbWluIjoidHJ1ZSIs
ImhmLkFmZmlsaWF0aW9uIjoiIiwiaGYuRW5yb2xsbWVudElEIjoib3JnMi1hZG1p
biIsImhmLlR5cGUiOiJhZG1pbiJ9fTAKBggqhkjOPQQDAgNIADBFAiEAhrXwM7Ng
IGxgF8irY7NbkQp1xqphy3tv6JbK6HPF+O8CIELMkzOclVK2rRC1K5PF99G7Cmmm
KsVw31cJcV4NTDI7
-----END CERTIFICATE-----
HLF_PRIVATE_KEY_ORG2: |
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPJgLniT9EqcaUNbi
F3EqGyBP9LDg1baXR/5dV6xedt+hRANCAARKTC+25gFIgbLQgSQSec3DaUJOZS6a
HBAi0bmArVbMOxLUBT/W42ycXzfFJ9c0UAEZecDu8jxgBfEGWcbeWWMX
-----END PRIVATE KEY-----
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: fabric-rest-sample
spec:
replicas: 1
selector:
matchLabels:
app: fabric-rest-sample
template:
metadata:
labels:
app: fabric-rest-sample
spec:
containers:
- name: main
image: ghcr.io/hyperledger/fabric-rest-sample
imagePullPolicy: IfNotPresent
env:
- name: LOG_LEVEL
value: debug
- name: HFC_LOGGING
value: '{ "debug": "console" }'
- name: PORT
value: "3000"
- name: RETRY_DELAY
value: "3000"
- name: MAX_RETRY_COUNT
value: "5"
- name: HLF_COMMIT_TIMEOUT
value: "3000"
- name: HLF_ENDORSE_TIMEOUT
value: "30"
- name: REDIS_HOST
value: "localhost"
- name: REDIS_PORT
value: "6379"
- name: ORG1_APIKEY
value: "97834158-3224-4CE7-95F9-A148C886653E"
- name: ORG2_APIKEY
value: "BC42E734-062D-4AEE-A591-5973CB763430"
- name: AS_LOCAL_HOST
value: "false"
- name: HLF_CHAINCODE_NAME
value: "asset-transfer-basic"
# - name: REDIS_USERNAME
# value: redisuser
# - name: REDIS_PASSWORD
# value: redispasword
envFrom:
- configMapRef:
name: fabric-rest-sample-config
ports:
- containerPort: 3000
- name: redis
image: redis:6.2.5
ports:
- containerPort: 6379
---
apiVersion: v1
kind: Service
metadata:
name: fabric-rest-sample
spec:
ports:
- name: http
port: 3000
protocol: TCP
selector:
app: fabric-rest-sample
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
labels:
app: fabric-rest-sample
name: fabric-rest-sample
spec:
ingressClassName: nginx
rules:
- host: fabric-rest-sample.${DOMAIN}
http:
paths:
- backend:
service:
name: fabric-rest-sample
port:
name: http
path: /
pathType: ImplementationSpecific

683
test-network-k8s/kube/ingress-nginx-k3s.yaml
View file

@ -1,683 +0,0 @@
#GENERATED FOR K8S 1.20
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resourceNames:
- ingress-controller-leader
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: v1
data:
allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-controller
namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
externalTrafficPolicy: Local
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
spec:
containers:
- args:
- /nginx-ingress-controller
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-controller-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --enable-ssl-passthrough
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsUser: 101
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission-create
spec:
containers:
- args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
annotations:
helm.sh/hook: post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: nginx
spec:
controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: ingress-nginx-controller-admission
namespace: ingress-nginx
path: /networking/v1/ingresses
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None

694
test-network-k8s/kube/ingress-nginx-kind.yaml
View file

@ -1,694 +0,0 @@
#GENERATED FOR K8S 1.20
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resourceNames:
- ingress-controller-leader
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: v1
data:
allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-controller
namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: NodePort
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
spec:
containers:
- args:
- /nginx-ingress-controller
- --election-id=ingress-controller-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --watch-ingress-without-class=true
- --publish-status-address=localhost
- --enable-ssl-passthrough
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
hostPort: 80
name: http
protocol: TCP
- containerPort: 443
hostPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsUser: 101
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
ingress-ready: "true"
kubernetes.io/os: linux
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 0
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission-create
spec:
containers:
- args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
annotations:
helm.sh/hook: post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: nginx
spec:
controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.1.2
helm.sh/chart: ingress-nginx-4.0.18
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: ingress-nginx-controller-admission
namespace: ingress-nginx
path: /networking/v1/ingresses
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None

10
test-network-k8s/kube/ns-test-network.yaml
View file

@ -1,10 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: v1
kind: Namespace
metadata:
name: test-network

124
test-network-k8s/kube/org0/org0-ca.yaml
View file

@ -1,124 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: org0-ca-tls-cert
spec:
isCA: false
privateKey:
algorithm: ECDSA
size: 256
dnsNames:
- localhost
- org0-ca
- org0-ca.${ORG0_NS}.svc.cluster.local
- org0-ca.${DOMAIN}
ipAddresses:
- 127.0.0.1
secretName: org0-ca-tls-cert
issuerRef:
name: org0-tls-cert-issuer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: org0-ca
spec:
replicas: 1
selector:
matchLabels:
app: org0-ca
template:
metadata:
labels:
app: org0-ca
spec:
containers:
- name: main
image: ${FABRIC_CONTAINER_REGISTRY}/fabric-ca:${FABRIC_CA_VERSION}
imagePullPolicy: IfNotPresent
env:
- name: FABRIC_CA_SERVER_CA_NAME
value: "org0-ca"
- name: FABRIC_CA_SERVER_DEBUG
value: "false"
- name: FABRIC_CA_SERVER_HOME
value: "/var/hyperledger/fabric-ca-server"
- name: FABRIC_CA_SERVER_TLS_CERTFILE
value: "/var/hyperledger/fabric/config/tls/tls.crt"
- name: FABRIC_CA_SERVER_TLS_KEYFILE
value: "/var/hyperledger/fabric/config/tls/tls.key"
- name: FABRIC_CA_CLIENT_HOME
value: "/var/hyperledger/fabric-ca-client"
ports:
- containerPort: 443
volumeMounts:
- name: fabric-volume
mountPath: /var/hyperledger
- name: fabric-config
mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
subPath: fabric-ca-server-config.yaml
- name: tls-cert-volume
mountPath: /var/hyperledger/fabric/config/tls
readOnly: true
readinessProbe:
tcpSocket:
port: 443
initialDelaySeconds: 2
periodSeconds: 5
volumes:
- name: fabric-volume
persistentVolumeClaim:
claimName: fabric-org0
- name: fabric-config
configMap:
name: org0-config
- name: tls-cert-volume
secret:
secretName: org0-ca-tls-cert
---
apiVersion: v1
kind: Service
metadata:
name: org0-ca
spec:
ports:
- name: https
port: 443
protocol: TCP
selector:
app: org0-ca
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
labels:
app: org0-ca
name: org0-ca
spec:
ingressClassName: nginx
rules:
- host: org0-ca.${DOMAIN}
http:
paths:
- backend:
service:
name: org0-ca
port:
name: https
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- org0-ca.${DOMAIN}

32
test-network-k8s/kube/org0/org0-job-scrub-fabric-volumes.yaml
View file

@ -1,32 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: batch/v1
kind: Job
metadata:
name: job-scrub-fabric-volumes
spec:
backoffLimit: 0
completions: 1
template:
metadata:
name: job-scrub-fabric-volumes
spec:
restartPolicy: "Never"
containers:
- name: main
image: busybox:latest
command:
- sh
- -c
- "rm -rvf /mnt/fabric-*/*"
volumeMounts:
- name: fabric-org0-volume
mountPath: /mnt/fabric-org0
volumes:
- name: fabric-org0-volume
persistentVolumeClaim:
claimName: fabric-org0

159
test-network-k8s/kube/org0/org0-orderer1.yaml
View file

@ -1,159 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: org0-orderer1-tls-cert
namespace: ${ORG0_NS}
spec:
isCA: false
privateKey:
algorithm: ECDSA
size: 256
dnsNames:
- localhost
- org0-orderer1
- org0-orderer1.${ORG0_NS}.svc.cluster.local
- org0-orderer1.${DOMAIN}
- org0-orderer1-admin.${DOMAIN}
ipAddresses:
- 127.0.0.1
secretName: org0-orderer1-tls-cert
issuerRef:
name: org0-tls-cert-issuer
---
apiVersion: v1
kind: ConfigMap
metadata:
name: org0-orderer1-env
data:
FABRIC_CFG_PATH: /var/hyperledger/fabric/config
FABRIC_LOGGING_SPEC: INFO # debug:cauthdsl,policies,msp,common.configtx,common.channelconfig=info
ORDERER_GENERAL_LISTENADDRESS: 0.0.0.0
ORDERER_GENERAL_LISTENPORT: "6050"
ORDERER_GENERAL_LOCALMSPID: OrdererMSP
ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp
ORDERER_GENERAL_TLS_ENABLED: "true"
ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt
ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt
ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key
ORDERER_GENERAL_BOOTSTRAPMETHOD: none
ORDERER_ADMIN_TLS_ENABLED: "true"
ORDERER_ADMIN_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt
ORDERER_ADMIN_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt
ORDERER_ADMIN_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key
# Authenticate client connections with the org's ecert / admin user enrollments
ORDERER_ADMIN_TLS_CLIENTROOTCAS: "[/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/cacerts/org0-ca.pem]"
ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer1
ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer1/etcdraft/wal
ORDERER_CONSENSUS_SNAPDIR: /var/hyperledger/fabric/data/orderer1/etcdraft/wal
ORDERER_OPERATIONS_LISTENADDRESS: 0.0.0.0:8443
ORDERER_ADMIN_LISTENADDRESS: 0.0.0.0:9443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: org0-orderer1
spec:
replicas: 1
selector:
matchLabels:
app: org0-orderer1
template:
metadata:
labels:
app: org0-orderer1
spec:
containers:
- name: main
image: ${FABRIC_CONTAINER_REGISTRY}/fabric-orderer:${FABRIC_VERSION}
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: org0-orderer1-env
ports:
- containerPort: 6050
- containerPort: 8443
- containerPort: 9443
volumeMounts:
- name: fabric-volume
mountPath: /var/hyperledger
- name: fabric-config
mountPath: /var/hyperledger/fabric/config
- name: tls-cert-volume
mountPath: /var/hyperledger/fabric/config/tls
readOnly: true
volumes:
- name: fabric-volume
persistentVolumeClaim:
claimName: fabric-org0
- name: fabric-config
configMap:
name: org0-config
- name: tls-cert-volume
secret:
secretName: org0-orderer1-tls-cert
---
apiVersion: v1
kind: Service
metadata:
name: org0-orderer1
spec:
ports:
- name: general
port: 6050
protocol: TCP
- name: operations
port: 8443
protocol: TCP
- name: admin
port: 9443
protocol: TCP
selector:
app: org0-orderer1
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
labels:
app: org0-orderer1
name: org0-orderer1
spec:
ingressClassName: nginx
rules:
- host: org0-orderer1.${DOMAIN}
http:
paths:
- backend:
service:
name: org0-orderer1
port:
name: general
path: /
pathType: ImplementationSpecific
- host: org0-orderer1-admin.${DOMAIN}
http:
paths:
- backend:
service:
name: org0-orderer1
port:
name: admin
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- org0-orderer1.${DOMAIN}
- hosts:
- org0-orderer1-admin.${DOMAIN}

159
test-network-k8s/kube/org0/org0-orderer2.yaml
View file

@ -1,159 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: org0-orderer2-tls-cert
namespace: ${ORG0_NS}
spec:
isCA: false
privateKey:
algorithm: ECDSA
size: 256
dnsNames:
- localhost
- org0-orderer2
- org0-orderer2.${ORG0_NS}.svc.cluster.local
- org0-orderer2.${DOMAIN}
- org0-orderer2-admin.${DOMAIN}
ipAddresses:
- 127.0.0.1
secretName: org0-orderer2-tls-cert
issuerRef:
name: org0-tls-cert-issuer
---
apiVersion: v1
kind: ConfigMap
metadata:
name: org0-orderer2-env
data:
FABRIC_CFG_PATH: /var/hyperledger/fabric/config
FABRIC_LOGGING_SPEC: INFO # debug:cauthdsl,policies,msp,common.configtx,common.channelconfig=info
ORDERER_GENERAL_LISTENADDRESS: 0.0.0.0
ORDERER_GENERAL_LISTENPORT: "6050"
ORDERER_GENERAL_LOCALMSPID: OrdererMSP
ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp
ORDERER_GENERAL_TLS_ENABLED: "true"
ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt
ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt
ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key
ORDERER_GENERAL_BOOTSTRAPMETHOD: none
ORDERER_ADMIN_TLS_ENABLED: "true"
ORDERER_ADMIN_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt
ORDERER_ADMIN_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt
ORDERER_ADMIN_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key
# Authenticate client connections with the org's ecert / admin user enrollments
ORDERER_ADMIN_TLS_CLIENTROOTCAS: "[/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp/cacerts/org0-ca.pem]"
ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer2
ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer2/etcdraft/wal
ORDERER_CONSENSUS_SNAPDIR: /var/hyperledger/fabric/data/orderer2/etcdraft/wal
ORDERER_OPERATIONS_LISTENADDRESS: 0.0.0.0:8443
ORDERER_ADMIN_LISTENADDRESS: 0.0.0.0:9443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: org0-orderer2
spec:
replicas: 1
selector:
matchLabels:
app: org0-orderer2
template:
metadata:
labels:
app: org0-orderer2
spec:
containers:
- name: main
image: ${FABRIC_CONTAINER_REGISTRY}/fabric-orderer:${FABRIC_VERSION}
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: org0-orderer2-env
ports:
- containerPort: 6050
- containerPort: 8443
- containerPort: 9443
volumeMounts:
- name: fabric-volume
mountPath: /var/hyperledger
- name: fabric-config
mountPath: /var/hyperledger/fabric/config
- name: tls-cert-volume
mountPath: /var/hyperledger/fabric/config/tls
readOnly: true
volumes:
- name: fabric-volume
persistentVolumeClaim:
claimName: fabric-org0
- name: fabric-config
configMap:
name: org0-config
- name: tls-cert-volume
secret:
secretName: org0-orderer2-tls-cert
---
apiVersion: v1
kind: Service
metadata:
name: org0-orderer2
spec:
ports:
- name: general
port: 6050
protocol: TCP
- name: operations
port: 8443
protocol: TCP
- name: admin
port: 9443
protocol: TCP
selector:
app: org0-orderer2
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
labels:
app: org0-orderer2
name: org0-orderer2
spec:
ingressClassName: nginx
rules:
- host: org0-orderer2.${DOMAIN}
http:
paths:
- backend:
service:
name: org0-orderer2
port:
name: general
path: /
pathType: ImplementationSpecific
- host: org0-orderer2-admin.${DOMAIN}
http:
paths:
- backend:
service:
name: org0-orderer2
port:
name: admin
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- org0-orderer2.${DOMAIN}
- hosts:
- org0-orderer2-admin.${DOMAIN}

