diff --git a/test-network-k8s/.gitignore b/test-network-k8s/.gitignore deleted file mode 100644 index 944be9b5..00000000 --- a/test-network-k8s/.gitignore +++ /dev/null @@ -1,7 +0,0 @@ -.idea/ -network.log -network-debug.log -build/ -.env -bin/ -*.tgz diff --git a/test-network-k8s/README.md b/test-network-k8s/README.md deleted file mode 100644 index 948d1a65..00000000 --- a/test-network-k8s/README.md +++ /dev/null 
@@ -1,117 +0,0 @@ -# Kubernetes Test Network - -This project re-establishes the Hyperledger [test-network](../test-network) as a _cloud native_ application. - -### Objectives: - -- Provide a simple, _one click_ activity for running the Fabric test network. -- Provide a reference guide for deploying _production-style_ networks on Kubernetes. -- Provide a _cloud ready_ platform for developing chaincode, Gateway, and blockchain apps. -- Provide a Kube supplement to the Fabric [CA Operations and Deployment](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy.html) guides. -- Support a transition to [Chaincode as a Service](https://hyperledger-fabric.readthedocs.io/en/latest/cc_service.html). -- Support a transition from the Internal, Docker daemon to [External Chaincode](https://hyperledger-fabric.readthedocs.io/en/latest/cc_launcher.html) builders. -- Run on any Kube. - -_Fabric, Ahoy!_ - - -## Prerequisites: - -- [kubectl](https://kubernetes.io/docs/tasks/tools/) -- [jq](https://stedolan.github.io/jq/) -- [envsubst](https://www.gnu.org/software/gettext/manual/html_node/envsubst-Invocation.html) (`brew install gettext` on OSX) - -- K8s - either: - - [KIND](https://kind.sigs.k8s.io/docs/user/quick-start/#installation) + [Docker](https://www.docker.com) (resources: 8 CPU / 8 GRAM) - - [Rancher Desktop](https://rancherdesktop.io) (resources: 8 CPU / 8GRAM, mobyd, and disable Traefik) - -## Quickstart - -Create a KIND cluster: -```shell -./network kind -./network cluster init -``` -or for [Rancher / k3s](docs/KUBERNETES.md#rancher-desktop-and-k3s): -```shell -export TEST_NETWORK_CLUSTER_RUNTIME=k3s - -./network cluster init -``` - -Launch the network, create a channel, and deploy the [basic-asset-transfer](../asset-transfer-basic) smart contract: -```shell -./network up - -./network channel create - -./network chaincode deploy asset-transfer-basic ../asset-transfer-basic/chaincode-java -``` - -Invoke and query chaincode: -```shell -./network 
chaincode invoke asset-transfer-basic '{"Args":["InitLedger"]}' -./network chaincode query asset-transfer-basic '{"Args":["ReadAsset","asset1"]}' -``` - -Access the blockchain with a [REST API](https://github.com/hyperledger/fabric-samples/tree/main/asset-transfer-basic/rest-api-typescript): -```shell -./network rest-easy -``` - -Shut down the test network: -```shell -./network down -``` - -Tear down the cluster (KIND): -```shell -./network unkind -``` - -For Rancher: Preferences -> Kubernetes Settings -> Reset Kubernetes OR ... -```shell -./network cluster clean -``` - - -## [Detailed Guides](docs/README.md) - -- [Working with Kubernetes](docs/KUBERNETES.md) -- [Certificate Authorities](docs/CA.md) -- [Launching the Test Network](docs/TEST_NETWORK.md) -- [Working with Channels](docs/CHANNELS.md) -- [Working with Chaincode](docs/CHAINCODE.md) -- [Working with Applications](docs/APPLICATIONS.md) - - -### DNS Resolution on OSX - -Fabric's OSX binaries have been statically linked with the golang `go` DNS resolver. In some environments, this -causes a brief but [noticeable delay](https://github.com/hyperledger/fabric/issues/3372) when issuing peer commands -against the test network. - -Workarounds to improve DNS resolution time on OSX: - -- Add manual DNS overrides for virtual hosts by adding to /etc/hosts: -``` -127.0.0.1 org0-ca.localho.st -127.0.0.1 org1-ca.localho.st -127.0.0.1 org2-ca.localho.st -127.0.0.1 org0-orderer1.localho.st -127.0.0.1 org0-orderer2.localho.st -127.0.0.1 org0-orderer3.localho.st -127.0.0.1 org1-peer1.localho.st -127.0.0.1 org1-peer2.localho.st -127.0.0.1 org2-peer1.localho.st -127.0.0.1 org2-peer2.localho.st -``` - -- Reduce the system resolver timeout from the default 5s by adding to /etc/resolv.conf: -```shell -options: timeout 2 -``` - -- Compile the [fabric binaries](https://github.com/hyperledger/fabric) on a Mac and copy `build/bin/*` outputs to - `test-network-k8s/bin`. 
Mac native builds are linked against the `netdns=cgo` DNS resolver, and are not - subject to the timeouts associated with the Golang DNS resolver. diff --git a/test-network-k8s/config/org0/configtx-template.yaml b/test-network-k8s/config/org0/configtx-template.yaml deleted file mode 100644 index 5bbbf93f..00000000 --- a/test-network-k8s/config/org0/configtx-template.yaml +++ /dev/null 
@@ -1,415 +0,0 @@ -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -################################################################################ -# -# Section: Organizations -# -# - This section defines the different organizational identities which will -# be referenced later in the configuration. -# -################################################################################ -Organizations: - - # SampleOrg defines an MSP using the sampleconfig. It should never be used - # in production but may be used as a template for other definitions - - &OrdererOrg - # DefaultOrg defines the organization which is used in the sampleconfig - # of the fabric.git development environment - Name: OrdererOrg - - # ID to load the MSP definition as - ID: OrdererMSP - - # MSPDir is the filesystem path which contains the MSP configuration - MSPDir: ./channel-msp/ordererOrganizations/org0/msp - - # Policies defines the set of policies at this level of the config tree - # For organization policies, their canonical path is usually - # /Channel/// - Policies: - Readers: - Type: Signature - Rule: "OR('OrdererMSP.member')" - Writers: - Type: Signature - Rule: "OR('OrdererMSP.member')" - Admins: - Type: Signature - Rule: "OR('OrdererMSP.admin')" - - OrdererEndpoints: - - org0-orderer1.${ORG0_NS}.svc.cluster.local:6050 - - org0-orderer2.${ORG0_NS}.svc.cluster.local:6050 - - org0-orderer3.${ORG0_NS}.svc.cluster.local:6050 - - - &Org1 - # DefaultOrg defines the organization which is used in the sampleconfig - # of the fabric.git development environment - Name: Org1MSP - - # ID to load the MSP definition as - ID: Org1MSP - - MSPDir: ./channel-msp/peerOrganizations/org1/msp - - # Policies defines the set of policies at this level of the config tree - # For organization policies, their canonical path is usually - # /Channel/// - Policies: - Readers: - Type: Signature - Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')" - Writers: - 
Type: Signature - Rule: "OR('Org1MSP.admin', 'Org1MSP.client')" - Admins: - Type: Signature - Rule: "OR('Org1MSP.admin')" - Endorsement: - Type: Signature - Rule: "OR('Org1MSP.peer')" - - # leave this flag set to true. - AnchorPeers: - # AnchorPeers defines the location of peers which can be used - # for cross org gossip communication. Note, this value is only - # encoded in the genesis block in the Application section context - - Host: org1-peer1.${ORG1_NS}.svc.cluster.local - Port: 7051 - - - &Org2 - # DefaultOrg defines the organization which is used in the sampleconfig - # of the fabric.git development environment - Name: Org2MSP - - # ID to load the MSP definition as - ID: Org2MSP - - MSPDir: ./channel-msp/peerOrganizations/org2/msp - - # Policies defines the set of policies at this level of the config tree - # For organization policies, their canonical path is usually - # /Channel/// - Policies: - Readers: - Type: Signature - Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')" - Writers: - Type: Signature - Rule: "OR('Org2MSP.admin', 'Org2MSP.client')" - Admins: - Type: Signature - Rule: "OR('Org2MSP.admin')" - Endorsement: - Type: Signature - Rule: "OR('Org2MSP.peer')" - - AnchorPeers: - # AnchorPeers defines the location of peers which can be used - # for cross org gossip communication. Note, this value is only - # encoded in the genesis block in the Application section context - - Host: org2-peer1.${ORG2_NS}.svc.cluster.local - Port: 7051 - -################################################################################ -# -# SECTION: Capabilities -# -# - This section defines the capabilities of fabric network. This is a new -# concept as of v1.1.0 and should not be utilized in mixed networks with -# v1.0.x peers and orderers. Capabilities define features which must be -# present in a fabric binary for that binary to safely participate in the -# fabric network. 
For instance, if a new MSP type is added, newer binaries -# might recognize and validate the signatures from this type, while older -# binaries without this support would be unable to validate those -# transactions. This could lead to different versions of the fabric binaries -# having different world states. Instead, defining a capability for a channel -# informs those binaries without this capability that they must cease -# processing transactions until they have been upgraded. For v1.0.x if any -# capabilities are defined (including a map with all capabilities turned off) -# then the v1.0.x peer will deliberately crash. -# -################################################################################ -Capabilities: - # Channel capabilities apply to both the orderers and the peers and must be - # supported by both. - # Set the value of the capability to true to require it. - Channel: &ChannelCapabilities - # V2_0 capability ensures that orderers and peers behave according - # to v2.0 channel capabilities. Orderers and peers from - # prior releases would behave in an incompatible way, and are therefore - # not able to participate in channels at v2.0 capability. - # Prior to enabling V2.0 channel capabilities, ensure that all - # orderers and peers on a channel are at v2.0.0 or later. - V2_0: true - - # Orderer capabilities apply only to the orderers, and may be safely - # used with prior release peers. - # Set the value of the capability to true to require it. - Orderer: &OrdererCapabilities - # V2_0 orderer capability ensures that orderers behave according - # to v2.0 orderer capabilities. Orderers from - # prior releases would behave in an incompatible way, and are therefore - # not able to participate in channels at v2.0 orderer capability. - # Prior to enabling V2.0 orderer capabilities, ensure that all - # orderers on channel are at v2.0.0 or later. 
- V2_0: true - - # Application capabilities apply only to the peer network, and may be safely - # used with prior release orderers. - # Set the value of the capability to true to require it. - Application: &ApplicationCapabilities - # V2_0 application capability ensures that peers behave according - # to v2.0 application capabilities. Peers from - # prior releases would behave in an incompatible way, and are therefore - # not able to participate in channels at v2.0 application capability. - # Prior to enabling V2.0 application capabilities, ensure that all - # peers on channel are at v2.0.0 or later. - V2_0: true - -################################################################################ -# -# SECTION: Application -# -# - This section defines the values to encode into a config transaction or -# genesis block for application related parameters -# -################################################################################ -Application: &ApplicationDefaults - - # Organizations is the list of orgs which are defined as participants on - # the application side of the network - Organizations: - - # Policies defines the set of policies at this level of the config tree - # For Application policies, their canonical path is - # /Channel/Application/ - Policies: - Readers: - Type: ImplicitMeta - Rule: "ANY Readers" - Writers: - Type: ImplicitMeta - Rule: "ANY Writers" - Admins: - Type: ImplicitMeta - Rule: "MAJORITY Admins" - LifecycleEndorsement: - Type: Signature - Rule: "OR('Org1MSP.peer','Org2MSP.peer')" - Endorsement: - Type: Signature - Rule: "OR('Org1MSP.peer','Org2MSP.peer')" - - Capabilities: - <<: *ApplicationCapabilities -################################################################################ -# -# SECTION: Orderer -# -# - This section defines the values to encode into a config transaction or -# genesis block for orderer related parameters -# -################################################################################ -Orderer: 
&OrdererDefaults - - # Orderer Type: The orderer implementation to start - OrdererType: etcdraft - - EtcdRaft: - Consenters: - - Host: org0-orderer1 - Port: 6050 - ClientTLSCert: ./channel-msp/ordererOrganizations/org0/orderers/org0-orderer1/tls/signcerts/tls-cert.pem - ServerTLSCert: ./channel-msp/ordererOrganizations/org0/orderers/org0-orderer1/tls/signcerts/tls-cert.pem - - Host: org0-orderer2 - Port: 6050 - ClientTLSCert: ./channel-msp/ordererOrganizations/org0/orderers/org0-orderer2/tls/signcerts/tls-cert.pem - ServerTLSCert: ./channel-msp/ordererOrganizations/org0/orderers/org0-orderer2/tls/signcerts/tls-cert.pem - - Host: org0-orderer3 - Port: 6050 - ClientTLSCert: ./channel-msp/ordererOrganizations/org0/orderers/org0-orderer3/tls/signcerts/tls-cert.pem - ServerTLSCert: ./channel-msp/ordererOrganizations/org0/orderers/org0-orderer3/tls/signcerts/tls-cert.pem - - - # Options to be specified for all the etcd/raft nodes. The values here - # are the defaults for all new channels and can be modified on a - # per-channel basis via configuration updates. - Options: - # TickInterval is the time interval between two Node.Tick invocations. - #TickInterval: 500ms default - TickInterval: 2500ms - - # ElectionTick is the number of Node.Tick invocations that must pass - # between elections. That is, if a follower does not receive any - # message from the leader of current term before ElectionTick has - # elapsed, it will become candidate and start an election. - # ElectionTick must be greater than HeartbeatTick. - # ElectionTick: 10 default - ElectionTick: 5 - - # HeartbeatTick is the number of Node.Tick invocations that must - # pass between heartbeats. That is, a leader sends heartbeat - # messages to maintain its leadership every HeartbeatTick ticks. - HeartbeatTick: 1 - - # MaxInflightBlocks limits the max number of in-flight append messages - # during optimistic replication phase. 
- MaxInflightBlocks: 5 - - # SnapshotIntervalSize defines number of bytes per which a snapshot is taken - SnapshotIntervalSize: 16 MB - - # Batch Timeout: The amount of time to wait before creating a batch - BatchTimeout: 2s - - # Batch Size: Controls the number of messages batched into a block - BatchSize: - - # Max Message Count: The maximum number of messages to permit in a batch - MaxMessageCount: 10 - - # Absolute Max Bytes: The absolute maximum number of bytes allowed for - # the serialized messages in a batch. - AbsoluteMaxBytes: 99 MB - - # Preferred Max Bytes: The preferred maximum number of bytes allowed for - # the serialized messages in a batch. A message larger than the preferred - # max bytes will result in a batch larger than preferred max bytes. - PreferredMaxBytes: 512 KB - - # Organizations is the list of orgs which are defined as participants on - # the orderer side of the network - Organizations: - - # Policies defines the set of policies at this level of the config tree - # For Orderer policies, their canonical path is - # /Channel/Orderer/ - Policies: - Readers: - Type: ImplicitMeta - Rule: "ANY Readers" - Writers: - Type: ImplicitMeta - Rule: "ANY Writers" - Admins: - Type: ImplicitMeta - Rule: "MAJORITY Admins" - # BlockValidation specifies what signatures must be included in the block - # from the orderer for the peer to validate it. - BlockValidation: - Type: ImplicitMeta - Rule: "ANY Writers" - -################################################################################ -# -# CHANNEL -# -# This section defines the values to encode into a config transaction or -# genesis block for channel related parameters. 
-# -################################################################################ -Channel: &ChannelDefaults - # Policies defines the set of policies at this level of the config tree - # For Channel policies, their canonical path is - # /Channel/ - Policies: - # Who may invoke the 'Deliver' API - Readers: - Type: ImplicitMeta - Rule: "ANY Readers" - # Who may invoke the 'Broadcast' API - Writers: - Type: ImplicitMeta - Rule: "ANY Writers" - # By default, who may modify elements at this config level - Admins: - Type: ImplicitMeta - Rule: "MAJORITY Admins" - - # Capabilities describes the channel level capabilities, see the - # dedicated Capabilities section elsewhere in this file for a full - # description - Capabilities: - <<: *ChannelCapabilities - -################################################################################ -# -# Profile -# -# - Different configuration profiles may be encoded here to be specified -# as parameters to the configtxgen tool -# -################################################################################ -Profiles: - - # test network profile with application (not system) channel. - TwoOrgsApplicationGenesis: - <<: *ChannelDefaults - Orderer: - <<: *OrdererDefaults - Organizations: - - *OrdererOrg - Capabilities: *OrdererCapabilities - Application: - <<: *ApplicationDefaults - Organizations: - - *Org1 - - *Org2 - Capabilities: *ApplicationCapabilities - - - # - # Unclear lineage for these profiles: nano-fab? - # - # TwoOrgsOrdererGenesis will construct a system channel as it has a Consortiums stanza, which is not - # compatible with osnadmin. - # - # @enyeart - which profile should be used for the kube test network? 
- # - TwoOrgsOrdererGenesis: - <<: *ChannelDefaults - Orderer: - <<: *OrdererDefaults - OrdererType: etcdraft - Organizations: - - *OrdererOrg - Capabilities: - <<: *OrdererCapabilities - Consortiums: - SampleConsortium: - Organizations: - - *Org1 - - *Org2 - TwoOrgsChannel: - Consortium: SampleConsortium - <<: *ChannelDefaults - Application: - <<: *ApplicationDefaults - Organizations: - - *Org1 - - *Org2 - Capabilities: - <<: *ApplicationCapabilities - Org1Channel: - Consortium: SampleConsortium - <<: *ChannelDefaults - Application: - <<: *ApplicationDefaults - Organizations: - - *Org1 - Capabilities: - <<: *ApplicationCapabilities - Org2Channel: - Consortium: SampleConsortium - <<: *ChannelDefaults - Application: - <<: *ApplicationDefaults - Organizations: - - *Org2 - Capabilities: - <<: *ApplicationCapabilities diff --git a/test-network-k8s/config/org0/fabric-ca-server-config.yaml b/test-network-k8s/config/org0/fabric-ca-server-config.yaml deleted file mode 100644 index cff9c304..00000000 --- a/test-network-k8s/config/org0/fabric-ca-server-config.yaml +++ /dev/null 
@@ -1,506 +0,0 @@ -############################################################################# -# This is a configuration file for the fabric-ca-server command. -# -# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES -# ------------------------------------------------ -# Each configuration element can be overridden via command line -# arguments or environment variables. The precedence for determining -# the value of each element is as follows: -# 1) command line argument -# Examples: -# a) --port 443 -# To set the listening port -# b) --ca.keyfile ../mykey.pem -# To set the "keyfile" element in the "ca" section below; -# note the '.' separator character. -# 2) environment variable -# Examples: -# a) FABRIC_CA_SERVER_PORT=443 -# To set the listening port -# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" -# To set the "keyfile" element in the "ca" section below; -# note the '_' separator character. -# 3) configuration file -# 4) default value (if there is one) -# All default values are shown beside each element below. -# -# FILE NAME ELEMENTS -# ------------------ -# The value of all fields whose name ends with "file" or "files" are -# name or names of other files. -# For example, see "tls.certfile" and "tls.clientauth.certfiles". -# The value of each of these fields can be a simple filename, a -# relative path, or an absolute path. If the value is not an -# absolute path, it is interpreted as being relative to the location -# of this configuration file. 