159
test-network-k8s/kube/org0/org0-orderer3.yaml
View file

@ -1,159 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: org0-orderer3-tls-cert
namespace: ${ORG0_NS}
spec:
isCA: false
privateKey:
algorithm: ECDSA
size: 256
dnsNames:
- localhost
- org0-orderer3
- org0-orderer3.${ORG0_NS}.svc.cluster.local
- org0-orderer3.${DOMAIN}
- org0-orderer3-admin.${DOMAIN}
ipAddresses:
- 127.0.0.1
secretName: org0-orderer3-tls-cert
issuerRef:
name: org0-tls-cert-issuer
---
apiVersion: v1
kind: ConfigMap
metadata:
name: org0-orderer3-env
data:
FABRIC_CFG_PATH: /var/hyperledger/fabric/config
FABRIC_LOGGING_SPEC: INFO # debug:cauthdsl,policies,msp,common.configtx,common.channelconfig=info
ORDERER_GENERAL_LISTENADDRESS: 0.0.0.0
ORDERER_GENERAL_LISTENPORT: "6050"
ORDERER_GENERAL_LOCALMSPID: OrdererMSP
ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp
ORDERER_GENERAL_TLS_ENABLED: "true"
ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt
ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt
ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key
ORDERER_GENERAL_BOOTSTRAPMETHOD: none
ORDERER_ADMIN_TLS_ENABLED: "true"
ORDERER_ADMIN_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt
ORDERER_ADMIN_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt
ORDERER_ADMIN_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key
# Authenticate client connections with the org's ecert / admin user enrollments
ORDERER_ADMIN_TLS_CLIENTROOTCAS: "[/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp/cacerts/org0-ca.pem]"
ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer3
ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer3/etcdraft/wal
ORDERER_CONSENSUS_SNAPDIR: /var/hyperledger/fabric/data/orderer3/etcdraft/wal
ORDERER_OPERATIONS_LISTENADDRESS: 0.0.0.0:8443
ORDERER_ADMIN_LISTENADDRESS: 0.0.0.0:9443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: org0-orderer3
spec:
replicas: 1
selector:
matchLabels:
app: org0-orderer3
template:
metadata:
labels:
app: org0-orderer3
spec:
containers:
- name: main
image: ${FABRIC_CONTAINER_REGISTRY}/fabric-orderer:${FABRIC_VERSION}
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: org0-orderer3-env
ports:
- containerPort: 6050
- containerPort: 8443
- containerPort: 9443
volumeMounts:
- name: fabric-volume
mountPath: /var/hyperledger
- name: fabric-config
mountPath: /var/hyperledger/fabric/config
- name: tls-cert-volume
mountPath: /var/hyperledger/fabric/config/tls
readOnly: true
volumes:
- name: fabric-volume
persistentVolumeClaim:
claimName: fabric-org0
- name: fabric-config
configMap:
name: org0-config
- name: tls-cert-volume
secret:
secretName: org0-orderer3-tls-cert
---
apiVersion: v1
kind: Service
metadata:
name: org0-orderer3
spec:
ports:
- name: general
port: 6050
protocol: TCP
- name: operations
port: 8443
protocol: TCP
- name: admin
port: 9443
protocol: TCP
selector:
app: org0-orderer3
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
labels:
app: org0-orderer3
name: org0-orderer3
spec:
ingressClassName: nginx
rules:
- host: org0-orderer3.${DOMAIN}
http:
paths:
- backend:
service:
name: org0-orderer3
port:
name: general
path: /
pathType: ImplementationSpecific
- host: org0-orderer3-admin.${DOMAIN}
http:
paths:
- backend:
service:
name: org0-orderer3
port:
name: admin
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- org0-orderer3.${DOMAIN}
- hosts:
- org0-orderer3-admin.${DOMAIN}

34
test-network-k8s/kube/org0/org0-tls-cert-issuer.yaml
View file

@ -1,34 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: org0-tls-cert-issuer
spec:
isCA: true
privateKey:
algorithm: ECDSA
size: 256
commonName: org0.example.com
secretName: org0-tls-cert-issuer-secret
issuerRef:
name: root-tls-cert-issuer
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: org0-tls-cert-issuer
spec:
ca:
secretName: org0-tls-cert-issuer-secret

124
test-network-k8s/kube/org1/org1-ca.yaml
View file

@ -1,124 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: org1-ca-tls-cert
spec:
isCA: false
privateKey:
algorithm: ECDSA
size: 256
dnsNames:
- localhost
- org1-ca
- org1-ca.${ORG1_NS}.svc.cluster.local
- org1-ca.${DOMAIN}
ipAddresses:
- 127.0.0.1
secretName: org1-ca-tls-cert
issuerRef:
name: org1-tls-cert-issuer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: org1-ca
spec:
replicas: 1
selector:
matchLabels:
app: org1-ca
template:
metadata:
labels:
app: org1-ca
spec:
containers:
- name: main
image: ${FABRIC_CONTAINER_REGISTRY}/fabric-ca:${FABRIC_CA_VERSION}
imagePullPolicy: IfNotPresent
env:
- name: FABRIC_CA_SERVER_CA_NAME
value: "org1-ca"
- name: FABRIC_CA_SERVER_DEBUG
value: "false"
- name: FABRIC_CA_SERVER_HOME
value: "/var/hyperledger/fabric-ca-server"
- name: FABRIC_CA_SERVER_TLS_CERTFILE
value: "/var/hyperledger/fabric/config/tls/tls.crt"
- name: FABRIC_CA_SERVER_TLS_KEYFILE
value: "/var/hyperledger/fabric/config/tls/tls.key"
- name: FABRIC_CA_CLIENT_HOME
value: "/var/hyperledger/fabric-ca-client"
ports:
- containerPort: 443
volumeMounts:
- name: fabric-volume
mountPath: /var/hyperledger
- name: fabric-config
mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
subPath: fabric-ca-server-config.yaml
- name: tls-cert-volume
mountPath: /var/hyperledger/fabric/config/tls
readOnly: true
readinessProbe:
tcpSocket:
port: 443
initialDelaySeconds: 2
periodSeconds: 5
volumes:
- name: fabric-volume
persistentVolumeClaim:
claimName: fabric-org1
- name: fabric-config
configMap:
name: org1-config
- name: tls-cert-volume
secret:
secretName: org1-ca-tls-cert
---
apiVersion: v1
kind: Service
metadata:
name: org1-ca
spec:
ports:
- name: https
port: 443
protocol: TCP
selector:
app: org1-ca
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
labels:
app: org1-ca
name: org1-ca
spec:
ingressClassName: nginx
rules:
- host: org1-ca.${DOMAIN}
http:
paths:
- backend:
service:
name: org1-ca
port:
name: https
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- org1-ca.${DOMAIN}

46
test-network-k8s/kube/org1/org1-cc-template.yaml
View file

@ -1,46 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: org1{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}}
spec:
replicas: 1
selector:
matchLabels:
app: org1{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}}
template:
metadata:
labels:
app: org1{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}}
spec:
containers:
- name: main
image: {{CHAINCODE_IMAGE}}
imagePullPolicy: IfNotPresent
env:
- name: CHAINCODE_SERVER_ADDRESS
value: 0.0.0.0:9999
- name: CHAINCODE_ID
value: {{CHAINCODE_ID}}
- name: CORE_CHAINCODE_ID_NAME
value: {{CHAINCODE_ID}}
ports:
- containerPort: 9999
---
apiVersion: v1
kind: Service
metadata:
name: org1{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}}
spec:
ports:
- name: chaincode
port: 9999
protocol: TCP
selector:
app: org1{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}}

34
test-network-k8s/kube/org1/org1-install-k8s-builder.yaml
View file

@ -1,34 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: batch/v1
kind: Job
metadata:
name: org1-install-k8s-builder
spec:
ttlSecondsAfterFinished: 600
backoffLimit: 0
completions: 1
template:
metadata:
name: org1-install-k8s-builder
spec:
restartPolicy: "Never"
containers:
- name: main
image: ${K8S_CHAINCODE_BUILDER_IMAGE}:${K8S_CHAINCODE_BUILDER_VERSION}
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- "mkdir -p /mnt/fabric-org1/fabric/external_builders && cp -rv /opt/hyperledger/k8s_builder /mnt/fabric-org1/fabric/external_builders/"
volumeMounts:
- name: fabric-org1-volume
mountPath: /mnt/fabric-org1
volumes:
- name: fabric-org1-volume
persistentVolumeClaim:
claimName: fabric-org1

32
test-network-k8s/kube/org1/org1-job-scrub-fabric-volumes.yaml
View file

@ -1,32 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: batch/v1
kind: Job
metadata:
name: job-scrub-fabric-volumes
spec:
backoffLimit: 0
completions: 1
template:
metadata:
name: job-scrub-fabric-volumes
spec:
restartPolicy: "Never"
containers:
- name: main
image: busybox:latest
command:
- sh
- -c
- "rm -rvf /mnt/fabric-*/*"
volumeMounts:
- name: fabric-org1-volume
mountPath: /mnt/fabric-org1
volumes:
- name: fabric-org1-volume
persistentVolumeClaim:
claimName: fabric-org1

184
test-network-k8s/kube/org1/org1-peer1.yaml
View file

@ -1,184 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: org1-peer1-tls-cert
namespace: ${ORG1_NS}
spec:
isCA: false
privateKey:
algorithm: ECDSA
size: 256
dnsNames:
- localhost
- org1-peer1
- org1-peer1.${ORG1_NS}.svc.cluster.local
- org1-peer1.${DOMAIN}
- org1-peer-gateway-svc
- org1-peer-gateway-svc.${DOMAIN}
ipAddresses:
- 127.0.0.1
secretName: org1-peer1-tls-cert
issuerRef:
name: org1-tls-cert-issuer
---
apiVersion: v1
kind: ConfigMap
metadata:
name: org1-peer1-config
data:
FABRIC_CFG_PATH: /var/hyperledger/fabric/config
FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info"
CORE_PEER_TLS_ENABLED: "true"
CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/config/tls/tls.crt
CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/config/tls/tls.key
CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/config/tls/ca.crt
CORE_PEER_ID: org1-peer1.org1.example.com
CORE_PEER_ADDRESS: org1-peer1:7051
CORE_PEER_LISTENADDRESS: 0.0.0.0:7051
CORE_PEER_CHAINCODEADDRESS: org1-peer1:7052
CORE_PEER_CHAINCODELISTENADDRESS: 0.0.0.0:7052
# bootstrap peer is the other peer in the same org
CORE_PEER_GOSSIP_BOOTSTRAP: org1-peer2:7051
CORE_PEER_GOSSIP_EXTERNALENDPOINT: org1-peer1.${ORG1_NS}.svc.cluster.local:7051
CORE_PEER_LOCALMSPID: Org1MSP
CORE_PEER_MSPCONFIGPATH: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp
CORE_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443
CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org1-peer1.org1.example.com
CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org1-peer1.org1.example.com/snapshots
CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG: "{\"peername\":\"org1peer1\"}"
FABRIC_K8S_BUILDER_OBJECT_NAME_PREFIX: org1-peer1-cc
CORE_LEDGER_STATE_STATEDATABASE: CouchDB
CORE_LEDGER_STATE_COUCHDBCONFIG_MAXRETRIESONSTARTUP: "20"
CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS: localhost:5984
CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME: admin
CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD: adminpw
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: org1-peer1
spec:
replicas: 1
selector:
matchLabels:
app: org1-peer1
template:
metadata:
labels:
app: org1-peer1
org: org1
spec:
containers:
- name: main
image: ${FABRIC_PEER_IMAGE}
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: org1-peer1-config
ports:
- containerPort: 7051
- containerPort: 7052
- containerPort: 9443
volumeMounts:
- name: fabric-volume
mountPath: /var/hyperledger
- name: fabric-config
mountPath: /var/hyperledger/fabric/config
- name: tls-cert-volume
mountPath: /var/hyperledger/fabric/config/tls
readOnly: true
- name: couchdb
image: couchdb:${COUCHDB_VERSION}
imagePullPolicy: IfNotPresent
env:
- name: "COUCHDB_USER"
value: "admin"
- name: "COUCHDB_PASSWORD"
value: "adminpw"
ports:
- containerPort: 5984
volumes:
- name: fabric-volume
persistentVolumeClaim:
claimName: fabric-org1
- name: fabric-config
configMap:
name: org1-config
- name: tls-cert-volume
secret:
secretName: org1-peer1-tls-cert
---
apiVersion: v1
kind: Service
metadata:
name: org1-peer1
spec:
ports:
- name: grpc
port: 7051
protocol: TCP
- name: chaincode
port: 7052
protocol: TCP
- name: operations
port: 9443
protocol: TCP
selector:
app: org1-peer1
---
apiVersion: v1
kind: Service
metadata:
name: org1-peer-gateway-svc
spec:
ports:
- name: grpc
port: 7051
protocol: TCP
selector:
org: org1
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
labels:
app: org1-peer1
name: org1-peer1
spec:
ingressClassName: nginx
rules:
- host: org1-peer1.${DOMAIN}
http:
paths:
- backend:
service:
name: org1-peer1
port:
name: grpc
path: /
pathType: ImplementationSpecific
- host: org1-peer-gateway-svc.${DOMAIN}
http:
paths:
- backend:
service:
name: org1-peer-gateway-svc
port:
name: grpc
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- org1-peer1.${DOMAIN}
- hosts:
- org1-peer-gateway-svc.${DOMAIN}