-# -############################################################################# - -# Version of config file -version: 1.5.2 - -# Server's listening port (default: 7054) -port: 443 - -# Cross-Origin Resource Sharing (CORS) -cors: - enabled: false - origins: - - "*" - -# Enables debug logging (default: false) -debug: false - -# Size limit of an acceptable CRL in bytes (default: 512000) -crlsizelimit: 512000 - -############################################################################# -# TLS section for the server's listening port -# -# The following types are supported for client authentication: NoClientCert, -# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, -# and RequireAndVerifyClientCert. -# -# Certfiles is a list of root certificate authorities that the server uses -# when verifying client certificates. -############################################################################# -tls: - # Enable TLS (default: false) - enabled: true - # TLS for the server's listening port - certfile: - keyfile: - clientauth: - type: noclientcert - certfiles: - -############################################################################# -# The CA section contains information related to the Certificate Authority -# including the name of the CA, which should be unique for all members -# of a blockchain network. It also includes the key and certificate files -# used when issuing enrollment certificates (ECerts) and transaction -# certificates (TCerts). -# The chainfile (if it exists) contains the certificate chain which -# should be trusted for this CA, where the 1st in the chain is always the -# root CA certificate. 
-############################################################################# -ca: - # Name of this CA - name: org0-ca - # Key file (is only used to import a private key into BCCSP) - keyfile: - # Certificate file (default: ca-cert.pem) - certfile: - # Chain file - chainfile: - -############################################################################# -# The gencrl REST endpoint is used to generate a CRL that contains revoked -# certificates. This section contains configuration options that are used -# during gencrl request processing. -############################################################################# -crl: - # Specifies expiration for the generated CRL. The number of hours - # specified by this property is added to the UTC time, the resulting time - # is used to set the 'Next Update' date of the CRL. - expiry: 24h - -############################################################################# -# The registry section controls how the fabric-ca-server does two things: -# 1) authenticates enrollment requests which contain a username and password -# (also known as an enrollment ID and secret). -# 2) once authenticated, retrieves the identity's attribute names and -# values which the fabric-ca-server optionally puts into TCerts -# which it issues for transacting on the Hyperledger Fabric blockchain. -# These attributes are useful for making access control decisions in -# chaincode. -# There are two main configuration options: -# 1) The fabric-ca-server is the registry. -# This is true if "ldap.enabled" in the ldap section below is false. -# 2) An LDAP server is the registry, in which case the fabric-ca-server -# calls the LDAP server to perform these tasks. -# This is true if "ldap.enabled" in the ldap section below is true, -# which means this "registry" section is ignored. 
-############################################################################# -registry: - # Maximum number of times a password/secret can be reused for enrollment - # (default: -1, which means there is no limit) - maxenrollments: -1 - - # Contains identity information which is used when LDAP is disabled - identities: - - name: rcaadmin - pass: rcaadminpw - type: client - affiliation: "" - attrs: - hf.Registrar.Roles: "*" - hf.Registrar.DelegateRoles: "*" - hf.Revoker: true - hf.IntermediateCA: true - hf.GenCRL: true - hf.Registrar.Attributes: "*" - hf.AffiliationMgr: true - -############################################################################# -# Database section -# Supported types are: "sqlite3", "postgres", and "mysql". -# The datasource value depends on the type. -# If the type is "sqlite3", the datasource value is a file name to use -# as the database store. Since "sqlite3" is an embedded database, it -# may not be used if you want to run the fabric-ca-server in a cluster. -# To run the fabric-ca-server in a cluster, you must choose "postgres" -# or "mysql". -############################################################################# -db: - type: sqlite3 - datasource: fabric-ca-server.db - tls: - enabled: false - certfiles: - client: - certfile: - keyfile: - -############################################################################# -# LDAP section -# If LDAP is enabled, the fabric-ca-server calls LDAP to: -# 1) authenticate enrollment ID and secret (i.e. username and password) -# for enrollment requests; -# 2) To retrieve identity attributes -############################################################################# -ldap: - # Enables or disables the LDAP client (default: false) - # If this is set to true, the "registry" section is ignored. 
- enabled: false - # The URL of the LDAP server - url: ldap://:@:/ - # TLS configuration for the client connection to the LDAP server - tls: - certfiles: - client: - certfile: - keyfile: - # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes - attribute: - # 'names' is an array of strings containing the LDAP attribute names which are - # requested from the LDAP server for an LDAP identity's entry - names: ['uid','member'] - # The 'converters' section is used to convert an LDAP entry to the value of - # a fabric CA attribute. - # For example, the following converts an LDAP 'uid' attribute - # whose value begins with 'revoker' to a fabric CA attribute - # named "hf.Revoker" with a value of "true" (because the boolean expression - # evaluates to true). - # converters: - # - name: hf.Revoker - # value: attr("uid") =~ "revoker*" - converters: - - name: - value: - # The 'maps' section contains named maps which may be referenced by the 'map' - # function in the 'converters' section to map LDAP responses to arbitrary values. - # For example, assume a user has an LDAP attribute named 'member' which has multiple - # values which are each a distinguished name (i.e. a DN). For simplicity, assume the - # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. - # Further assume the following configuration. - # converters: - # - name: hf.Registrar.Roles - # value: map(attr("member"),"groups") - # maps: - # groups: - # - name: dn1 - # value: peer - # - name: dn2 - # value: client - # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be - # "peer,client,dn3". This is because the value of 'attr("member")' is - # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of - # "group" replaces "dn1" with "peer" and "dn2" with "client". - maps: - groups: - - name: - value: - -############################################################################# -# Affiliations section. 
Fabric CA server can be bootstrapped with the -# affiliations specified in this section. Affiliations are specified as maps. -# For example: -# businessunit1: -# department1: -# - team1 -# businessunit2: -# - department2 -# - department3 -# -# Affiliations are hierarchical in nature. In the above example, -# department1 (used as businessunit1.department1) is the child of businessunit1. -# team1 (used as businessunit1.department1.team1) is the child of department1. -# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) -# are children of businessunit2. -# Note: Affiliations are case sensitive except for the non-leaf affiliations -# (like businessunit1, department1, businessunit2) that are specified in the configuration file, -# which are always stored in lower case. -############################################################################# -affiliations: - org1: - - department1 - - department2 - org2: - - department1 - -############################################################################# -# Signing section -# -# The "default" subsection is used to sign enrollment certificates; -# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. -# -# The "ca" profile subsection is used to sign intermediate CA certificates; -# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. -# Note that "isca" is true, meaning that it issues a CA certificate. -# A maxpathlen of 0 means that the intermediate CA cannot issue other -# intermediate CA certificates, though it can still issue end entity certificates. -# (See RFC 5280, section 4.2.1.9) -# -# The "tls" profile subsection is used to sign TLS certificate requests; -# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. 
-############################################################################# -signing: - default: - usage: - - digital signature - expiry: 8760h - profiles: - ca: - usage: - - cert sign - - crl sign - expiry: 43800h - caconstraint: - isca: true - maxpathlen: 0 - tls: - usage: - - signing - - key encipherment - - server auth - - client auth - - key agreement - expiry: 8760h - -########################################################################### -# Certificate Signing Request (CSR) section. -# This controls the creation of the root CA certificate. -# The expiration for the root CA certificate is configured with the -# "ca.expiry" field below, whose default value is "131400h" which is -# 15 years in hours. -# The pathlength field is used to limit CA certificate hierarchy as described -# in section 4.2.1.9 of RFC 5280. -# Examples: -# 1) No pathlength value means no limit is requested. -# 2) pathlength == 1 means a limit of 1 is requested which is the default for -# a root CA. This means the root CA can issue intermediate CA certificates, -# but these intermediate CAs may not in turn issue other CA certificates -# though they can still issue end entity certificates. -# 3) pathlength == 0 means a limit of 0 is requested; -# this is the default for an intermediate CA, which means it can not issue -# CA certificates though it can still issue end entity certificates. -########################################################################### -csr: - cn: fabric-ca-server - keyrequest: - algo: ecdsa - size: 256 - names: - - C: US - ST: "North Carolina" - L: - O: Hyperledger - OU: Fabric - hosts: - - localhost - - 127.0.0.1 - - org0-ca - - org0-ca.${NS}.svc.cluster.local - ca: - expiry: 131400h - pathlength: 1 - -########################################################################### -# Each CA can issue both X509 enrollment certificate as well as Idemix -# Credential. 
This section specifies configuration for the issuer component -# that is responsible for issuing Idemix credentials. -########################################################################### -idemix: - # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an - # Idemix credential. The issuer will create a pool revocation handles of this specified size. When - # a credential is requested, issuer will get handle from the pool and assign it to the credential. - # Issuer will repopulate the pool with new handles when the last handle in the pool is used. - # A revocation handle and credential revocation information (CRI) are used to create non revocation proof - # by the prover to prove to the verifier that her credential is not revoked. - rhpoolsize: 1000 - - # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer - # and second step is send credential request that is constructed using the nonce to the issuer to - # request a credential. This configuration property specifies expiration for the nonces. By default is - # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration). - nonceexpiration: 15s - - # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes. 
- # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration) - noncesweepinterval: 15m - -############################################################################# -# BCCSP (BlockChain Crypto Service Provider) section is used to select which -# crypto library implementation to use -############################################################################# -bccsp: - default: SW - sw: - hash: SHA2 - security: 256 - filekeystore: - # The directory used for the software file-based keystore - keystore: msp/keystore - -############################################################################# -# Multi CA section -# -# Each Fabric CA server contains one CA by default. This section is used -# to configure multiple CAs in a single server. -# -# 1) --cacount -# Automatically generate non-default CAs. The names of these -# additional CAs are "ca1", "ca2", ... "caN", where "N" is -# This is particularly useful in a development environment to quickly set up -# multiple CAs. Note that, this config option is not applicable to intermediate CA server -# i.e., Fabric CA server that is started with intermediate.parentserver.url config -# option (-u command line option) -# -# 2) --cafiles -# For each CA config file in the list, generate a separate signing CA. Each CA -# config file in this list MAY contain all of the same elements as are found in -# the server config file except port, debug, and tls sections. 
-# -# Examples: -# fabric-ca-server start -b admin:adminpw --cacount 2 -# -# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml -# --cafiles ca/ca2/fabric-ca-server-config.yaml -# -############################################################################# - -cacount: - -cafiles: - -############################################################################# -# Intermediate CA section -# -# The relationship between servers and CAs is as follows: -# 1) A single server process may contain or function as one or more CAs. -# This is configured by the "Multi CA section" above. -# 2) Each CA is either a root CA or an intermediate CA. -# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. -# -# This section pertains to configuration of #2 and #3. -# If the "intermediate.parentserver.url" property is set, -# then this is an intermediate CA with the specified parent -# CA. -# -# parentserver section -# url - The URL of the parent server -# caname - Name of the CA to enroll within the server -# -# enrollment section used to enroll intermediate CA with parent CA -# profile - Name of the signing profile to use in issuing the certificate -# label - Label to use in HSM operations -# -# tls section for secure socket connection -# certfiles - PEM-encoded list of trusted root certificate files -# client: -# certfile - PEM-encoded certificate file for when client authentication -# is enabled on server -# keyfile - PEM-encoded key file for when client authentication -# is enabled on server -############################################################################# -intermediate: - parentserver: - url: - caname: - - enrollment: - hosts: - profile: - label: - - tls: - certfiles: - client: - certfile: - keyfile: - -############################################################################# -# CA configuration section -# -# Configure the number of incorrect password attempts are allowed for -# 
identities. By default, the value of 'passwordattempts' is 10, which -# means that 10 incorrect password attempts can be made before an identity get -# locked out. -############################################################################# -cfg: - identities: - passwordattempts: 10 - -############################################################################### -# -# Operations section -# -############################################################################### -operations: - # host and port for the operations server - listenAddress: 127.0.0.1:9443 - - # TLS configuration for the operations endpoint - tls: - # TLS enabled - enabled: false - - # path to PEM encoded server certificate for the operations server - cert: - file: - - # path to PEM encoded server key for the operations server - key: - file: - - # require client certificate authentication to access all resources - clientAuthRequired: false - - # paths to PEM encoded ca certificates to trust for client authentication - clientRootCAs: - files: [] - -############################################################################### -# -# Metrics section -# -############################################################################### -metrics: - # statsd, prometheus, or disabled - provider: disabled - - # statsd configuration - statsd: - # network type: tcp or udp - network: udp - - # statsd server address - address: 127.0.0.1:8125 - - # the interval at which locally cached counters and gauges are pushed - # to statsd; timings are pushed immediately - writeInterval: 10s - - # prefix is prepended to all emitted statsd metrics - prefix: server diff --git a/test-network-k8s/config/org0/orderer.yaml b/test-network-k8s/config/org0/orderer.yaml deleted file mode 100644 index c8e25a07..00000000 --- a/test-network-k8s/config/org0/orderer.yaml +++ /dev/null 
@@ -1,420 +0,0 @@ -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# - - ---- -################################################################################ -# -# Orderer Configuration -# -# - This controls the type and configuration of the orderer. -# -################################################################################ -General: - # Listen address: The IP on which to bind to listen. - ListenAddress: 0.0.0.0 - - # Listen port: The port on which to bind to listen. - ListenPort: 6050 - - # TLS: TLS settings for the GRPC server. - TLS: - # Require server-side TLS - Enabled: false - # PrivateKey governs the file location of the private key of the TLS certificate. - PrivateKey: tls/server.key - # Certificate governs the file location of the server TLS certificate. - Certificate: tls/server.crt - # RootCAs contains a list of additional root certificates used for verifying certificates - # of other orderer nodes during outbound connections. - # It is not required to be set, but can be used to augment the set of TLS CA certificates - # available from the MSPs of each channel’s configuration. - RootCAs: - - tls/ca.crt - # Require client certificates / mutual TLS for inbound connections. - ClientAuthRequired: false - # If mutual TLS is enabled, ClientRootCAs contains a list of additional root certificates - # used for verifying certificates of client connections. - # It is not required to be set, but can be used to augment the set of TLS CA certificates - # available from the MSPs of each channel’s configuration. - ClientRootCAs: - # Keepalive settings for the GRPC server. - Keepalive: - # ServerMinInterval is the minimum permitted time between client pings. - # If clients send pings more frequently, the server will - # disconnect them. - ServerMinInterval: 60s - # ServerInterval is the time between pings to clients. 
- ServerInterval: 7200s - # ServerTimeout is the duration the server waits for a response from - # a client before closing the connection. - ServerTimeout: 20s - # Cluster settings for ordering service nodes that communicate with other ordering service nodes - # such as Raft based ordering service. - Cluster: - # SendBufferSize is the maximum number of messages in the egress buffer. - # Consensus messages are dropped if the buffer is full, and transaction - # messages are waiting for space to be freed. - SendBufferSize: 10 - - # ClientCertificate governs the file location of the client TLS certificate - # used to establish mutual TLS connections with other ordering service nodes. - # If not set, the server General.TLS.Certificate is re-used. - ClientCertificate: - # ClientPrivateKey governs the file location of the private key of the client TLS certificate. - # If not set, the server General.TLS.PrivateKey is re-used. - ClientPrivateKey: - - # The below 4 properties should be either set together, or be unset together. - # If they are set, then the orderer node uses a separate listener for intra-cluster - # communication. If they are unset, then the general orderer listener is used. - # This is useful if you want to use a different TLS server certificates on the - # client-facing and the intra-cluster listeners. - - # ListenPort defines the port on which the cluster listens to connections. - ListenPort: - # ListenAddress defines the IP on which to listen to intra-cluster communication. - ListenAddress: - # ServerCertificate defines the file location of the server TLS certificate used for intra-cluster - # communication. - ServerCertificate: - # ServerPrivateKey defines the file location of the private key of the TLS certificate. - ServerPrivateKey: - - # Bootstrap method: The method by which to obtain the bootstrap block - # system channel is specified. 
The option can be one of: - # "file" - path to a file containing the genesis block or config block of system channel - # "none" - allows an orderer to start without a system channel configuration - BootstrapMethod: none - - # Bootstrap file: The file containing the bootstrap block to use when - # initializing the orderer system channel and BootstrapMethod is set to - # "file". The bootstrap file can be the genesis block, and it can also be - # a config block for late bootstrap of some consensus methods like Raft. - # Generate a genesis block by updating $FABRIC_CFG_PATH/configtx.yaml and - # using configtxgen command with "-outputBlock" option. - # Defaults to file "genesisblock" (in $FABRIC_CFG_PATH directory) if not specified. - BootstrapFile: - - # LocalMSPDir is where to find the private crypto material needed by the - # orderer. It is set relative here as a default for dev environments but - # should be changed to the real location in production. - LocalMSPDir: msp - - # LocalMSPID is the identity to register the local MSP material with the MSP - # manager. IMPORTANT: The local MSP ID of an orderer needs to match the MSP - # ID of one of the organizations defined in the orderer system channel's - # /Channel/Orderer configuration. The sample organization defined in the - # sample configuration provided has an MSP ID of "SampleOrg". - LocalMSPID: SampleOrg - - # Enable an HTTP service for Go "pprof" profiling as documented at: - # https://golang.org/pkg/net/http/pprof - Profile: - Enabled: false - Address: 0.0.0.0:6060 - - # BCCSP configures the blockchain crypto service providers. - BCCSP: - # Default specifies the preferred blockchain crypto service provider - # to use. If the preferred provider is not available, the software - # based provider ("SW") will be used. - # Valid providers are: - # - SW: a software based crypto provider - # - PKCS11: a CA hardware security module crypto provider. 