161
test-network-k8s/kube/org1/org1-peer2.yaml
View file

@ -1,161 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: org1-peer2-tls-cert
namespace: ${ORG1_NS}
spec:
isCA: false
privateKey:
algorithm: ECDSA
size: 256
dnsNames:
- localhost
- org1-peer2
- org1-peer-gateway-svc
- org1-peer2.${ORG1_NS}.svc.cluster.local
- org1-peer2.${DOMAIN}
- org1-peer2-gateway-svc.${DOMAIN}
ipAddresses:
- 127.0.0.1
secretName: org1-peer2-tls-cert
issuerRef:
name: org1-tls-cert-issuer
---
apiVersion: v1
kind: ConfigMap
metadata:
name: org1-peer2-config
data:
FABRIC_CFG_PATH: /var/hyperledger/fabric/config
FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info"
CORE_PEER_TLS_ENABLED: "true"
CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/config/tls/tls.crt
CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/config/tls/tls.key
CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/config/tls/ca.crt
CORE_PEER_ID: org1-peer2.org1.example.com
CORE_PEER_ADDRESS: org1-peer2:7051
CORE_PEER_LISTENADDRESS: 0.0.0.0:7051
CORE_PEER_CHAINCODEADDRESS: org1-peer2:7052
CORE_PEER_CHAINCODELISTENADDRESS: 0.0.0.0:7052
# bootstrap peer is the other peer in the same org
CORE_PEER_GOSSIP_BOOTSTRAP: org1-peer1:7051
CORE_PEER_GOSSIP_EXTERNALENDPOINT: org1-peer2.${ORG1_NS}.svc.cluster.local:7051
CORE_PEER_LOCALMSPID: Org1MSP
CORE_PEER_MSPCONFIGPATH: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/msp
CORE_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443
CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org1-peer2.org1.example.com
CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org1-peer2.org1.example.com/snapshots
CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG: "{\"peername\":\"org1peer2\"}"
FABRIC_K8S_BUILDER_OBJECT_NAME_PREFIX: org1-peer2-cc
CORE_LEDGER_STATE_STATEDATABASE: CouchDB
CORE_LEDGER_STATE_COUCHDBCONFIG_MAXRETRIESONSTARTUP: "20"
CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS: localhost:5984
CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME: admin
CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD: adminpw
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: org1-peer2
spec:
replicas: 1
selector:
matchLabels:
app: org1-peer2
template:
metadata:
labels:
app: org1-peer2
org: org1
spec:
containers:
- name: main
image: ${FABRIC_PEER_IMAGE}
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: org1-peer2-config
ports:
- containerPort: 7051
- containerPort: 7052
- containerPort: 9443
volumeMounts:
- name: fabric-volume
mountPath: /var/hyperledger
- name: fabric-config
mountPath: /var/hyperledger/fabric/config
- name: tls-cert-volume
mountPath: /var/hyperledger/fabric/config/tls
readOnly: true
- name: couchdb
image: couchdb:${COUCHDB_VERSION}
imagePullPolicy: IfNotPresent
env:
- name: "COUCHDB_USER"
value: "admin"
- name: "COUCHDB_PASSWORD"
value: "adminpw"
ports:
- containerPort: 5984
volumes:
- name: fabric-volume
persistentVolumeClaim:
claimName: fabric-org1
- name: fabric-config
configMap:
name: org1-config
- name: tls-cert-volume
secret:
secretName: org1-peer2-tls-cert
---
apiVersion: v1
kind: Service
metadata:
name: org1-peer2
spec:
ports:
- name: grpc
port: 7051
protocol: TCP
- name: chaincode
port: 7052
protocol: TCP
- name: operations
port: 9443
protocol: TCP
selector:
app: org1-peer2
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
labels:
app: org1-peer2
name: org1-peer2
spec:
ingressClassName: nginx
rules:
- host: org1-peer2.${DOMAIN}
http:
paths:
- backend:
service:
name: org1-peer2
port:
name: grpc
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- org1-peer2.${DOMAIN}

32
test-network-k8s/kube/org1/org1-tls-cert-issuer.yaml
View file

@ -1,32 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: org1-tls-cert-issuer
spec:
isCA: true
privateKey:
algorithm: ECDSA
size: 256
commonName: org1.example.com
secretName: org1-tls-cert-issuer-secret
issuerRef:
name: root-tls-cert-issuer
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: org1-tls-cert-issuer
spec:
ca:
secretName: org1-tls-cert-issuer-secret

124
test-network-k8s/kube/org2/org2-ca.yaml
View file

@ -1,124 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: org2-ca-tls-cert
spec:
isCA: false
privateKey:
algorithm: ECDSA
size: 256
dnsNames:
- localhost
- org2-ca
- org2-ca.${ORG2_NS}.svc.cluster.local
- org2-ca.${DOMAIN}
ipAddresses:
- 127.0.0.1
secretName: org2-ca-tls-cert
issuerRef:
name: org2-tls-cert-issuer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: org2-ca
spec:
replicas: 1
selector:
matchLabels:
app: org2-ca
template:
metadata:
labels:
app: org2-ca
spec:
containers:
- name: main
image: ${FABRIC_CONTAINER_REGISTRY}/fabric-ca:${FABRIC_CA_VERSION}
imagePullPolicy: IfNotPresent
env:
- name: FABRIC_CA_SERVER_CA_NAME
value: "org2-ca"
- name: FABRIC_CA_SERVER_DEBUG
value: "false"
- name: FABRIC_CA_SERVER_HOME
value: "/var/hyperledger/fabric-ca-server"
- name: FABRIC_CA_SERVER_TLS_CERTFILE
value: "/var/hyperledger/fabric/config/tls/tls.crt"
- name: FABRIC_CA_SERVER_TLS_KEYFILE
value: "/var/hyperledger/fabric/config/tls/tls.key"
- name: FABRIC_CA_CLIENT_HOME
value: "/var/hyperledger/fabric-ca-client"
ports:
- containerPort: 443
volumeMounts:
- name: fabric-volume
mountPath: /var/hyperledger
- name: fabric-config
mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
subPath: fabric-ca-server-config.yaml
- name: tls-cert-volume
mountPath: /var/hyperledger/fabric/config/tls
readOnly: true
readinessProbe:
tcpSocket:
port: 443
initialDelaySeconds: 2
periodSeconds: 5
volumes:
- name: fabric-volume
persistentVolumeClaim:
claimName: fabric-org2
- name: fabric-config
configMap:
name: org2-config
- name: tls-cert-volume
secret:
secretName: org2-ca-tls-cert
---
apiVersion: v1
kind: Service
metadata:
name: org2-ca
spec:
ports:
- name: https
port: 443
protocol: TCP
selector:
app: org2-ca
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
labels:
app: org2-ca
name: org2-ca
spec:
ingressClassName: nginx
rules:
- host: org2-ca.${DOMAIN}
http:
paths:
- backend:
service:
name: org2-ca
port:
name: https
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- org2-ca.${DOMAIN}

46
test-network-k8s/kube/org2/org2-cc-template.yaml
View file

@ -1,46 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: org2{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}}
spec:
replicas: 1
selector:
matchLabels:
app: org2{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}}
template:
metadata:
labels:
app: org2{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}}
spec:
containers:
- name: main
image: {{CHAINCODE_IMAGE}}
imagePullPolicy: IfNotPresent
env:
- name: CHAINCODE_SERVER_ADDRESS
value: 0.0.0.0:9999
- name: CHAINCODE_ID
value: {{CHAINCODE_ID}}
- name: CORE_CHAINCODE_ID_NAME
value: {{CHAINCODE_ID}}
ports:
- containerPort: 9999
---
apiVersion: v1
kind: Service
metadata:
name: org2{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}}
spec:
ports:
- name: chaincode
port: 9999
protocol: TCP
selector:
app: org2{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}}

34
test-network-k8s/kube/org2/org2-install-k8s-builder.yaml
View file

@ -1,34 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: batch/v1
kind: Job
metadata:
name: org2-install-k8s-builder
spec:
ttlSecondsAfterFinished: 600
backoffLimit: 0
completions: 1
template:
metadata:
name: org2-install-k8s-builder
spec:
restartPolicy: "Never"
containers:
- name: main
image: ${K8S_CHAINCODE_BUILDER_IMAGE}:${K8S_CHAINCODE_BUILDER_VERSION}
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- "mkdir -p /mnt/fabric-org2/fabric/external_builders && cp -rv /opt/hyperledger/k8s_builder /mnt/fabric-org2/fabric/external_builders/"
volumeMounts:
- name: fabric-org2-volume
mountPath: /mnt/fabric-org2
volumes:
- name: fabric-org2-volume
persistentVolumeClaim:
claimName: fabric-org2

33
test-network-k8s/kube/org2/org2-job-scrub-fabric-volumes.yaml
View file

@ -1,33 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: batch/v1
kind: Job
metadata:
name: job-scrub-fabric-volumes
spec:
backoffLimit: 0
completions: 1
template:
metadata:
name: job-scrub-fabric-volumes
spec:
restartPolicy: "Never"
containers:
- name: main
image: busybox:latest
command:
- sh
- -c
- "rm -rvf /mnt/fabric-*/*"
volumeMounts:
- name: fabric-org2-volume
mountPath: /mnt/fabric-org2
volumes:
- name: fabric-org2-volume
persistentVolumeClaim:
claimName: fabric-org2

184
test-network-k8s/kube/org2/org2-peer1.yaml
View file

@ -1,184 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: org2-peer1-tls-cert
namespace: ${ORG2_NS}
spec:
isCA: false
privateKey:
algorithm: ECDSA
size: 256
dnsNames:
- localhost
- org2-peer1
- org2-peer1.${ORG2_NS}.svc.cluster.local
- org2-peer1.${DOMAIN}
- org2-peer-gateway-svc
- org2-peer-gateway-svc.${DOMAIN}
ipAddresses:
- 127.0.0.1
secretName: org2-peer1-tls-cert
issuerRef:
name: org2-tls-cert-issuer
---
apiVersion: v1
kind: ConfigMap
metadata:
name: org2-peer1-config
data:
FABRIC_CFG_PATH: /var/hyperledger/fabric/config
FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info"
CORE_PEER_TLS_ENABLED: "true"
CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/config/tls/tls.crt
CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/config/tls/tls.key
CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/config/tls/ca.crt
CORE_PEER_ID: org2-peer1.org2.example.com
CORE_PEER_ADDRESS: org2-peer1:7051
CORE_PEER_LISTENADDRESS: 0.0.0.0:7051
CORE_PEER_CHAINCODEADDRESS: org2-peer1:7052
CORE_PEER_CHAINCODELISTENADDRESS: 0.0.0.0:7052
# bootstrap peer is the other peer in the same org
CORE_PEER_GOSSIP_BOOTSTRAP: org2-peer2:7051
CORE_PEER_GOSSIP_EXTERNALENDPOINT: org2-peer1.${ORG2_NS}.svc.cluster.local:7051
CORE_PEER_LOCALMSPID: Org2MSP
CORE_PEER_MSPCONFIGPATH: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp
CORE_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443
CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org2-peer1.org2.example.com
CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org2-peer1.org2.example.com/snapshots
CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG: "{\"peername\":\"org2peer1\"}"
FABRIC_K8S_BUILDER_OBJECT_NAME_PREFIX: org2-peer1-cc
CORE_LEDGER_STATE_STATEDATABASE: CouchDB
CORE_LEDGER_STATE_COUCHDBCONFIG_MAXRETRIESONSTARTUP: "20"
CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS: localhost:5984
CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME: admin
CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD: adminpw
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: org2-peer1
spec:
replicas: 1
selector:
matchLabels:
app: org2-peer1
template:
metadata:
labels:
app: org2-peer1
org: org2
spec:
containers:
- name: main
image: ${FABRIC_PEER_IMAGE}
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: org2-peer1-config
ports:
- containerPort: 7051
- containerPort: 7052
- containerPort: 9443
volumeMounts:
- name: fabric-volume
mountPath: /var/hyperledger
- name: fabric-config
mountPath: /var/hyperledger/fabric/config
- name: tls-cert-volume
mountPath: /var/hyperledger/fabric/config/tls
readOnly: true
- name: couchdb
image: couchdb:${COUCHDB_VERSION}
imagePullPolicy: IfNotPresent
env:
- name: "COUCHDB_USER"
value: "admin"
- name: "COUCHDB_PASSWORD"
value: "adminpw"
ports:
- containerPort: 5984
volumes:
- name: fabric-volume
persistentVolumeClaim:
claimName: fabric-org2
- name: fabric-config
configMap:
name: org2-config
- name: tls-cert-volume
secret:
secretName: org2-peer1-tls-cert
---
apiVersion: v1
kind: Service
metadata:
name: org2-peer1
spec:
ports:
- name: grpc
port: 7051
protocol: TCP
- name: chaincode
port: 7052
protocol: TCP
- name: operations
port: 9443
protocol: TCP
selector:
app: org2-peer1
---
apiVersion: v1
kind: Service
metadata:
name: org2-peer-gateway-svc
spec:
ports:
- name: grpc
port: 7051
protocol: TCP
selector:
org: org2
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
labels:
app: org2-peer1
name: org2-peer1
spec:
ingressClassName: nginx
rules:
- host: org2-peer1.${DOMAIN}
http:
paths:
- backend:
service:
name: org2-peer1
port:
name: grpc
path: /
pathType: ImplementationSpecific
- host: org2-peer-gateway-svc.${DOMAIN}
http:
paths:
- backend:
service:
name: org2-peer-gateway-svc
port:
name: grpc
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- org2-peer1.${DOMAIN}
- hosts:
- org2-peer-gateway-svc.${DOMAIN}