- Default: SW - - # SW configures the software based blockchain crypto provider. - SW: - # TODO: The default Hash and Security level needs refactoring to be - # fully configurable. Changing these defaults requires coordination - # SHA2 is hardcoded in several places, not only BCCSP - Hash: SHA2 - Security: 256 - # Location of key store. If this is unset, a location will be - # chosen using: 'LocalMSPDir'/keystore - FileKeyStore: - KeyStore: - - # Settings for the PKCS#11 crypto provider (i.e. when DEFAULT: PKCS11) - PKCS11: - # Location of the PKCS11 module library - Library: - # Token Label - Label: - # User PIN - Pin: - Hash: - Security: - FileKeyStore: - KeyStore: - - # Authentication contains configuration parameters related to authenticating - # client messages - Authentication: - # the acceptable difference between the current server time and the - # client's time as specified in a client request message - TimeWindow: 15m - - -################################################################################ -# -# SECTION: File Ledger -# -# - This section applies to the configuration of the file ledger. -# -################################################################################ -FileLedger: - - # Location: The directory to store the blocks in. - Location: /var/hyperledger/production/orderer - -################################################################################ -# -# SECTION: Kafka -# -# - This section applies to the configuration of the Kafka-based orderer, and -# its interaction with the Kafka cluster. -# -################################################################################ -Kafka: - - # Retry: What do if a connection to the Kafka cluster cannot be established, - # or if a metadata request to the Kafka cluster needs to be repeated. 
- Retry: - # When a new channel is created, or when an existing channel is reloaded - # (in case of a just-restarted orderer), the orderer interacts with the - # Kafka cluster in the following ways: - # 1. It creates a Kafka producer (writer) for the Kafka partition that - # corresponds to the channel. - # 2. It uses that producer to post a no-op CONNECT message to that - # partition - # 3. It creates a Kafka consumer (reader) for that partition. - # If any of these steps fail, they will be re-attempted every - # for a total of , and then every - # for a total of until they succeed. - # Note that the orderer will be unable to write to or read from a - # channel until all of the steps above have been completed successfully. - ShortInterval: 5s - ShortTotal: 10m - LongInterval: 5m - LongTotal: 12h - # Affects the socket timeouts when waiting for an initial connection, a - # response, or a transmission. See Config.Net for more info: - # https://godoc.org/github.com/Shopify/sarama#Config - NetworkTimeouts: - DialTimeout: 10s - ReadTimeout: 10s - WriteTimeout: 10s - # Affects the metadata requests when the Kafka cluster is in the middle - # of a leader election.See Config.Metadata for more info: - # https://godoc.org/github.com/Shopify/sarama#Config - Metadata: - RetryBackoff: 250ms - RetryMax: 3 - # What to do if posting a message to the Kafka cluster fails. See - # Config.Producer for more info: - # https://godoc.org/github.com/Shopify/sarama#Config - Producer: - RetryBackoff: 100ms - RetryMax: 3 - # What to do if reading from the Kafka cluster fails. See - # Config.Consumer for more info: - # https://godoc.org/github.com/Shopify/sarama#Config - Consumer: - RetryBackoff: 2s - # Settings to use when creating Kafka topics. Only applies when - # Kafka.Version is v0.10.1.0 or higher - Topic: - # The number of Kafka brokers across which to replicate the topic - ReplicationFactor: 3 - # Verbose: Enable logging for interactions with the Kafka cluster. 
- Verbose: false - - # TLS: TLS settings for the orderer's connection to the Kafka cluster. - TLS: - - # Enabled: Use TLS when connecting to the Kafka cluster. - Enabled: false - - # PrivateKey: PEM-encoded private key the orderer will use for - # authentication. - PrivateKey: - # As an alternative to specifying the PrivateKey here, uncomment the - # following "File" key and specify the file name from which to load the - # value of PrivateKey. - #File: path/to/PrivateKey - - # Certificate: PEM-encoded signed public key certificate the orderer will - # use for authentication. - Certificate: - # As an alternative to specifying the Certificate here, uncomment the - # following "File" key and specify the file name from which to load the - # value of Certificate. - #File: path/to/Certificate - - # RootCAs: PEM-encoded trusted root certificates used to validate - # certificates from the Kafka cluster. - RootCAs: - # As an alternative to specifying the RootCAs here, uncomment the - # following "File" key and specify the file name from which to load the - # value of RootCAs. 
- #File: path/to/RootCAs - - # SASLPlain: Settings for using SASL/PLAIN authentication with Kafka brokers - SASLPlain: - # Enabled: Use SASL/PLAIN to authenticate with Kafka brokers - Enabled: false - # User: Required when Enabled is set to true - User: - # Password: Required when Enabled is set to true - Password: - - # Kafka protocol version used to communicate with the Kafka cluster brokers - # (defaults to 0.10.2.0 if not specified) - Version: - -################################################################################ -# -# Debug Configuration -# -# - This controls the debugging options for the orderer -# -################################################################################ -Debug: - - # BroadcastTraceDir when set will cause each request to the Broadcast service - # for this orderer to be written to a file in this directory - BroadcastTraceDir: - - # DeliverTraceDir when set will cause each request to the Deliver service - # for this orderer to be written to a file in this directory - DeliverTraceDir: - -################################################################################ -# -# Operations Configuration -# -# - This configures the operations server endpoint for the orderer -# -################################################################################ -Operations: - # host and port for the operations server - ListenAddress: 0.0.0.0:8443 - - # TLS configuration for the operations endpoint - TLS: - # TLS enabled - Enabled: false - - # Certificate is the location of the PEM encoded TLS certificate - Certificate: - - # PrivateKey points to the location of the PEM-encoded key - PrivateKey: - - # Most operations service endpoints require client authentication when TLS - # is enabled. ClientAuthRequired requires client certificate authentication - # at the TLS layer to access all resources. 
- ClientAuthRequired: false - - # Paths to PEM encoded ca certificates to trust for client authentication - ClientRootCAs: [] - -################################################################################ -# -# Metrics Configuration -# -# - This configures metrics collection for the orderer -# -################################################################################ -Metrics: - # The metrics provider is one of statsd, prometheus, or disabled - Provider: disabled - - # The statsd configuration - Statsd: - # network type: tcp or udp - Network: udp - - # the statsd server address - Address: 127.0.0.1:8125 - - # The interval at which locally cached counters and gauges are pushed - # to statsd; timings are pushed immediately - WriteInterval: 30s - - # The prefix is prepended to all emitted statsd metrics - Prefix: - -################################################################################ -# -# Admin Configuration -# -# - This configures the admin server endpoint for the orderer -# -################################################################################ -Admin: - # host and port for the admin server - ListenAddress: 0.0.0.0:9443 - - # TLS configuration for the admin endpoint - TLS: - # TLS enabled - Enabled: false - - # Certificate is the location of the PEM encoded TLS certificate - Certificate: - - # PrivateKey points to the location of the PEM-encoded key - PrivateKey: - - # Most admin service endpoints require client authentication when TLS - # is enabled. ClientAuthRequired requires client certificate authentication - # at the TLS layer to access all resources. - # - # NOTE: When TLS is enabled, the admin endpoint requires mutual TLS. The - # orderer will panic on startup if this value is set to false. 
- ClientAuthRequired: true - - # Paths to PEM encoded ca certificates to trust for client authentication - ClientRootCAs: [] - -################################################################################ -# -# Channel participation API Configuration -# -# - This provides the channel participation API configuration for the orderer. -# - Channel participation uses the ListenAddress and TLS settings of the Admin -# service. -# -################################################################################ -ChannelParticipation: - # Channel participation API is enabled. - Enabled: true - - # The maximum size of the request body when joining a channel. - MaxRequestBodySize: 1 MB - - -################################################################################ -# -# Consensus Configuration -# -# - This section contains config options for a consensus plugin. It is opaque -# to orderer, and completely up to consensus implementation to make use of. -# -################################################################################ -Consensus: - # The allowed key-value pairs here depend on consensus plugin. For etcd/raft, - # we use following options: - - # WALDir specifies the location at which Write Ahead Logs for etcd/raft are - # stored. Each channel will have its own subdir named after channel ID. - WALDir: /var/hyperledger/production/orderer/etcdraft/wal - - # SnapDir specifies the location at which snapshots for etcd/raft are - # stored. Each channel will have its own subdir named after channel ID. - SnapDir: /var/hyperledger/production/orderer/etcdraft/snapshot diff --git a/test-network-k8s/config/org1/core.yaml b/test-network-k8s/config/org1/core.yaml deleted file mode 100644 index 9643adbd..00000000 --- a/test-network-k8s/config/org1/core.yaml +++ /dev/null 
@@ -1,766 +0,0 @@ -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# - -############################################################################### -# -# Peer section -# -############################################################################### -peer: - - # The peer id provides a name for this peer instance and is used when - # naming docker resources. - id: jdoe - - # The networkId allows for logical separation of networks and is used when - # naming docker resources. - networkId: dev - - # The Address at local network interface this Peer will listen on. - # By default, it will listen on all network interfaces - listenAddress: 0.0.0.0:7051 - - # The endpoint this peer uses to listen for inbound chaincode connections. - # If this is commented-out, the listen address is selected to be - # the peer's address (see below) with port 7052 - # chaincodeListenAddress: 0.0.0.0:7052 - - # The endpoint the chaincode for this peer uses to connect to the peer. - # If this is not specified, the chaincodeListenAddress address is selected. - # And if chaincodeListenAddress is not specified, address is selected from - # peer address (see below). If specified peer address is invalid then it - # will fallback to the auto detected IP (local IP) regardless of the peer - # addressAutoDetect value. - # chaincodeAddress: 0.0.0.0:7052 - - # When used as peer config, this represents the endpoint to other peers - # in the same organization. For peers in other organization, see - # gossip.externalEndpoint for more info. - # When used as CLI config, this means the peer's endpoint to interact with - address: 0.0.0.0:7051 - - # Whether the Peer should programmatically determine its address - # This case is useful for docker containers. - # When set to true, will override peer address. 