159
test-network-k8s/kube/org2/org2-peer2.yaml
View file

@ -1,159 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: org2-peer2-tls-cert
namespace: ${ORG2_NS}
spec:
isCA: false
privateKey:
algorithm: ECDSA
size: 256
dnsNames:
- localhost
- org2-peer2
- org2-peer-gateway-svc
- org2-peer2.${ORG2_NS}.svc.cluster.local
- org2-peer2.${DOMAIN}
ipAddresses:
- 127.0.0.1
secretName: org2-peer2-tls-cert
issuerRef:
name: org2-tls-cert-issuer
---
apiVersion: v1
kind: ConfigMap
metadata:
name: org2-peer2-config
data:
FABRIC_CFG_PATH: /var/hyperledger/fabric/config
FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info"
CORE_PEER_TLS_ENABLED: "true"
CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/config/tls/tls.crt
CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/config/tls/tls.key
CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/config/tls/ca.crt
CORE_PEER_ID: org2-peer2.org2.example.com
CORE_PEER_ADDRESS: org2-peer2:7051
CORE_PEER_LISTENADDRESS: 0.0.0.0:7051
CORE_PEER_CHAINCODEADDRESS: org2-peer2:7052
CORE_PEER_CHAINCODELISTENADDRESS: 0.0.0.0:7052
# bootstrap peer is the other peer in the same org
CORE_PEER_GOSSIP_BOOTSTRAP: org2-peer1:7051
CORE_PEER_GOSSIP_EXTERNALENDPOINT: org2-peer2.${ORG2_NS}.svc.cluster.local:7051
CORE_PEER_LOCALMSPID: Org2MSP
CORE_PEER_MSPCONFIGPATH: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/msp
CORE_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443
CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org2-peer2.org2.example.com
CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org2-peer2.org2.example.com/snapshots
CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG: "{\"peername\":\"org2peer2\"}"
FABRIC_K8S_BUILDER_OBJECT_NAME_PREFIX: org2-peer2-cc
CORE_LEDGER_STATE_STATEDATABASE: CouchDB
CORE_LEDGER_STATE_COUCHDBCONFIG_MAXRETRIESONSTARTUP: "20"
CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS: localhost:5984
CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME: admin
CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD: adminpw
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: org2-peer2
spec:
replicas: 1
selector:
matchLabels:
app: org2-peer2
template:
metadata:
labels:
app: org2-peer2
org: org2
spec:
containers:
- name: main
image: ${FABRIC_PEER_IMAGE}
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: org2-peer2-config
ports:
- containerPort: 7051
- containerPort: 7052
- containerPort: 9443
volumeMounts:
- name: fabric-volume
mountPath: /var/hyperledger
- name: fabric-config
mountPath: /var/hyperledger/fabric/config
- name: tls-cert-volume
mountPath: /var/hyperledger/fabric/config/tls
readOnly: true
- name: couchdb
image: couchdb:${COUCHDB_VERSION}
imagePullPolicy: IfNotPresent
env:
- name: "COUCHDB_USER"
value: "admin"
- name: "COUCHDB_PASSWORD"
value: "adminpw"
ports:
- containerPort: 5984
volumes:
- name: fabric-volume
persistentVolumeClaim:
claimName: fabric-org2
- name: fabric-config
configMap:
name: org2-config
- name: tls-cert-volume
secret:
secretName: org2-peer2-tls-cert
---
apiVersion: v1
kind: Service
metadata:
name: org2-peer2
spec:
ports:
- name: grpc
port: 7051
protocol: TCP
- name: chaincode
port: 7052
protocol: TCP
- name: operations
port: 9443
protocol: TCP
selector:
app: org2-peer2
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
labels:
app: org2-peer2
name: org2-peer2
spec:
ingressClassName: nginx
rules:
- host: org2-peer2.${DOMAIN}
http:
paths:
- backend:
service:
name: org2-peer2
port:
name: grpc
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- org2-peer2.${DOMAIN}

32
test-network-k8s/kube/org2/org2-tls-cert-issuer.yaml
View file

@ -1,32 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: org2-tls-cert-issuer
spec:
isCA: true
privateKey:
algorithm: ECDSA
size: 256
commonName: org2.example.com
secretName: org2-tls-cert-issuer-secret
issuerRef:
name: root-tls-cert-issuer
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: org2-tls-cert-issuer
spec:
ca:
secretName: org2-tls-cert-issuer-secret

17
test-network-k8s/kube/pvc-fabric-org0.yaml
View file

@ -1,17 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: fabric-org0
spec:
accessModes:
- ReadWriteOnce
storageClassName: ${STORAGE_CLASS}
resources:
requests:
storage: 1Gi

17
test-network-k8s/kube/pvc-fabric-org1.yaml
View file

@ -1,17 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: fabric-org1
spec:
accessModes:
- ReadWriteOnce
storageClassName: ${STORAGE_CLASS}
resources:
requests:
storage: 1Gi

17
test-network-k8s/kube/pvc-fabric-org2.yaml
View file

@ -1,17 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: fabric-org2
spec:
accessModes:
- ReadWriteOnce
storageClassName: ${STORAGE_CLASS}
resources:
requests:
storage: 1Gi

12
test-network-k8s/kube/root-tls-cert-issuer.yaml
View file

@ -1,12 +0,0 @@
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: root-tls-cert-issuer
spec:
selfSigned: {}

171
test-network-k8s/network
View file

@ -1,171 +0,0 @@
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
# todo: better handling for input parameters. Argbash?
# todo: skip storage volume init if deploying to a remote / cloud cluster (ICP IKS ROKS etc...)
# todo: for logging, set up a stack and allow multi-line status output codes
# todo: user:pass auth for tls and ecert bootstrap admins. here and in the server-config.yaml
# todo: refactor chaincode install to support other chaincode routines
# todo: allow the user to specify the chaincode name (hardcoded as 'basic') both in install and invoke/query
# todo: track down a nasty bug whereby the CA service endpoints (kube services) will occasionally reject TCP connections after network down/up. This is patched by introducing a 10s sleep after the deployments are up...
# todo: allow relative paths for input arguments.
cd "$(dirname "$0")"
# Set an environment variable based on an optional override (TEST_NETWORK_${name})
# from the calling shell. If the override is not available, assign the parameter
# to a default value.
function context() {
local name=$1
local default_value=$2
local override_name=TEST_NETWORK_${name}
export ${name}="${!override_name:-${default_value}}"
}
context FABRIC_VERSION 2.5
context FABRIC_CA_VERSION 1.5
context CLUSTER_RUNTIME kind # or k3s for Rancher
context CONTAINER_CLI docker # or nerdctl for containerd
context CONTAINER_NAMESPACE "" # or "--namespace k8s.io" for containerd / nerdctl
context FABRIC_CONTAINER_REGISTRY hyperledger
context FABRIC_PEER_IMAGE ${FABRIC_CONTAINER_REGISTRY}/fabric-peer:${FABRIC_VERSION}
context COUCHDB_VERSION 3.3.3
context NETWORK_NAME test-network
context CLUSTER_NAME kind
context KUBE_NAMESPACE ${NETWORK_NAME}
context NS ${KUBE_NAMESPACE}
context ORG0_NS ${NS}
context ORG1_NS ${NS}
context ORG2_NS ${NS}
context DOMAIN localho.st
context CHANNEL_NAME mychannel
context ORDERER_TIMEOUT 10s # see https://github.com/hyperledger/fabric/issues/3372
context TEMP_DIR ${PWD}/build
context CHAINCODE_BUILDER ccaas # see https://github.com/hyperledgendary/fabric-builder-k8s/blob/main/docs/TEST_NETWORK_K8S.md
context K8S_CHAINCODE_BUILDER_IMAGE ghcr.io/hyperledger-labs/fabric-builder-k8s/k8s-fabric-peer
context K8S_CHAINCODE_BUILDER_VERSION 0.14.0 # For Fabric v2.5+, 0.11.0 or later should be specified
context LOG_FILE network.log
context DEBUG_FILE network-debug.log
context LOG_ERROR_LINES 2
context LOCAL_REGISTRY_NAME kind-registry
context LOCAL_REGISTRY_INTERFACE 127.0.0.1
context LOCAL_REGISTRY_PORT 5000
context STAGE_DOCKER_IMAGES false
context NGINX_HTTP_PORT 80
context NGINX_HTTPS_PORT 443
context RCAADMIN_USER rcaadmin
context RCAADMIN_PASS rcaadminpw
function print_help() {
set +x
log
log "--- Fabric Information"
log "Fabric Version \t\t: ${FABRIC_VERSION}"
log "Fabric CA Version \t: ${FABRIC_CA_VERSION}"
log "Container Registry \t: ${FABRIC_CONTAINER_REGISTRY}"
log "Network name \t\t: ${NETWORK_NAME}"
log "Ingress domain \t\t: ${DOMAIN}"
log "Channel name \t\t: ${CHANNEL_NAME}"
log
log "--- Cluster Information"
log "Cluster runtime \t: ${CLUSTER_RUNTIME}"
log "Cluster name \t\t: ${CLUSTER_NAME}"
log "Cluster namespace \t: ${NS}"
log "Fabric Registry \t: ${FABRIC_CONTAINER_REGISTRY}"
log "Local Registry \t\t: ${LOCAL_REGISTRY_NAME}"
log "Local Registry port \t: ${LOCAL_REGISTRY_PORT}"
log "nginx http port \t: ${NGINX_HTTP_PORT}"
log "nginx https port \t: ${NGINX_HTTPS_PORT}"
log
log "--- Script Information"
log "Log file \t\t: ${LOG_FILE}"
log "Debug log file \t\t: ${DEBUG_FILE}"
log
echo todo: help output, parse mode, flags, env, etc.
}
. scripts/utils.sh
. scripts/prereqs.sh
. scripts/kind.sh
. scripts/cluster.sh
. scripts/fabric_config.sh
. scripts/fabric_CAs.sh
. scripts/test_network.sh
. scripts/channel.sh
. scripts/chaincode.sh
. scripts/rest_sample.sh
. scripts/application_connection.sh
# check for kind, kubectl, etc.
check_prereqs
# Initialize the logging system - control output to 'network.log' and everything else to 'network-debug.log'
logging_init
## Parse mode
if [[ $# -lt 1 ]] ; then
print_help
exit 0
else
MODE=$1
shift
fi
if [ "${MODE}" == "kind" ]; then
log "Creating KIND cluster \"${CLUSTER_NAME}\":"
kind_init
log "🏁 - KIND cluster is ready"
elif [ "${MODE}" == "unkind" ]; then
log "Deleting KIND cluster \"${CLUSTER_NAME}\":"
kind_unkind
log "🏁 - KIND Cluster is gone."
elif [[ "${MODE}" == "cluster" || "${MODE}" == "k8s" || "${MODE}" == "kube" ]]; then
cluster_command_group $@
elif [ "${MODE}" == "up" ]; then
log "Launching network \"${NETWORK_NAME}\":"
network_up
log "🏁 - Network is ready."
elif [ "${MODE}" == "down" ]; then
log "Shutting down test network \"${NETWORK_NAME}\":"
network_down
log "🏁 - Fabric network is down."
elif [ "${MODE}" == "channel" ]; then
channel_command_group $@
elif [[ "${MODE}" == "chaincode" || "${MODE}" == "cc" ]]; then
chaincode_command_group $@
elif [ "${MODE}" == "anchor" ]; then
update_anchor_peers $@
elif [ "${MODE}" == "rest-easy" ]; then
log "Launching fabric-rest-sample application:"
launch_rest_sample
log "🏁 - Fabric REST sample is ready."
elif [ "${MODE}" == "application" ]; then
log "Getting application connection information:"
application_connection
log "🏁 - Application connection information ready."
else
print_help
exit 1
fi

124
test-network-k8s/scripts/application_connection.sh
View file

@ -1,124 +0,0 @@
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
function app_one_line_pem {
echo "`awk 'NF {sub(/\\n/, ""); printf "%s\\\\\\\n",$0;}' $1`"
}
function app_json_ccp {
local ORG=$1
local PP=$(one_line_pem $2)
local CP=$(one_line_pem $3)
sed -e "s/\${ORG}/$ORG/" \
-e "s#\${PEERPEM}#$PP#" \
-e "s#\${CAPEM}#$CP#" \
scripts/ccp-template.json
}
function app_id {
local MSP=$1
local CERT=$(one_line_pem $2)
local PK=$(one_line_pem $3)
sed -e "s#\${CERTIFICATE}#$CERT#" \
-e "s#\${PRIVATE_KEY}#$PK#" \
-e "s#\${MSPID}#$MSP#" \
scripts/appuser.id.template
}
function construct_application_configmap() {
push_fn "Constructing application connection profiles"
ENROLLMENT_DIR=${TEMP_DIR}/enrollments
CHANNEL_MSP_DIR=${TEMP_DIR}/channel-msp
mkdir -p build/application/wallet
mkdir -p build/application/gateways
local peer_pem=$CHANNEL_MSP_DIR/peerOrganizations/org1/msp/tlscacerts/tlsca-signcert.pem
local ca_pem=$CHANNEL_MSP_DIR/peerOrganizations/org1/msp/cacerts/ca-signcert.pem
echo "$(json_ccp 1 $peer_pem $ca_pem)" > build/application/gateways/org1_ccp.json
peer_pem=$CHANNEL_MSP_DIR/peerOrganizations/org2/msp/tlscacerts/tlsca-signcert.pem
ca_pem=$CHANNEL_MSP_DIR/peerOrganizations/org2/msp/cacerts/ca-signcert.pem
echo "$(json_ccp 2 $peer_pem $ca_pem)" > build/application/gateways/org2_ccp.json
pop_fn
push_fn "Getting Application Identities"
local cert=$ENROLLMENT_DIR/org1/users/org1admin/msp/signcerts/cert.pem
local pk=$ENROLLMENT_DIR/org1/users/org1admin/msp/keystore/key.pem
echo "$(app_id Org1MSP $cert $pk)" > build/application/wallet/appuser_org1.id
local cert=$ENROLLMENT_DIR/org2/users/org2admin/msp/signcerts/cert.pem
local pk=$ENROLLMENT_DIR/org2/users/org2admin/msp/keystore/key.pem
echo "$(app_id Org2MSP $cert $pk)" > build/application/wallet/appuser_org2.id
pop_fn
push_fn "Creating ConfigMap \"app-fabric-tls-v1-map\" with TLS certificates for the application"
kubectl -n $NS delete configmap app-fabric-tls-v1-map || true
kubectl -n $NS create configmap app-fabric-tls-v1-map --from-file=$CHANNEL_MSP_DIR/peerOrganizations/org1/msp/tlscacerts
pop_fn
push_fn "Creating ConfigMap \"app-fabric-ids-v1-map\" with identities for the application"
kubectl -n $NS delete configmap app-fabric-ids-v1-map || true
kubectl -n $NS create configmap app-fabric-ids-v1-map --from-file=./build/application/wallet
pop_fn
push_fn "Creating ConfigMap \"app-fabric-ccp-v1-map\" with ConnectionProfile for the application"
kubectl -n $NS delete configmap app-fabric-ccp-v1-map || true
kubectl -n $NS create configmap app-fabric-ccp-v1-map --from-file=./build/application/gateways
pop_fn
push_fn "Creating ConfigMap \"app-fabric-org1-v1-map\" with Organization 1 information for the application"
cat <<EOF > build/app-fabric-org1-v1-map.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: app-fabric-org1-v1-map
data:
fabric_channel: ${CHANNEL_NAME}
fabric_contract: ${CHAINCODE_NAME}
fabric_wallet_dir: /fabric/application/wallet
fabric_gateway_hostport: org1-peer-gateway-svc:7051
fabric_gateway_sslHostOverride: org1-peer-gateway-svc
fabric_user: appuser_org1
fabric_gateway_tlsCertPath: /fabric/tlscacerts/tlsca-signcert.pem
EOF
kubectl -n $NS apply -f build/app-fabric-org1-v1-map.yaml
# todo: could add the second org here
pop_fn
}
function application_connection() {
construct_application_configmap
log
log "For k8s applications:"
log "Config Maps created for the application"
log "To deploy your application updated the image name and issue these commands"
log ""
log "kubectl -n $NS apply -f kube/application-deployment.yaml"
log "kubectl -n $NS rollout status deploy/application-deployment"
log
log "For non-k8s applications:"
log "ConnectionPrfiles are in ${PWD}/build/application/gateways"
log "Identities are in ${PWD}/build/application/wallets"
log
}

9
test-network-k8s/scripts/appuser.id.template
View file

@ -1,9 +0,0 @@
{
"credentials": {
"certificate": "${CERTIFICATE}",
"privateKey": "${PRIVATE_KEY}"
},
"mspId": "${MSPID}",
"type": "X.509",
"version": 1
}

49
test-network-k8s/scripts/ccp-template.json
View file

@ -1,49 +0,0 @@
{
"name": "${NS}-org${ORG}",
"version": "1.0.0",
"client": {
"organization": "Org${ORG}",
"connection": {
"timeout": {
"peer": {
"endorser": "300"
}
}
}
},
"organizations": {
"Org${ORG}": {
"mspid": "Org${ORG}MSP",
"peers": [
"org${ORG}-peers"
],
"certificateAuthorities": [
"org${ORG}-ca"
]
}
},
"peers": {
"org${ORG}-peers": {
"url": "grpcs://org${ORG}-peer1.${NS}.svc.cluster.local:7051",
"tlsCACerts": {
"pem": "${PEERPEM}"
},
"grpcOptions": {
"ssl-target-name-override": "org${ORG}-peer1.${NS}.svc.cluster.local",
"hostnameOverride": "org${ORG}-peer1.${NS}.svc.cluster.local"
}
}
},
"certificateAuthorities": {
"org${ORG}-ca": {
"url": "https://org${ORG}-ca:443",
"caName": "org${ORG}-ca",
"tlsCACerts": {
"pem": ["${CAPEM}"]
},
"httpOptions": {
"verify": false
}
}
}
}

399
test-network-k8s/scripts/chaincode.sh
View file

@ -1,399 +0,0 @@
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
# chaincode "group" commands. Like "main" for chaincode sub-command group.
function chaincode_command_group() {
#set -x
COMMAND=$1
shift
if [ "${COMMAND}" == "deploy" ]; then
log "Deploying chaincode"
deploy_chaincode $@
log "🏁 - Chaincode is ready."
elif [ "${COMMAND}" == "activate" ]; then
log "Activating chaincode"
activate_chaincode $@
log "🏁 - Chaincode is ready."
elif [ "${COMMAND}" == "package" ]; then
log "Packaging chaincode"
package_chaincode $@
log "🏁 - Chaincode package is ready."
elif [ "${COMMAND}" == "id" ]; then
set_chaincode_id $@
log $CHAINCODE_ID
elif [ "${COMMAND}" == "launch" ]; then
log "Launching chaincode services"
launch_chaincode $@
log "🏁 - Chaincode services are ready"
elif [ "${COMMAND}" == "install" ]; then
log "Installing chaincode for org1"
install_chaincode $@
log "🏁 - Chaincode is installed"
elif [ "${COMMAND}" == "approve" ]; then
log "Approving chaincode for org1"
approve_chaincode $@
log "🏁 - Chaincode is approved"
elif [ "${COMMAND}" == "commit" ]; then
log "Committing chaincode for org1"
commit_chaincode $@
log "🏁 - Chaincode is committed"
elif [ "${COMMAND}" == "invoke" ]; then
invoke_chaincode $@ 2>> ${LOG_FILE}
elif [ "${COMMAND}" == "query" ]; then
query_chaincode $@ >> ${LOG_FILE}
elif [ "${COMMAND}" == "metadata" ]; then
query_chaincode_metadata $@ >> ${LOG_FILE}
else
print_help
exit 1
fi
}
# Convenience routine to "do everything" required to bring up a sample CC.
function deploy_chaincode() {
local cc_name=$1
local cc_label=$1
local cc_folder=$(absolute_path $2)
local temp_folder=$(mktemp -d)
local cc_package=${temp_folder}/${cc_name}.tgz
prepare_chaincode_image ${cc_folder} ${cc_name}
package_chaincode ${cc_name} ${cc_label} ${cc_package}
if [ "${CHAINCODE_BUILDER}" == "ccaas" ]; then
set_chaincode_id ${cc_package}
launch_chaincode ${cc_name} ${CHAINCODE_ID} ${CHAINCODE_IMAGE}
fi
activate_chaincode ${cc_name} ${cc_package}
}
# Prepare a chaincode image for use in a builder package.
# Sets the CHAINCODE_IMAGE environment variable
function prepare_chaincode_image() {
local cc_folder=$1
local cc_name=$2
build_chaincode_image ${cc_folder} ${cc_name}
if [ "${CLUSTER_RUNTIME}" == "k3s" ]; then
# For rancher / k3s runtimes, bypass the local container registry and load images directly from the image cache.
export CHAINCODE_IMAGE=${cc_name}
else
# For KIND and k8s-builder environments, publish the image to a local docker registry
export CHAINCODE_IMAGE=localhost:${LOCAL_REGISTRY_PORT}/${cc_name}
publish_chaincode_image ${cc_name} ${CHAINCODE_IMAGE}
fi
}
function build_chaincode_image() {
local cc_folder=$1
local cc_name=$2
push_fn "Building chaincode image ${cc_name}"
$CONTAINER_CLI build ${CONTAINER_NAMESPACE} -t ${cc_name} ${cc_folder}
pop_fn
}
# tag a docker image with a new name and publish to a remote container registry
function publish_chaincode_image() {
local cc_name=$1
local cc_url=$2
push_fn "Publishing chaincode image ${cc_url}"
${CONTAINER_CLI} tag ${cc_name} ${cc_url}
${CONTAINER_CLI} push ${cc_url}
pop_fn
}
# Convenience routine to "do everything other than package and launch" a sample CC.
# When debugging a chaincode server, the process must be launched prior to completing
# the chaincode lifecycle at the peer. This routine provides a route for packaging
# and installing the chaincode out of band, and a single target to complete the peer
# chaincode lifecycle.
function activate_chaincode() {
local cc_name=$1
local cc_package=$2
set_chaincode_id ${cc_package}
install_chaincode ${cc_package}
approve_chaincode ${cc_name} ${CHAINCODE_ID}
commit_chaincode ${cc_name}
}
function query_chaincode() {
local cc_name=$1
shift
set -x
export_peer_context org1 peer1
peer chaincode query \
-n $cc_name \
-C $CHANNEL_NAME \
-c $@ \
${QUERY_EXTRA_ARGS}
}
function query_chaincode_metadata() {
local cc_name=$1
shift
set -x
local args='{"Args":["org.hyperledger.fabric:GetMetadata"]}'
log ''
log 'Org1-Peer1:'
export_peer_context org1 peer1
peer chaincode query -n $cc_name -C $CHANNEL_NAME -c $args
log ''
log 'Org1-Peer2:'
export_peer_context org1 peer2
peer chaincode query -n $cc_name -C $CHANNEL_NAME -c $args
}
function invoke_chaincode() {
local cc_name=$1
shift
export_peer_context org1 peer1
peer chaincode invoke \
-n $cc_name \
-C $CHANNEL_NAME \
-c $@ \
--orderer org0-orderer1.${DOMAIN}:${NGINX_HTTPS_PORT} \
--connTimeout ${ORDERER_TIMEOUT} \
--tls --cafile ${TEMP_DIR}/channel-msp/ordererOrganizations/org0/orderers/org0-orderer1/tls/signcerts/tls-cert.pem \
${INVOKE_EXTRA_ARGS}
sleep 2
}
function package_chaincode() {
if [ "${CHAINCODE_BUILDER}" == "k8s" ]; then
package_k8s_chaincode $@
elif [ "${CHAINCODE_BUILDER}" == "ccaas" ]; then
package_ccaas_chaincode $@
else
log "Unknown CHAINCODE_BUILDER ${CHAINCODE_BUILDER}"
exit 1
fi
}
# The k8s builder expects EXACTLY an IMMUTABLE image digest referencing a SPECIFIC image layer at a container registry.
function package_k8s_chaincode() {
local cc_name=$1
local cc_label=$2
local cc_archive=$3
local cc_folder=$(dirname $cc_archive)
local archive_name=$(basename $cc_archive)
push_fn "Packaging k8s chaincode ${cc_archive}"
mkdir -p ${cc_folder}
# Find the docker image digest associated with the image at the container registry
local cc_digest=$(${CONTAINER_CLI} inspect --format='{{index .RepoDigests 0}}' ${CHAINCODE_IMAGE} | cut -d'@' -f2)
cat << IMAGEJSON-EOF > ${cc_folder}/image.json
{
"name": "${CHAINCODE_IMAGE}",
"digest": "${cc_digest}"
}
IMAGEJSON-EOF
cat << METADATAJSON-EOF > ${cc_folder}/metadata.json
{
"type": "k8s",
"label": "${cc_label}"
}
METADATAJSON-EOF
tar -C ${cc_folder} -zcf ${cc_folder}/code.tar.gz image.json
tar -C ${cc_folder} -zcf ${cc_archive} code.tar.gz metadata.json
rm ${cc_folder}/code.tar.gz
pop_fn
}
function package_ccaas_chaincode() {
local cc_name=$1
local cc_label=$2
local cc_archive=$3
local cc_folder=$(dirname $cc_archive)
local archive_name=$(basename $cc_archive)
push_fn "Packaging ccaas chaincode ${cc_label}"
mkdir -p ${cc_folder}
# Allow the user to override the service URL for the endpoint. This allows, for instance,
# local debugging at the 'host.docker.internal' DNS alias.
local cc_default_address="{{.peername}}-ccaas-${cc_name}:9999"
local cc_address=${TEST_NETWORK_CHAINCODE_ADDRESS:-$cc_default_address}
cat << EOF > ${cc_folder}/connection.json
{
"address": "${cc_address}",
"dial_timeout": "10s",
"tls_required": false
}
EOF
cat << EOF > ${cc_folder}/metadata.json
{
"type": "ccaas",
"label": "${cc_label}"
}
EOF
tar -C ${cc_folder} -zcf ${cc_folder}/code.tar.gz connection.json
tar -C ${cc_folder} -zcf ${cc_archive} code.tar.gz metadata.json
rm ${cc_folder}/code.tar.gz
pop_fn
}
function launch_chaincode_service() {
local org=$1
local peer=$2
local cc_name=$3
local cc_id=$4
local cc_image=$5
push_fn "Launching chaincode container \"${cc_image}\""
# The chaincode endpoint needs to have the generated chaincode ID available in the environment.
# This could be from a config map, a secret, or by directly editing the deployment spec. Here we'll keep
# things simple by using sed to substitute script variables into a yaml template.
cat kube/${org}/${org}-cc-template.yaml \
| sed 's,{{CHAINCODE_NAME}},'${cc_name}',g' \
| sed 's,{{CHAINCODE_ID}},'${cc_id}',g' \
| sed 's,{{CHAINCODE_IMAGE}},'${cc_image}',g' \
| sed 's,{{PEER_NAME}},'${peer}',g' \
| exec kubectl -n $ORG1_NS apply -f -
kubectl -n $ORG1_NS rollout status deploy/${org}${peer}-ccaas-${cc_name}
pop_fn
}
function launch_chaincode() {
local org=org1
local cc_name=$1
local cc_id=$2
local cc_image=$3
launch_chaincode_service ${org} peer1 ${cc_name} ${cc_id} ${cc_image}
launch_chaincode_service ${org} peer2 ${cc_name} ${cc_id} ${cc_image}
}
function install_chaincode_for() {
local org=$1
local peer=$2
local cc_package=$3
push_fn "Installing chaincode for org ${org} peer ${peer}"
export_peer_context $org $peer
peer lifecycle chaincode install $cc_package ${INSTALL_EXTRA_ARGS}
pop_fn
}
# Package and install the chaincode, but do not activate.
function install_chaincode() {
local org=org1
local cc_package=$1
install_chaincode_for ${org} peer1 ${cc_package}
install_chaincode_for ${org} peer2 ${cc_package}
}
# approve the chaincode package for an org and assign a name
function approve_chaincode() {
local org=org1
local peer=peer1
local cc_name=$1
local cc_id=$2
push_fn "Approving chaincode ${cc_name} with ID ${cc_id}"
export_peer_context $org $peer
peer lifecycle \
chaincode approveformyorg \
--channelID ${CHANNEL_NAME} \
--name ${cc_name} \
--version 1 \
--package-id ${cc_id} \
--sequence 1 \
--orderer org0-orderer1.${DOMAIN}:${NGINX_HTTPS_PORT} \
--connTimeout ${ORDERER_TIMEOUT} \
--tls --cafile ${TEMP_DIR}/channel-msp/ordererOrganizations/org0/orderers/org0-orderer1/tls/signcerts/tls-cert.pem \
${APPROVE_EXTRA_ARGS}
pop_fn
}
# commit the named chaincode for an org
function commit_chaincode() {
local org=org1
local peer=peer1
local cc_name=$1
push_fn "Committing chaincode ${cc_name}"
export_peer_context $org $peer
peer lifecycle \
chaincode commit \
--channelID ${CHANNEL_NAME} \
--name ${cc_name} \
--version 1 \
--sequence 1 \
--orderer org0-orderer1.${DOMAIN}:${NGINX_HTTPS_PORT} \
--connTimeout ${ORDERER_TIMEOUT} \
--tls --cafile ${TEMP_DIR}/channel-msp/ordererOrganizations/org0/orderers/org0-orderer1/tls/signcerts/tls-cert.pem \
${COMMIT_EXTRA_ARGS}
pop_fn
}
function set_chaincode_id() {
local cc_package=$1
cc_sha256=$(shasum -a 256 ${cc_package} | tr -s ' ' | cut -d ' ' -f 1)
cc_label=$(tar zxfO ${cc_package} metadata.json | jq -r '.label')
CHAINCODE_ID=${cc_label}:${cc_sha256}
}