- addressAutoDetect: false - - # Keepalive settings for peer server and clients - keepalive: - # Interval is the duration after which if the server does not see - # any activity from the client it pings the client to see if it's alive - interval: 7200s - # Timeout is the duration the server waits for a response - # from the client after sending a ping before closing the connection - timeout: 20s - # MinInterval is the minimum permitted time between client pings. - # If clients send pings more frequently, the peer server will - # disconnect them - minInterval: 60s - # Client keepalive settings for communicating with other peer nodes - client: - # Interval is the time between pings to peer nodes. This must - # greater than or equal to the minInterval specified by peer - # nodes - interval: 60s - # Timeout is the duration the client waits for a response from - # peer nodes before closing the connection - timeout: 20s - # DeliveryClient keepalive settings for communication with ordering - # nodes. - deliveryClient: - # Interval is the time between pings to ordering nodes. This must - # greater than or equal to the minInterval specified by ordering - # nodes. - interval: 60s - # Timeout is the duration the client waits for a response from - # ordering nodes before closing the connection - timeout: 20s - - - # Gossip related configuration - gossip: - # Bootstrap set to initialize gossip with. - # This is a list of other peers that this peer reaches out to at startup. - # Important: The endpoints here have to be endpoints of peers in the same - # organization, because the peer would refuse connecting to these endpoints - # unless they are in the same organization as the peer. - bootstrap: 127.0.0.1:7051 - - # NOTE: orgLeader and useLeaderElection parameters are mutual exclusive. - # Setting both to true would result in the termination of the peer - # since this is undefined state. 
If the peers are configured with - # useLeaderElection=false, make sure there is at least 1 peer in the - # organization that its orgLeader is set to true. - - # Defines whenever peer will initialize dynamic algorithm for - # "leader" selection, where leader is the peer to establish - # connection with ordering service and use delivery protocol - # to pull ledger blocks from ordering service. - useLeaderElection: false - # Statically defines peer to be an organization "leader", - # where this means that current peer will maintain connection - # with ordering service and disseminate block across peers in - # its own organization. Multiple peers or all peers in an organization - # may be configured as org leaders, so that they all pull - # blocks directly from ordering service. - orgLeader: true - - # Interval for membershipTracker polling - membershipTrackerInterval: 5s - - # Overrides the endpoint that the peer publishes to peers - # in its organization. For peers in foreign organizations - # see 'externalEndpoint' - endpoint: - # Maximum count of blocks stored in memory - maxBlockCountToStore: 10 - # Max time between consecutive message pushes(unit: millisecond) - maxPropagationBurstLatency: 10ms - # Max number of messages stored until a push is triggered to remote peers - maxPropagationBurstSize: 10 - # Number of times a message is pushed to remote peers - propagateIterations: 1 - # Number of peers selected to push messages to - propagatePeerNum: 3 - # Determines frequency of pull phases(unit: second) - # Must be greater than digestWaitTime + responseWaitTime - pullInterval: 4s - # Number of peers to pull from - pullPeerNum: 3 - # Determines frequency of pulling state info messages from peers(unit: second) - requestStateInfoInterval: 4s - # Determines frequency of pushing state info messages to peers(unit: second) - publishStateInfoInterval: 4s - # Maximum time a stateInfo message is kept until expired - stateInfoRetentionInterval: - # Time from startup 
certificates are included in Alive messages(unit: second) - publishCertPeriod: 10s - # Should we skip verifying block messages or not (currently not in use) - skipBlockVerification: false - # Dial timeout(unit: second) - dialTimeout: 3s - # Connection timeout(unit: second) - connTimeout: 2s - # Buffer size of received messages - recvBuffSize: 20 - # Buffer size of sending messages - sendBuffSize: 200 - # Time to wait before pull engine processes incoming digests (unit: second) - # Should be slightly smaller than requestWaitTime - digestWaitTime: 1s - # Time to wait before pull engine removes incoming nonce (unit: milliseconds) - # Should be slightly bigger than digestWaitTime - requestWaitTime: 1500ms - # Time to wait before pull engine ends pull (unit: second) - responseWaitTime: 2s - # Alive check interval(unit: second) - aliveTimeInterval: 5s - # Alive expiration timeout(unit: second) - aliveExpirationTimeout: 25s - # Reconnect interval(unit: second) - reconnectInterval: 25s - # Max number of attempts to connect to a peer - maxConnectionAttempts: 120 - # Message expiration factor for alive messages - msgExpirationFactor: 20 - # This is an endpoint that is published to peers outside of the organization. - # If this isn't set, the peer will not be known to other organizations. 
- externalEndpoint: - # Leader election service configuration - election: - # Longest time peer waits for stable membership during leader election startup (unit: second) - startupGracePeriod: 15s - # Interval gossip membership samples to check its stability (unit: second) - membershipSampleInterval: 1s - # Time passes since last declaration message before peer decides to perform leader election (unit: second) - leaderAliveThreshold: 10s - # Time between peer sends propose message and declares itself as a leader (sends declaration message) (unit: second) - leaderElectionDuration: 5s - - pvtData: - # pullRetryThreshold determines the maximum duration of time private data corresponding for a given block - # would be attempted to be pulled from peers until the block would be committed without the private data - pullRetryThreshold: 60s - # As private data enters the transient store, it is associated with the peer's ledger's height at that time. - # transientstoreMaxBlockRetention defines the maximum difference between the current ledger's height upon commit, - # and the private data residing inside the transient store that is guaranteed not to be purged. - # Private data is purged from the transient store when blocks with sequences that are multiples - # of transientstoreMaxBlockRetention are committed. - transientstoreMaxBlockRetention: 1000 - # pushAckTimeout is the maximum time to wait for an acknowledgement from each peer - # at private data push at endorsement time. - pushAckTimeout: 3s - # Block to live pulling margin, used as a buffer - # to prevent peer from trying to pull private data - # from peers that is soon to be purged in next N blocks. - # This helps a newly joined peer catch up to current - # blockchain height quicker. - btlPullMargin: 10 - # the process of reconciliation is done in an endless loop, while in each iteration reconciler tries to - # pull from the other peers the most recent missing blocks with a maximum batch size limitation. 
- # reconcileBatchSize determines the maximum batch size of missing private data that will be reconciled in a - # single iteration. - reconcileBatchSize: 10 - # reconcileSleepInterval determines the time reconciler sleeps from end of an iteration until the beginning - # of the next reconciliation iteration. - reconcileSleepInterval: 1m - # reconciliationEnabled is a flag that indicates whether private data reconciliation is enable or not. - reconciliationEnabled: true - # skipPullingInvalidTransactionsDuringCommit is a flag that indicates whether pulling of invalid - # transaction's private data from other peers need to be skipped during the commit time and pulled - # only through reconciler. - skipPullingInvalidTransactionsDuringCommit: false - # implicitCollectionDisseminationPolicy specifies the dissemination policy for the peer's own implicit collection. - # When a peer endorses a proposal that writes to its own implicit collection, below values override the default values - # for disseminating private data. - # Note that it is applicable to all channels the peer has joined. The implication is that requiredPeerCount has to - # be smaller than the number of peers in a channel that has the lowest numbers of peers from the organization. - implicitCollectionDisseminationPolicy: - # requiredPeerCount defines the minimum number of eligible peers to which the peer must successfully - # disseminate private data for its own implicit collection during endorsement. Default value is 0. - requiredPeerCount: 0 - # maxPeerCount defines the maximum number of eligible peers to which the peer will attempt to - # disseminate private data for its own implicit collection during endorsement. Default value is 1. - maxPeerCount: 1 - - # Gossip state transfer related configuration - state: - # indicates whenever state transfer is enabled or not - # default value is true, i.e. 