276
test-network-k8s/scripts/channel.sh
View file

@ -1,276 +0,0 @@
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
function channel_command_group() {
# set -x
COMMAND=$1
shift
if [ "${COMMAND}" == "create" ]; then
log "Creating channel \"${CHANNEL_NAME}\":"
channel_up
log "🏁 - Channel is ready."
else
print_help
exit 1
fi
}
function channel_up() {
register_org_admins
enroll_org_admins
create_channel_MSP
create_genesis_block
join_channel_orderers
join_channel_peers
}
function register_org_admins() {
push_fn "Registering org Admin users"
register_org_admin org0 org0admin org0adminpw
register_org_admin org1 org1admin org1adminpw
register_org_admin org2 org2admin org2adminpw
pop_fn
}
# Register the org admin user
function register_org_admin() {
local type=admin
local org=$1
local id_name=$2
local id_secret=$3
local ca_name=${org}-ca
echo "Registering org admin $username"
fabric-ca-client register \
--id.name ${id_name} \
--id.secret ${id_secret} \
--id.type ${type} \
--url https://${ca_name}.${DOMAIN}:${NGINX_HTTPS_PORT} \
--tls.certfiles $TEMP_DIR/cas/${ca_name}/tlsca-cert.pem \
--mspdir $TEMP_DIR/enrollments/${org}/users/${RCAADMIN_USER}/msp \
--id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
}
function enroll_org_admins() {
push_fn "Enrolling org Admin users"
enroll_org_admin orderer org0 org0admin org0adminpw
enroll_org_admin peer org1 org1admin org1adminpw
enroll_org_admin peer org2 org2admin org2adminpw
pop_fn
}
# Enroll the admin client to the local certificate storage folder.
function enroll_org_admin() {
local type=$1
local org=$2
local username=$3
local password=$4
echo "Enrolling $type org admin $username"
ENROLLMENTS_DIR=${TEMP_DIR}/enrollments
ORG_ADMIN_DIR=${ENROLLMENTS_DIR}/${org}/users/${username}
# skip the enrollment if the admin certificate is available.
if [ -f "${ORG_ADMIN_DIR}/msp/keystore/key.pem" ]; then
echo "Found an existing admin enrollment at ${ORG_ADMIN_DIR}"
return
fi
# Determine the CA information and TLS certificate
CA_NAME=${org}-ca
CA_DIR=${TEMP_DIR}/cas/${CA_NAME}
CA_AUTH=${username}:${password}
CA_HOST=${CA_NAME}.${DOMAIN}
CA_PORT=${NGINX_HTTPS_PORT}
CA_URL=https://${CA_AUTH}@${CA_HOST}:${CA_PORT}
# enroll the org admin
FABRIC_CA_CLIENT_HOME=${ORG_ADMIN_DIR} fabric-ca-client enroll \
--url ${CA_URL} \
--tls.certfiles ${CA_DIR}/tlsca-cert.pem
# Construct an msp config.yaml
CA_CERT_NAME=${CA_NAME}-$(echo $DOMAIN | tr -s . -)-${CA_PORT}.pem
create_msp_config_yaml ${CA_NAME} ${CA_CERT_NAME} ${ORG_ADMIN_DIR}/msp
# private keys are hashed by name, but we only support one enrollment.
# test-network examples refer to this as "server.key", which is incorrect.
# This is the private key used to endorse transactions using the admin's
# public key.
mv ${ORG_ADMIN_DIR}/msp/keystore/*_sk ${ORG_ADMIN_DIR}/msp/keystore/key.pem
}
# create an enrollment MSP config.yaml
function create_msp_config_yaml() {
local ca_name=$1
local ca_cert_name=$2
local msp_dir=$3
echo "Creating msp config ${msp_dir}/config.yaml with cert ${ca_cert_name}"
cat << EOF > ${msp_dir}/config.yaml
NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: cacerts/${ca_cert_name}
OrganizationalUnitIdentifier: client
PeerOUIdentifier:
Certificate: cacerts/${ca_cert_name}
OrganizationalUnitIdentifier: peer
AdminOUIdentifier:
Certificate: cacerts/${ca_cert_name}
OrganizationalUnitIdentifier: admin
OrdererOUIdentifier:
Certificate: cacerts/${ca_cert_name}
OrganizationalUnitIdentifier: orderer
EOF
}
function create_channel_MSP() {
push_fn "Creating channel MSP"
create_channel_org_MSP org0 orderer $ORG0_NS
create_channel_org_MSP org1 peer $ORG1_NS
create_channel_org_MSP org2 peer $ORG2_NS
extract_orderer_tls_cert org0 orderer1
extract_orderer_tls_cert org0 orderer2
extract_orderer_tls_cert org0 orderer3
pop_fn
}
function create_channel_org_MSP() {
local org=$1
local type=$2
local ns=$3
local ca_name=${org}-ca
ORG_MSP_DIR=${TEMP_DIR}/channel-msp/${type}Organizations/${org}/msp
mkdir -p ${ORG_MSP_DIR}/cacerts
mkdir -p ${ORG_MSP_DIR}/tlscacerts
# extract the CA's signing authority from the CA/cainfo response
curl -s \
--cacert ${TEMP_DIR}/cas/${ca_name}/tlsca-cert.pem \
https://${ca_name}.${DOMAIN}:${NGINX_HTTPS_PORT}/cainfo \
| jq -r .result.CAChain \
| base64 -d \
> ${ORG_MSP_DIR}/cacerts/ca-signcert.pem
# extract the CA's TLS CA certificate from the cert-manager secret
kubectl -n $ns get secret ${ca_name}-tls-cert -o json \
| jq -r .data.\"ca.crt\" \
| base64 -d \
> ${ORG_MSP_DIR}/tlscacerts/tlsca-signcert.pem
# create an MSP config.yaml with the CA's signing certificate
create_msp_config_yaml ${ca_name} ca-signcert.pem ${ORG_MSP_DIR}
}
# Extract an orderer's TLS signing certificate for inclusion in the channel config block
function extract_orderer_tls_cert() {
local org=$1
local orderer=$2
local ns=$ORG0_NS
echo "Extracting TLS cert for $org $orderer"
ORDERER_TLS_DIR=${TEMP_DIR}/channel-msp/ordererOrganizations/${org}/orderers/${org}-${orderer}/tls
mkdir -p $ORDERER_TLS_DIR/signcerts
kubectl -n $ns get secret ${org}-${orderer}-tls-cert -o json \
| jq -r .data.\"tls.crt\" \
| base64 -d \
> ${ORDERER_TLS_DIR}/signcerts/tls-cert.pem
}
function create_genesis_block() {
push_fn "Creating channel genesis block"
cat ${PWD}/config/org0/configtx-template.yaml | envsubst > ${TEMP_DIR}/configtx.yaml
FABRIC_CFG_PATH=${TEMP_DIR} \
configtxgen \
-profile TwoOrgsApplicationGenesis \
-channelID $CHANNEL_NAME \
-outputBlock ${TEMP_DIR}/genesis_block.pb
# configtxgen -inspectBlock ${TEMP_DIR}/genesis_block.pb
pop_fn
}
function join_channel_orderers() {
push_fn "Joining orderers to channel ${CHANNEL_NAME}"
join_channel_orderer org0 orderer1
join_channel_orderer org0 orderer2
join_channel_orderer org0 orderer3
# todo: readiness / liveiness equivalent for channel? Needs a little bit to settle before peers can join.
sleep 10
pop_fn
}
# Request from the channel ADMIN api that the orderer joins the target channel
function join_channel_orderer() {
local org=$1
local orderer=$2
# The client certificate presented in this case is the admin user's enrollment key. This is a stronger assertion
# of identity than the Docker Compose network, which transmits the orderer node's TLS key pair directly
osnadmin channel join \
--orderer-address ${org}-${orderer}-admin.${DOMAIN}:${NGINX_HTTPS_PORT} \
--ca-file ${TEMP_DIR}/channel-msp/ordererOrganizations/${org}/orderers/${org}-${orderer}/tls/signcerts/tls-cert.pem \
--client-cert ${TEMP_DIR}/enrollments/${org}/users/${org}admin/msp/signcerts/cert.pem \
--client-key ${TEMP_DIR}/enrollments/${org}/users/${org}admin/msp/keystore/key.pem \
--channelID ${CHANNEL_NAME} \
--config-block ${TEMP_DIR}/genesis_block.pb
}
function join_channel_peers() {
join_org_peers org1
join_org_peers org2
}
function join_org_peers() {
local org=$1
push_fn "Joining ${org} peers to channel ${CHANNEL_NAME}"
# Join peers to channel
join_channel_peer $org peer1
join_channel_peer $org peer2
pop_fn
}
function join_channel_peer() {
local org=$1
local peer=$2
export_peer_context $org $peer
peer channel join \
--blockpath ${TEMP_DIR}/genesis_block.pb \
--orderer org0-orderer1.${DOMAIN} \
--connTimeout ${ORDERER_TIMEOUT} \
--tls \
--cafile ${TEMP_DIR}/channel-msp/ordererOrganizations/org0/orderers/org0-orderer1/tls/signcerts/tls-cert.pem
}

145
test-network-k8s/scripts/cluster.sh
View file

@ -1,145 +0,0 @@
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
# cluster "group" commands. Like "main" for the fabric-cli "cluster" sub-command
function cluster_command_group() {
# Default COMMAND is 'init' if not specified
if [ "$#" -eq 0 ]; then
COMMAND="init"
else
COMMAND=$1
shift
fi
if [ "${COMMAND}" == "init" ]; then
log "Initializing K8s cluster"
cluster_init
log "🏁 - Cluster is ready"
elif [ "${COMMAND}" == "clean" ]; then
log "Cleaning k8s cluster"
cluster_clean
log "🏁 - Cluster is cleaned"
elif [ "${COMMAND}" == "load-images" ]; then
log "Loading Docker images"
load_images
log "🏁 - Images are loaded"
else
print_help
exit 1
fi
}
function pull_docker_images() {
push_fn "Pulling docker images for Fabric ${FABRIC_VERSION}"
$CONTAINER_CLI pull ${CONTAINER_NAMESPACE} ${FABRIC_CONTAINER_REGISTRY}/fabric-ca:$FABRIC_CA_VERSION
$CONTAINER_CLI pull ${CONTAINER_NAMESPACE} ${FABRIC_CONTAINER_REGISTRY}/fabric-orderer:$FABRIC_VERSION
$CONTAINER_CLI pull ${CONTAINER_NAMESPACE} ${FABRIC_PEER_IMAGE}
$CONTAINER_CLI pull ${CONTAINER_NAMESPACE} couchdb:$COUCHDB_VERSION
$CONTAINER_CLI pull ${CONTAINER_NAMESPACE} ghcr.io/hyperledger/fabric-rest-sample:latest
$CONTAINER_CLI pull ${CONTAINER_NAMESPACE} redis:6.2.5
pop_fn
}
function cluster_init() {
apply_nginx_ingress
apply_cert_manager
sleep 2
wait_for_cert_manager
wait_for_nginx_ingress
if [ "${STAGE_DOCKER_IMAGES}" == true ]; then
pull_docker_images
kind_load_docker_images
fi
}
function apply_nginx() {
apply_nginx_ingress
wait_for_nginx_ingress
}
function apply_nginx_ingress() {
push_fn "Launching ${CLUSTER_RUNTIME} ingress controller"
# 1.1.2 static ingress with modifications to enable ssl-passthrough
# k3s : 'cloud'
# kind : 'kind'
# kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/cloud/deploy.yaml
kubectl apply -f kube/ingress-nginx-${CLUSTER_RUNTIME}.yaml
pop_fn
}
function delete_nginx_ingress() {
push_fn "Deleting ${CLUSTER_RUNTIME} ingress controller"
cat kube/ingress-nginx-${CLUSTER_RUNTIME}.yaml | kubectl delete -f -
pop_fn
}
function wait_for_nginx_ingress() {
push_fn "Waiting for ingress controller"
kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \
--selector=app.kubernetes.io/component=controller \
--timeout=2m
pop_fn
}
function apply_cert_manager() {
push_fn "Launching cert-manager"
# Install cert-manager to manage TLS certificates
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml
pop_fn
}
function delete_cert_manager() {
push_fn "Deleting cert-manager"
# Install cert-manager to manage TLS certificates
curl https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml | kubectl delete -f -
pop_fn
}
function wait_for_cert_manager() {
push_fn "Waiting for cert-manager"
kubectl -n cert-manager rollout status deploy/cert-manager
kubectl -n cert-manager rollout status deploy/cert-manager-cainjector
kubectl -n cert-manager rollout status deploy/cert-manager-webhook
pop_fn
}
function cluster_clean() {
delete_nginx_ingress
delete_cert_manager
}
function load_images() {
if [ "${CLUSTER_RUNTIME}" == "kind" ]; then
kind_load_docker_images
fi
}

81
test-network-k8s/scripts/fabric_CAs.sh
View file

@ -1,81 +0,0 @@
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
function launch_ECert_CAs() {
push_fn "Launching Fabric CAs"
apply_template kube/org0/org0-ca.yaml $ORG0_NS
apply_template kube/org1/org1-ca.yaml $ORG1_NS
apply_template kube/org2/org2-ca.yaml $ORG2_NS
kubectl -n $ORG0_NS rollout status deploy/org0-ca
kubectl -n $ORG1_NS rollout status deploy/org1-ca
kubectl -n $ORG2_NS rollout status deploy/org2-ca
# todo: this papers over a nasty bug whereby the CAs are ready, but sporadically refuse connections after a down / up
sleep 5
pop_fn
}
# experimental: create TLS CA issuers using cert-manager for each org.
function init_tls_cert_issuers() {
push_fn "Initializing TLS certificate Issuers"
# Create a self-signing certificate issuer / root TLS certificate for the blockchain.
# TODO : Bring-Your-Own-Key - allow the network bootstrap to read an optional ECDSA key pair for the TLS trust root CA.
kubectl -n $ORG0_NS apply -f kube/root-tls-cert-issuer.yaml
kubectl -n $ORG0_NS wait --timeout=30s --for=condition=Ready issuer/root-tls-cert-issuer
kubectl -n $ORG1_NS apply -f kube/root-tls-cert-issuer.yaml
kubectl -n $ORG1_NS wait --timeout=30s --for=condition=Ready issuer/root-tls-cert-issuer
kubectl -n $ORG2_NS apply -f kube/root-tls-cert-issuer.yaml
kubectl -n $ORG2_NS wait --timeout=30s --for=condition=Ready issuer/root-tls-cert-issuer
# Use the self-signing issuer to generate three Issuers, one for each org.
kubectl -n $ORG0_NS apply -f kube/org0/org0-tls-cert-issuer.yaml
kubectl -n $ORG1_NS apply -f kube/org1/org1-tls-cert-issuer.yaml
kubectl -n $ORG2_NS apply -f kube/org2/org2-tls-cert-issuer.yaml
kubectl -n $ORG0_NS wait --timeout=30s --for=condition=Ready issuer/org0-tls-cert-issuer
kubectl -n $ORG1_NS wait --timeout=30s --for=condition=Ready issuer/org1-tls-cert-issuer
kubectl -n $ORG2_NS wait --timeout=30s --for=condition=Ready issuer/org2-tls-cert-issuer
pop_fn
}
function enroll_bootstrap_ECert_CA_user() {
local org=$1
local ns=$2
# Determine the CA information and TLS certificate
CA_NAME=${org}-ca
CA_DIR=${TEMP_DIR}/cas/${CA_NAME}
mkdir -p ${CA_DIR}
# Read the CA's TLS certificate from the cert-manager CA secret
echo "retrieving ${CA_NAME} TLS root cert"
kubectl -n $ns get secret ${CA_NAME}-tls-cert -o json \
| jq -r .data.\"ca.crt\" \
| base64 -d \
> ${CA_DIR}/tlsca-cert.pem
# Enroll the root CA user
fabric-ca-client enroll \
--url https://${RCAADMIN_USER}:${RCAADMIN_PASS}@${CA_NAME}.${DOMAIN}:${NGINX_HTTPS_PORT} \
--tls.certfiles $TEMP_DIR/cas/${CA_NAME}/tlsca-cert.pem \
--mspdir $TEMP_DIR/enrollments/${org}/users/${RCAADMIN_USER}/msp
}
function enroll_bootstrap_ECert_CA_users() {
push_fn "Enrolling bootstrap ECert CA users"
enroll_bootstrap_ECert_CA_user org0 $ORG0_NS
enroll_bootstrap_ECert_CA_user org1 $ORG1_NS
enroll_bootstrap_ECert_CA_user org2 $ORG2_NS
pop_fn
}

82
test-network-k8s/scripts/fabric_config.sh
View file

@ -1,82 +0,0 @@
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
function init_namespace() {
local namespaces=$(echo "$ORG0_NS $ORG1_NS $ORG2_NS" | xargs -n1 | sort -u)
for ns in $namespaces; do
push_fn "Creating namespace \"$ns\""
kubectl create namespace $ns || true
pop_fn
done
}
function delete_namespace() {
local namespaces=$(echo "$ORG0_NS $ORG1_NS $ORG2_NS" | xargs -n1 | sort -u)
for ns in $namespaces; do
push_fn "Deleting namespace \"$ns\""
kubectl delete namespace $ns || true
pop_fn
done
}
function init_storage_volumes() {
push_fn "Provisioning volume storage"
# Both KIND and k3s use the Rancher local-path provider. In KIND, this is installed
# as the 'standard' storage class, and in Rancher as the 'local-path' storage class.
if [ "${CLUSTER_RUNTIME}" == "kind" ]; then
export STORAGE_CLASS="standard"
elif [ "${CLUSTER_RUNTIME}" == "k3s" ]; then
export STORAGE_CLASS="local-path"
else
echo "Unknown CLUSTER_RUNTIME ${CLUSTER_RUNTIME}"
exit 1
fi
cat kube/pvc-fabric-org0.yaml | envsubst | kubectl -n $ORG0_NS create -f - || true
cat kube/pvc-fabric-org1.yaml | envsubst | kubectl -n $ORG1_NS create -f - || true
cat kube/pvc-fabric-org2.yaml | envsubst | kubectl -n $ORG2_NS create -f - || true
pop_fn
}
function load_org_config() {
push_fn "Creating fabric config maps"
kubectl -n $ORG0_NS delete configmap org0-config || true
kubectl -n $ORG1_NS delete configmap org1-config || true
kubectl -n $ORG2_NS delete configmap org2-config || true
kubectl -n $ORG0_NS create configmap org0-config --from-file=config/org0
kubectl -n $ORG1_NS create configmap org1-config --from-file=config/org1
kubectl -n $ORG2_NS create configmap org2-config --from-file=config/org2
pop_fn
}
function apply_k8s_builder_roles() {
push_fn "Applying k8s chaincode builder roles"
apply_template kube/fabric-builder-role.yaml $ORG1_NS
apply_template kube/fabric-builder-rolebinding.yaml $ORG1_NS
pop_fn
}
function apply_k8s_builders() {
push_fn "Installing k8s chaincode builders"
apply_template kube/org1/org1-install-k8s-builder.yaml $ORG1_NS
apply_template kube/org2/org2-install-k8s-builder.yaml $ORG2_NS
kubectl -n $ORG1_NS wait --for=condition=complete --timeout=60s job/org1-install-k8s-builder
kubectl -n $ORG2_NS wait --for=condition=complete --timeout=60s job/org2-install-k8s-builder
pop_fn
}

142
test-network-k8s/scripts/kind.sh
View file

@ -1,142 +0,0 @@
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
function kind_create() {
push_fn "Creating cluster \"${CLUSTER_NAME}\""
# prevent the next kind cluster from using the previous Fabric network's enrollments.
rm -rf $PWD/build
# todo: always delete? Maybe return no-op if the cluster already exists?
kind delete cluster --name $CLUSTER_NAME
local reg_name=${LOCAL_REGISTRY_NAME}
local reg_port=${LOCAL_REGISTRY_PORT}
local ingress_http_port=${NGINX_HTTP_PORT}
local ingress_https_port=${NGINX_HTTPS_PORT}
# the 'ipvs'proxy mode permits better HA abilities
cat <<EOF | kind create cluster --name $CLUSTER_NAME --config=-
---
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 80
hostPort: ${ingress_http_port}
protocol: TCP
- containerPort: 443
hostPort: ${ingress_https_port}
protocol: TCP
#networking:
# kubeProxyMode: "ipvs"
# create a cluster with the local registry enabled in containerd
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:${reg_port}"]
endpoint = ["http://${reg_name}:${reg_port}"]
EOF
# workaround for https://github.com/hyperledger/fabric-samples/issues/550 - pods can not resolve external DNS
for node in $(kind get nodes);
do
docker exec "$node" sysctl net.ipv4.conf.all.route_localnet=1;
done
pop_fn
}
function kind_load_docker_images() {
push_fn "Loading docker images to KIND control plane"
kind load docker-image ${FABRIC_CONTAINER_REGISTRY}/fabric-ca:$FABRIC_CA_VERSION
kind load docker-image ${FABRIC_CONTAINER_REGISTRY}/fabric-orderer:$FABRIC_VERSION
kind load docker-image ${FABRIC_PEER_IMAGE}
kind load docker-image couchdb:$COUCHDB_VERSION
kind load docker-image ghcr.io/hyperledger/fabric-rest-sample:latest
kind load docker-image redis:6.2.5
pop_fn
}
function launch_docker_registry() {
push_fn "Launching container registry \"${LOCAL_REGISTRY_NAME}\" at localhost:${LOCAL_REGISTRY_PORT}"
# create registry container unless it already exists
local reg_name=${LOCAL_REGISTRY_NAME}
local reg_port=${LOCAL_REGISTRY_PORT}
local reg_interface=${LOCAL_REGISTRY_INTERFACE}
running="$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)"
if [ "${running}" != 'true' ]; then
docker run \
--detach \
--restart always \
--name "${reg_name}" \
--publish "${reg_interface}:${reg_port}:5000" \
registry:2
fi
# connect the registry to the cluster network
# (the network may already be connected)
docker network connect "kind" "${reg_name}" || true
# Document the local registry
# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
cat <<EOF | kubectl apply -f -
---
apiVersion: v1
kind: ConfigMap
metadata:
name: local-registry-hosting
namespace: kube-public
data:
localRegistryHosting.v1: |
host: "localhost:${reg_port}"
help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
EOF
pop_fn
}
function stop_docker_registry() {
push_fn "Deleting container registry \"${LOCAL_REGISTRY_NAME}\" at localhost:${LOCAL_REGISTRY_PORT}"
docker kill kind-registry || true
docker rm kind-registry || true
pop_fn
}
function kind_delete() {
push_fn "Deleting KIND cluster ${CLUSTER_NAME}"
kind delete cluster --name $CLUSTER_NAME
pop_fn
}
function kind_init() {
kind_create
launch_docker_registry
}
function kind_unkind() {
kind_delete
stop_docker_registry
}

68
test-network-k8s/scripts/prereqs.sh
View file

@ -1,68 +0,0 @@
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
# Double check that kind, kubectl, docker, and all required images are present.
function check_prereqs() {
set +e
${CONTAINER_CLI} version > /dev/null
if [[ $? -ne 0 ]]; then
echo "No '${CONTAINER_CLI}' binary available?"
exit 1
fi
if [ "${CLUSTER_RUNTIME}" == "kind" ]; then
kind version > /dev/null
if [[ $? -ne 0 ]]; then
echo "No 'kind' binary available? (https://kind.sigs.k8s.io/docs/user/quick-start/#installation)"
exit 1
fi
fi
kubectl > /dev/null
if [[ $? -ne 0 ]]; then
echo "No 'kubectl' binary available? (https://kubernetes.io/docs/tasks/tools/)"
exit 1
fi
jq --version > /dev/null
if [[ $? -ne 0 ]]; then
echo "No 'jq' binary available? (https://stedolan.github.io/jq/)"
exit 1
fi
echo | envsubst > /dev/null
if [[ $? -ne 0 ]]; then
echo "No 'envsubst' binary (gettext package) available? (https://www.gnu.org/software/gettext/)"
exit 1
fi
# Use the local fabric binaries if available. If not, go get them.
bin/peer version &> /dev/null
if [[ $? -ne 0 ]]; then
echo "Downloading LATEST Fabric binaries and config"
curl -sSL https://raw.githubusercontent.com/hyperledger/fabric/main/scripts/bootstrap.sh \
| bash -s -- -s -d
# remove sample config files extracted by the installation script
rm config/configtx.yaml
rm config/core.yaml
rm config/orderer.yaml
fi
export PATH=bin:$PATH
# Double-check that the binary transfer was OK
peer version > /dev/null
if [[ $? -ne 0 ]]; then
log "No 'peer' binary available?"
exit 1
fi
set -e
}

82
test-network-k8s/scripts/rest_sample.sh
View file

@ -1,82 +0,0 @@
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
# This magical awk script led to 30 hours of debugging a "TLS handshake error"
# moral: do not edit / alter the number of '\' in the following transform:
function one_line_pem {
echo "`awk 'NF {sub(/\\n/, ""); printf "%s\\\\\\\n",$0;}' $1`"
}
function json_ccp {
local ORG=$1
local PP=$(one_line_pem $2)
local CP=$(one_line_pem $3)
local NS=$4
sed -e "s/\${ORG}/$ORG/" \
-e "s#\${PEERPEM}#$PP#" \
-e "s#\${CAPEM}#$CP#" \
-e "s#\${NS}#$NS#" \
scripts/ccp-template.json
}
function construct_rest_sample_configmap() {
local ns=$ORG1_NS
push_fn "Constructing fabric-rest-sample connection profiles"
ENROLLMENT_DIR=${TEMP_DIR}/enrollments
CHANNEL_MSP_DIR=${TEMP_DIR}/channel-msp
CONFIG_DIR=${TEMP_DIR}/fabric-rest-sample-config
mkdir -p $CONFIG_DIR
local peer_pem=$CHANNEL_MSP_DIR/peerOrganizations/org1/msp/tlscacerts/tlsca-signcert.pem
local ca_pem=$CHANNEL_MSP_DIR/peerOrganizations/org1/msp/cacerts/ca-signcert.pem
echo "$(json_ccp 1 $peer_pem $ca_pem $ORG1_NS)" > build/fabric-rest-sample-config/HLF_CONNECTION_PROFILE_ORG1
peer_pem=$CHANNEL_MSP_DIR/peerOrganizations/org2/msp/tlscacerts/tlsca-signcert.pem
ca_pem=$CHANNEL_MSP_DIR/peerOrganizations/org2/msp/cacerts/ca-signcert.pem
echo "$(json_ccp 2 $peer_pem $ca_pem $ORG2_NS)" > build/fabric-rest-sample-config/HLF_CONNECTION_PROFILE_ORG2
cp $ENROLLMENT_DIR/org1/users/org1admin/msp/signcerts/cert.pem $CONFIG_DIR/HLF_CERTIFICATE_ORG1
cp $ENROLLMENT_DIR/org2/users/org2admin/msp/signcerts/cert.pem $CONFIG_DIR/HLF_CERTIFICATE_ORG2
cp $ENROLLMENT_DIR/org1/users/org1admin/msp/keystore/key.pem $CONFIG_DIR/HLF_PRIVATE_KEY_ORG1
cp $ENROLLMENT_DIR/org2/users/org2admin/msp/keystore/key.pem $CONFIG_DIR/HLF_PRIVATE_KEY_ORG2
kubectl -n $ns delete configmap fabric-rest-sample-config || true
kubectl -n $ns create configmap fabric-rest-sample-config --from-file=$CONFIG_DIR
pop_fn
}
function rollout_rest_sample() {
local ns=$ORG1_NS
push_fn "Starting fabric-rest-sample"
kubectl -n $ns apply -f kube/fabric-rest-sample.yaml
kubectl -n $ns rollout status deploy/fabric-rest-sample
pop_fn
}
function launch_rest_sample() {
local ns=$ORG1_NS
construct_rest_sample_configmap
apply_template kube/fabric-rest-sample.yaml $ns
kubectl -n $ns rollout status deploy/fabric-rest-sample
log ""
log "The fabric-rest-sample has started."
log "See https://github.com/hyperledger/fabric-samples/tree/main/asset-transfer-basic/rest-api-typescript for additional usage details."
log "To access the endpoint:"
log ""
log "export SAMPLE_APIKEY=97834158-3224-4CE7-95F9-A148C886653E"
log 'curl -s --header "X-Api-Key: ${SAMPLE_APIKEY}" http://fabric-rest-sample.'${DOMAIN}'/api/assets'
log ""
}