state transfer is active - # and takes care to sync up missing blocks allowing - # lagging peer to catch up to speed with rest network. - # Keep in mind that when peer.gossip.useLeaderElection is true - # and there are several peers in the organization, - # or peer.gossip.useLeaderElection is false alongside with - # peer.gossip.orgleader being false, the peer's ledger may lag behind - # the rest of the peers and will never catch up due to state transfer - # being disabled. - enabled: false - # checkInterval interval to check whether peer is lagging behind enough to - # request blocks via state transfer from another peer. - checkInterval: 10s - # responseTimeout amount of time to wait for state transfer response from - # other peers - responseTimeout: 3s - # batchSize the number of blocks to request via state transfer from another peer - batchSize: 10 - # blockBufferSize reflects the size of the re-ordering buffer - # which captures blocks and takes care to deliver them in order - # down to the ledger layer. The actual buffer size is bounded between - # 0 and 2*blockBufferSize, each channel maintains its own buffer - blockBufferSize: 20 - # maxRetries maximum number of re-tries to ask - # for single state transfer request - maxRetries: 3 - - # TLS Settings - tls: - # Require server-side TLS - enabled: true - # Require client certificates / mutual TLS for inbound connections. - # Note that clients that are not configured to use a certificate will - # fail to connect to the peer. - clientAuthRequired: false - # X.509 certificate used for TLS server - cert: - file: tls/server.crt - # Private key used for TLS server - key: - file: tls/server.key - # rootcert.file represents the trusted root certificate chain used for verifying certificates - # of other nodes during outbound connections. - # It is not required to be set, but can be used to augment the set of TLS CA certificates - # available from the MSPs of each channel’s configuration. 
- rootcert: - file: tls/ca.crt - # If mutual TLS is enabled, clientRootCAs.files contains a list of additional root certificates - # used for verifying certificates of client connections. - # It augments the set of TLS CA certificates available from the MSPs of each channel’s configuration. - # Minimally, set your organization's TLS CA root certificate so that the peer can receive join channel requests. - clientRootCAs: - files: - - tls/ca.crt - # Private key used for TLS when making client connections. - # If not set, peer.tls.key.file will be used instead - clientKey: - file: - # X.509 certificate used for TLS when making client connections. - # If not set, peer.tls.cert.file will be used instead - clientCert: - file: - - # Authentication contains configuration parameters related to authenticating - # client messages - authentication: - # the acceptable difference between the current server time and the - # client's time as specified in a client request message - timewindow: 15m - - # Path on the file system where peer will store data (eg ledger). This - # location must be access control protected to prevent unintended - # modification that might corrupt the peer operations. - fileSystemPath: /var/hyperledger/production - - # BCCSP (Blockchain crypto provider): Select which crypto implementation or - # library to use - BCCSP: - Default: SW - # Settings for the SW crypto provider (i.e. when DEFAULT: SW) - SW: - # TODO: The default Hash and Security level needs refactoring to be - # fully configurable. Changing these defaults requires coordination - # SHA2 is hardcoded in several places, not only BCCSP - Hash: SHA2 - Security: 256 - # Location of Key Store - FileKeyStore: - # If "", defaults to 'mspConfigPath'/keystore - KeyStore: - # Settings for the PKCS#11 crypto provider (i.e. 
when DEFAULT: PKCS11) - PKCS11: - # Location of the PKCS11 module library - Library: - # Token Label - Label: - # User PIN - Pin: - Hash: - Security: - - # Path on the file system where peer will find MSP local configurations - mspConfigPath: msp - - # Identifier of the local MSP - # ----!!!!IMPORTANT!!!-!!!IMPORTANT!!!-!!!IMPORTANT!!!!---- - # Deployers need to change the value of the localMspId string. - # In particular, the name of the local MSP ID of a peer needs - # to match the name of one of the MSPs in each of the channel - # that this peer is a member of. Otherwise this peer's messages - # will not be identified as valid by other nodes. - localMspId: Org1MSP - - # CLI common client config options - client: - # connection timeout - connTimeout: 10s - - # Delivery service related config - deliveryclient: - # It sets the total time the delivery service may spend in reconnection - # attempts until its retry logic gives up and returns an error - reconnectTotalTimeThreshold: 3600s - - # It sets the delivery service <-> ordering service node connection timeout - connTimeout: 10s - - # It sets the delivery service maximal delay between consecutive retries - reConnectBackoffThreshold: 3600s - - # A list of orderer endpoint addresses which should be overridden - # when found in channel configurations. - addressOverrides: - # - from: - # to: - # caCertsFile: - # - from: - # to: - # caCertsFile: - - # Type for the local MSP - by default it's of type bccsp - localMspType: bccsp - - # Used with Go profiling tools only in none production environment. 
In - # production, it should be disabled (eg enabled: false) - profile: - enabled: false - listenAddress: 0.0.0.0:6060 - - # Handlers defines custom handlers that can filter and mutate - # objects passing within the peer, such as: - # Auth filter - reject or forward proposals from clients - # Decorators - append or mutate the chaincode input passed to the chaincode - # Endorsers - Custom signing over proposal response payload and its mutation - # Valid handler definition contains: - # - A name which is a factory method name defined in - # core/handlers/library/library.go for statically compiled handlers - # - library path to shared object binary for pluggable filters - # Auth filters and decorators are chained and executed in the order that - # they are defined. For example: - # authFilters: - # - - # name: FilterOne - # library: /opt/lib/filter.so - # - - # name: FilterTwo - # decorators: - # - - # name: DecoratorOne - # - - # name: DecoratorTwo - # library: /opt/lib/decorator.so - # Endorsers are configured as a map that its keys are the endorsement system chaincodes that are being overridden. - # Below is an example that overrides the default ESCC and uses an endorsement plugin that has the same functionality - # as the default ESCC. - # If the 'library' property is missing, the name is used as the constructor method in the builtin library similar - # to auth filters and decorators. - # endorsers: - # escc: - # name: DefaultESCC - # library: /etc/hyperledger/fabric/plugin/escc.so - handlers: - authFilters: - - - name: DefaultAuth - - - name: ExpirationCheck # This filter checks identity x509 certificate expiration - decorators: - - - name: DefaultDecorator - endorsers: - escc: - name: DefaultEndorsement - library: - validators: - vscc: - name: DefaultValidation - library: - - # library: /etc/hyperledger/fabric/plugin/escc.so - # Number of goroutines that will execute transaction validation in parallel. 
- # By default, the peer chooses the number of CPUs on the machine. Set this - # variable to override that choice. - # NOTE: overriding this value might negatively influence the performance of - # the peer so please change this value only if you know what you're doing - validatorPoolSize: - - # The discovery service is used by clients to query information about peers, - # such as - which peers have joined a certain channel, what is the latest - # channel config, and most importantly - given a chaincode and a channel, - # what possible sets of peers satisfy the endorsement policy. - discovery: - enabled: true - # Whether the authentication cache is enabled or not. - authCacheEnabled: true - # The maximum size of the cache, after which a purge takes place - authCacheMaxSize: 1000 - # The proportion (0 to 1) of entries that remain in the cache after the cache is purged due to overpopulation - authCachePurgeRetentionRatio: 0.75 - # Whether to allow non-admins to perform non channel scoped queries. - # When this is false, it means that only peer admins can perform non channel scoped queries. - orgMembersAllowedAccess: false - - # Limits is used to configure some internal resource limits. - limits: - # Concurrency limits the number of concurrently running requests to a service on each peer. - # Currently this option is only applied to endorser service and deliver service. - # When the property is missing or the value is 0, the concurrency limit is disabled for the service. - concurrency: - # endorserService limits concurrent requests to endorser service that handles chaincode deployment, query and invocation, - # including both user chaincodes and system chaincodes. - endorserService: 2500 - # deliverService limits concurrent event listeners registered to deliver service for blocks and transaction events. 
- deliverService: 2500 - -############################################################################### -# -# VM section -# -############################################################################### -vm: - - # Endpoint of the vm management system. For docker can be one of the following in general - # unix:///var/run/docker.sock - # http://localhost:2375 - # https://localhost:2376 - # endpoint: unix:///var/run/docker.sock - - # settings for docker vms - docker: - tls: - enabled: false - ca: - file: docker/ca.crt - cert: - file: docker/tls.crt - key: - file: docker/tls.key - - # Enables/disables the standard out/err from chaincode containers for - # debugging purposes - attachStdout: false - - # Parameters on creating docker container. - # Container may be efficiently created using ipam & dns-server for cluster - # NetworkMode - sets the networking mode for the container. Supported - # standard values are: `host`(default),`bridge`,`ipvlan`,`none`. - # Dns - a list of DNS servers for the container to use. - # Note: `Privileged` `Binds` `Links` and `PortBindings` properties of - # Docker Host Config are not supported and will not be used if set. - # LogConfig - sets the logging driver (Type) and related options - # (Config) for Docker. For more info, - # https://docs.docker.com/engine/admin/logging/overview/ - # Note: Set LogConfig using Environment Variables is not supported. - hostConfig: - NetworkMode: host - Dns: - # - 192.168.0.1 - LogConfig: - Type: json-file - Config: - max-size: "50m" - max-file: "5" - Memory: 2147483648 - -############################################################################### -# -# Chaincode section -# -############################################################################### -chaincode: - - # The id is used by the Chaincode stub to register the executing Chaincode - # ID with the Peer and is generally supplied through ENV variables - # the `path` form of ID is provided when installing the chaincode. 