110
test-network-k8s/scripts/set_anchor_peer.sh
View file

@ -1,110 +0,0 @@
#!/bin/bash
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
function fetch_channel_config() {
local output=$1
echo "Fetching the most recent configuration block for channel ${CHANNEL_NAME}"
peer channel \
fetch config config_block.pb \
-o org0-orderer1:6050 \
-c ${CHANNEL_NAME} \
--tls --cafile ${ORDERER_TLS_CA_FILE}
echo "Decoding config block to JSON and isolating config to ${output}"
configtxlator proto_decode \
--input config_block.pb \
--type common.Block \
| jq .data.data[0].payload.data.config > ${output}
}
verify_result() {
if [ $1 -ne 0 ]; then
echo $2
exit $1
fi
}
function create_config_update() {
local original=$1
local modified=$2
local output=$3
configtxlator proto_encode --input "${original}" --type common.Config --output original_config.pb
configtxlator proto_encode --input "${modified}" --type common.Config --output modified_config.pb
# returns non-zero if no updates were detected between current and new config
configtxlator compute_update --channel_id "${CHANNEL_NAME}" --original original_config.pb --updated modified_config.pb --output config_update.pb
if [ $? -ne 0 ]; then
echo "Anchor peer has already been set to ${ANCHOR_PEER_HOST}:${ANCHOR_PEER_PORT} - no update required."
return 1
fi
configtxlator proto_decode --input config_update.pb --type common.ConfigUpdate --output config_update.json
echo '{"payload":{"header":{"channel_header":{"channel_id":"'${CHANNEL_NAME}'", "type":2}},"data":{"config_update":'$(cat config_update.json)'}}}' | jq . > config_update_in_envelope.json
configtxlator proto_encode --input config_update_in_envelope.json --type common.Envelope --output ${output}
return 0
}
function create_anchor_peer_update() {
echo "Generating anchor peer update transaction for Org${ORG_NUM} on channel ${CHANNEL_NAME}"
fetch_channel_config config.json
set -x
# Modify the configuration to append the anchor peer
jq '.channel_group.groups.Application.groups.'${CORE_PEER_LOCALMSPID}'.values += {"AnchorPeers":{"mod_policy": "Admins","value":{"anchor_peers": [{"host": "'${ANCHOR_PEER_HOST}'","port": '${ANCHOR_PEER_PORT}'}]},"version": "0"}}' config.json > modified_config.json
{ set +x; } 2>/dev/null
# Compute a config update, based on the differences between
# config.json and modified_config.json, write
# it as a transaction to anchors.tx
create_config_update config.json modified_config.json anchors.tx
return $?
}
function update_anchor_peer() {
peer channel \
update -f anchors.tx \
-o org0-orderer1:6050 \
-c ${CHANNEL_NAME} \
--tls --cafile ${ORDERER_TLS_CA_FILE} >& log.txt
res=$?
cat log.txt
verify_result $res "Anchor peer update failed"
echo "Anchor peer set for org ${ORG_NAME} on channel ${CHANNEL_NAME} to ${ANCHOR_PEER_HOST}:${ANCHOR_PEER_PORT}"
}
function set_anchor_peer() {
echo "Updating org ${ORG_NUM} anchor peer for channel ${CHANNEL_NAME} to ${ANCHOR_PEER_HOST}:${ANCHOR_PEER_PORT}"
create_anchor_peer_update
res=$?
if [ $res -eq 0 ]; then
update_anchor_peer
fi
}
set -x
ORG_NUM=$1
CHANNEL_NAME=$2
PEER_NAME=$3
ORG_NAME=org${ORG_NUM}
ANCHOR_PEER_HOST=${ORG_NAME}-${PEER_NAME}
ANCHOR_PEER_PORT=7051
ORDERER_TLS_CA_FILE=/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem
export CORE_PEER_LOCALMSPID=Org${ORG_NUM}MSP
set_anchor_peer
{ set +x; } 2>/dev/null

204
test-network-k8s/scripts/test_network.sh
View file

@ -1,204 +0,0 @@
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
function launch_orderers() {
push_fn "Launching orderers"
apply_template kube/org0/org0-orderer1.yaml $ORG0_NS
apply_template kube/org0/org0-orderer2.yaml $ORG0_NS
apply_template kube/org0/org0-orderer3.yaml $ORG0_NS
kubectl -n $ORG0_NS rollout status deploy/org0-orderer1
kubectl -n $ORG0_NS rollout status deploy/org0-orderer2
kubectl -n $ORG0_NS rollout status deploy/org0-orderer3
pop_fn
}
function launch_peers() {
push_fn "Launching peers"
apply_template kube/org1/org1-peer1.yaml $ORG1_NS
apply_template kube/org1/org1-peer2.yaml $ORG1_NS
apply_template kube/org2/org2-peer1.yaml $ORG2_NS
apply_template kube/org2/org2-peer2.yaml $ORG2_NS
kubectl -n $ORG1_NS rollout status deploy/org1-peer1
kubectl -n $ORG1_NS rollout status deploy/org1-peer2
kubectl -n $ORG2_NS rollout status deploy/org2-peer1
kubectl -n $ORG2_NS rollout status deploy/org2-peer2
pop_fn
}
# Each network node needs a registration, enrollment, and MSP config.yaml
function create_node_local_MSP() {
local node_type=$1
local org=$2
local node=$3
local csr_hosts=$4
local ns=$5
local id_name=${org}-${node}
local id_secret=${node_type}pw
local ca_name=${org}-ca
# Register the node admin
rc=0
fabric-ca-client register \
--id.name ${id_name} \
--id.secret ${id_secret} \
--id.type ${node_type} \
--url https://${ca_name}.${DOMAIN}:${NGINX_HTTPS_PORT} \
--tls.certfiles $TEMP_DIR/cas/${ca_name}/tlsca-cert.pem \
--mspdir $TEMP_DIR/enrollments/${org}/users/${RCAADMIN_USER}/msp \
|| rc=$? # trap error code from registration without exiting the network driver script"
if [ $rc -eq 1 ]; then
echo "CA admin was (probably) previously registered - continuing"
fi
# Enroll the node admin user from within k8s. This will leave the certificates available on a volume share in the
# cluster for access by the nodes when launching in a container.
cat <<EOF | kubectl -n ${ns} exec deploy/${ca_name} -i -- /bin/sh
set -x
export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client
export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric/config/tls/ca.crt
fabric-ca-client enroll \
--url https://${id_name}:${id_secret}@${ca_name} \
--csr.hosts ${csr_hosts} \
--mspdir /var/hyperledger/fabric/organizations/${node_type}Organizations/${org}.example.com/${node_type}s/${id_name}.${org}.example.com/msp
# Create local MSP config.yaml
echo "NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: cacerts/${org}-ca.pem
OrganizationalUnitIdentifier: client
PeerOUIdentifier:
Certificate: cacerts/${org}-ca.pem
OrganizationalUnitIdentifier: peer
AdminOUIdentifier:
Certificate: cacerts/${org}-ca.pem
OrganizationalUnitIdentifier: admin
OrdererOUIdentifier:
Certificate: cacerts/${org}-ca.pem
OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/${node_type}Organizations/${org}.example.com/${node_type}s/${id_name}.${org}.example.com/msp/config.yaml
EOF
}
function create_orderer_local_MSP() {
local org=$1
local orderer=$2
local csr_hosts=${org}-${orderer}
create_node_local_MSP orderer $org $orderer $csr_hosts $ORG0_NS
}
function create_peer_local_MSP() {
local org=$1
local peer=$2
local ns=$3
local csr_hosts=localhost,${org}-${peer},${org}-peer-gateway-svc
create_node_local_MSP peer $org $peer $csr_hosts ${ns}
}
function create_local_MSP() {
push_fn "Creating local node MSP"
create_orderer_local_MSP org0 orderer1
create_orderer_local_MSP org0 orderer2
create_orderer_local_MSP org0 orderer3
create_peer_local_MSP org1 peer1 $ORG1_NS
create_peer_local_MSP org1 peer2 $ORG1_NS
create_peer_local_MSP org2 peer1 $ORG2_NS
create_peer_local_MSP org2 peer2 $ORG2_NS
pop_fn
}
function network_up() {
# Kube config
init_namespace
init_storage_volumes
load_org_config
# Service account permissions for the k8s builder
if [ "${CHAINCODE_BUILDER}" == "k8s" ]; then
apply_k8s_builder_roles
apply_k8s_builders
fi
# Network TLS CAs
init_tls_cert_issuers
# Network ECert CAs
launch_ECert_CAs
enroll_bootstrap_ECert_CA_users
# Test Network
create_local_MSP
launch_orderers
launch_peers
}
function stop_services() {
push_fn "Stopping Fabric services"
for ns in $ORG0_NS $ORG1_NS $ORG2_NS; do
kubectl -n $ns delete ingress --all
kubectl -n $ns delete deployment --all
kubectl -n $ns delete pod --all
kubectl -n $ns delete service --all
kubectl -n $ns delete configmap --all
kubectl -n $ns delete cert --all
kubectl -n $ns delete issuer --all
kubectl -n $ns delete secret --all
done
pop_fn
}
function scrub_org_volumes() {
push_fn "Scrubbing Fabric volumes"
for org in org0 org1 org2; do
# clean job to make this function can be rerun
local namespace_variable=${org^^}_NS
kubectl -n ${!namespace_variable} delete jobs --all
# scrub all pv contents
kubectl -n ${!namespace_variable} create -f kube/${org}/${org}-job-scrub-fabric-volumes.yaml
kubectl -n ${!namespace_variable} wait --for=condition=complete --timeout=60s job/job-scrub-fabric-volumes
kubectl -n ${!namespace_variable} delete jobs --all
done
pop_fn
}
function network_down() {
set +e
for ns in $ORG0_NS $ORG1_NS $ORG2_NS; do
kubectl get namespace $ns > /dev/null
if [[ $? -ne 0 ]]; then
echo "No namespace $ns found - nothing to do."
return
fi
done
set -e
stop_services
scrub_org_volumes
delete_namespace
rm -rf $PWD/build
}

114
test-network-k8s/scripts/utils.sh
View file

@ -1,114 +0,0 @@
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
function logging_init() {
# Reset the output and debug log files
printf '' > ${LOG_FILE} > ${DEBUG_FILE}
# Write all output to the control flow log to STDOUT
tail -f ${LOG_FILE} &
# Call the exit handler when we exit.
trap "exit_fn" EXIT
# Send stdout and stderr from child programs to the debug log file
exec 1>>${DEBUG_FILE} 2>>${DEBUG_FILE}
# There can be a race between the tail starting and the next log statement
sleep 0.5
}
function exit_fn() {
rc=$?
set +x
# Write an error icon to the current logging statement.
if [ "0" -ne $rc ]; then
pop_fn $rc
fi
# always remove the log trailer when the process exits.
pkill -P $$
}
function push_fn() {
#echo -ne " - entering ${FUNCNAME[1]} with arguments $@"
echo -ne " - $@ ..." >> ${LOG_FILE}
}
function log() {
echo -e $@ >> ${LOG_FILE}
}
function pop_fn() {
# echo exiting ${FUNCNAME[1]}
if [ $# -eq 0 ]; then
echo -ne "\r✅" >> ${LOG_FILE}
echo "" >> ${LOG_FILE}
return
fi
local res=$1
if [ $res -eq 0 ]; then
echo -ne "\r✅\n" >> ${LOG_FILE}
elif [ $res -eq 1 ]; then
echo -ne "\r⚠\n" >> ${LOG_FILE}
elif [ $res -eq 2 ]; then
echo -ne "\r☠\n" >> ${LOG_FILE}
elif [ $res -eq 127 ]; then
echo -ne "\r☠\n" >> ${LOG_FILE}
else
echo -ne "\r\n" >> ${LOG_FILE}
fi
if [ $res -ne 0 ]; then
tail -${LOG_ERROR_LINES} network-debug.log >> ${LOG_FILE}
fi
#echo "" >> ${LOG_FILE}
}
# Apply the current environment to a k8s template and apply to the cluster.
function apply_template() {
echo "Applying template $1:"
cat $1 | envsubst
cat $1 | envsubst | kubectl -n $2 apply -f -
}
# Set the calling context to refer the peer binary to the correct org / peer instance
#
# todo: Expose the output of this function to a target that prints the context to STDOUT.
#
# e.g.:
# bash $ source $(network set-peer-context org1 peer2)
# bash $ peer chaincode list
# bash $ ...
function export_peer_context() {
local org=$1
local peer=$2
export FABRIC_CFG_PATH=${PWD}/config/${org}
export CORE_PEER_ADDRESS=${org}-${peer}.${DOMAIN}:${NGINX_HTTPS_PORT}
export CORE_PEER_MSPCONFIGPATH=${TEMP_DIR}/enrollments/${org}/users/${org}admin/msp
export CORE_PEER_TLS_ROOTCERT_FILE=${TEMP_DIR}/channel-msp/peerOrganizations/${org}/msp/tlscacerts/tlsca-signcert.pem
}
function absolute_path() {
local relative_path=$1
local abspath="$( cd "${relative_path}" && pwd )"
echo $abspath
}