- # The `name` is used for all other requests and can be any string. - id: - path: - name: - - # Generic builder environment, suitable for most chaincode types - builder: $(DOCKER_NS)/fabric-ccenv:$(TWO_DIGIT_VERSION) - - # Enables/disables force pulling of the base docker images (listed below) - # during user chaincode instantiation. - # Useful when using moving image tags (such as :latest) - pull: false - - golang: - # golang will never need more than baseos - runtime: $(DOCKER_NS)/fabric-baseos:$(TWO_DIGIT_VERSION) - - # whether or not golang chaincode should be linked dynamically - dynamicLink: false - - java: - # This is an image based on java:openjdk-8 with addition compiler - # tools added for java shim layer packaging. - # This image is packed with shim layer libraries that are necessary - # for Java chaincode runtime. - runtime: $(DOCKER_NS)/fabric-javaenv:$(TWO_DIGIT_VERSION) - - node: - # This is an image based on node:$(NODE_VER)-alpine - runtime: $(DOCKER_NS)/fabric-nodeenv:$(TWO_DIGIT_VERSION) - - # List of directories to treat as external builders and launchers for - # chaincode. The external builder detection processing will iterate over the - # builders in the order specified below. - externalBuilders: - - name: ccaas_builder - path: /opt/hyperledger/ccaas_builder - propagateEnvironment: - - CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG - - # copied into the /var persistent volume share by "network up" - - name: k8s_builder - path: /var/hyperledger/fabric/external_builders/k8s_builder - propagateEnvironment: - - CORE_PEER_ID - - FABRIC_K8S_BUILDER_OBJECT_NAME_PREFIX - - KUBERNETES_SERVICE_HOST - - KUBERNETES_SERVICE_PORT - - # The maximum duration to wait for the chaincode build and install process - # to complete. - installTimeout: 300s - - # Timeout duration for starting up a container and waiting for Register - # to come through. - startuptimeout: 300s - - # Timeout duration for Invoke and Init calls to prevent runaway. 
- # This timeout is used by all chaincodes in all the channels, including - # system chaincodes. - # Note that during Invoke, if the image is not available (e.g. being - # cleaned up when in development environment), the peer will automatically - # build the image, which might take more time. In production environment, - # the chaincode image is unlikely to be deleted, so the timeout could be - # reduced accordingly. - executetimeout: 30s - - # There are 2 modes: "dev" and "net". - # In dev mode, user runs the chaincode after starting peer from - # command line on local machine. - # In net mode, peer will run chaincode in a docker container. - mode: net - - # keepalive in seconds. In situations where the communication goes through a - # proxy that does not support keep-alive, this parameter will maintain connection - # between peer and chaincode. - # A value <= 0 turns keepalive off - keepalive: 0 - - # enabled system chaincodes - system: - _lifecycle: enable - cscc: enable - lscc: enable - qscc: enable - - # Logging section for the chaincode container - logging: - # Default level for all loggers within the chaincode container - level: info - # Override default level for the 'shim' logger - shim: warning - # Format for the chaincode container logs - format: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}' - -############################################################################### -# -# Ledger section - ledger configuration encompasses both the blockchain -# and the state -# -############################################################################### -ledger: - - blockchain: - - state: - # stateDatabase - options are "goleveldb", "CouchDB" - # goleveldb - default state database stored in goleveldb. 
- # CouchDB - store state database in CouchDB - stateDatabase: goleveldb - # Limit on the number of records to return per query - totalQueryLimit: 100000 - couchDBConfig: - # It is recommended to run CouchDB on the same server as the peer, and - # not map the CouchDB container port to a server port in docker-compose. - # Otherwise proper security must be provided on the connection between - # CouchDB client (on the peer) and server. - couchDBAddress: 127.0.0.1:5984 - # This username must have read and write authority on CouchDB - username: - # The password is recommended to pass as an environment variable - # during start up (eg CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD). - # If it is stored here, the file must be access control protected - # to prevent unintended users from discovering the password. - password: - # Number of retries for CouchDB errors - maxRetries: 3 - # Number of retries for CouchDB errors during peer startup. - # The delay between retries doubles for each attempt. - # Default of 10 retries results in 11 attempts over 2 minutes. - maxRetriesOnStartup: 10 - # CouchDB request timeout (unit: duration, e.g. 20s) - requestTimeout: 35s - # Limit on the number of records per each CouchDB query - # Note that chaincode queries are only bound by totalQueryLimit. - # Internally the chaincode may execute multiple CouchDB queries, - # each of size internalQueryLimit. - internalQueryLimit: 1000 - # Limit on the number of records per CouchDB bulk update batch - maxBatchUpdateSize: 1000 - # Warm indexes after every N blocks. - # This option warms any indexes that have been - # deployed to CouchDB after every N blocks. - # A value of 1 will warm indexes after every block commit, - # to ensure fast selector queries. - # Increasing the value may improve write efficiency of peer and CouchDB, - # but may degrade query response time. - warmIndexesAfterNBlocks: 1 - # Create the _global_changes system database - # This is optional. 
Creating the global changes database will require - # additional system resources to track changes and maintain the database - createGlobalChangesDB: false - # CacheSize denotes the maximum mega bytes (MB) to be allocated for the in-memory state - # cache. Note that CacheSize needs to be a multiple of 32 MB. If it is not a multiple - # of 32 MB, the peer would round the size to the next multiple of 32 MB. - # To disable the cache, 0 MB needs to be assigned to the cacheSize. - cacheSize: 64 - - history: - # enableHistoryDatabase - options are true or false - # Indicates if the history of key updates should be stored. - # All history 'index' will be stored in goleveldb, regardless if using - # CouchDB or alternate database for the state. - enableHistoryDatabase: true - - pvtdataStore: - # the maximum db batch size for converting - # the ineligible missing data entries to eligible missing data entries - collElgProcMaxDbBatchSize: 5000 - # the minimum duration (in milliseconds) between writing - # two consecutive db batches for converting the ineligible missing data entries to eligible missing data entries - collElgProcDbBatchesInterval: 1000 - # The missing data entries are classified into two categories: - # (1) prioritized - # (2) deprioritized - # Initially, all missing data are in the prioritized list. When the - # reconciler is unable to fetch the missing data from other peers, - # the unreconciled missing data would be moved to the deprioritized list. - # The reconciler would retry deprioritized missing data after every - # deprioritizedDataReconcilerInterval (unit: minutes). 
Note that the - # interval needs to be greater than the reconcileSleepInterval - deprioritizedDataReconcilerInterval: 60m - - snapshots: - # Path on the file system where peer will store ledger snapshots - rootDir: /var/hyperledger/production/snapshots - -############################################################################### -# -# Operations section -# -############################################################################### -operations: - # host and port for the operations server - listenAddress: 127.0.0.1:9443 - - # TLS configuration for the operations endpoint - tls: - # TLS enabled - enabled: false - - # path to PEM encoded server certificate for the operations server - cert: - file: - - # path to PEM encoded server key for the operations server - key: - file: - - # most operations service endpoints require client authentication when TLS - # is enabled. clientAuthRequired requires client certificate authentication - # at the TLS layer to access all resources. - clientAuthRequired: false - - # paths to PEM encoded ca certificates to trust for client authentication - clientRootCAs: - files: [] - -############################################################################### -# -# Metrics section -# -############################################################################### -metrics: - # metrics provider is one of statsd, prometheus, or disabled - provider: disabled - - # statsd configuration - statsd: - # network type: tcp or udp - network: udp - - # statsd server address - address: 127.0.0.1:8125 - - # the interval at which locally cached counters and gauges are pushed - # to statsd; timings are pushed immediately - writeInterval: 10s - - # prefix is prepended to all emitted statsd metrics - prefix: diff --git a/test-network-k8s/config/org1/fabric-ca-server-config.yaml b/test-network-k8s/config/org1/fabric-ca-server-config.yaml deleted file mode 100644 index d31dfad7..00000000 
--- a/test-network-k8s/config/org1/fabric-ca-server-config.yaml +++ /dev/null 
@@ -1,506 +0,0 @@ -############################################################################# -# This is a configuration file for the fabric-ca-server command. -# -# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES -# ------------------------------------------------ -# Each configuration element can be overridden via command line -# arguments or environment variables. The precedence for determining -# the value of each element is as follows: -# 1) command line argument -# Examples: -# a) --port 443 -# To set the listening port -# b) --ca.keyfile ../mykey.pem -# To set the "keyfile" element in the "ca" section below; -# note the '.' separator character. -# 2) environment variable -# Examples: -# a) FABRIC_CA_SERVER_PORT=443 -# To set the listening port -# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" -# To set the "keyfile" element in the "ca" section below; -# note the '_' separator character. -# 3) configuration file -# 4) default value (if there is one) -# All default values are shown beside each element below. -# -# FILE NAME ELEMENTS -# ------------------ -# The value of all fields whose name ends with "file" or "files" are -# name or names of other files. -# For example, see "tls.certfile" and "tls.clientauth.certfiles". -# The value of each of these fields can be a simple filename, a -# relative path, or an absolute path. If the value is not an -# absolute path, it is interpreted as being relative to the location -# of this configuration file. 
-# -############################################################################# - -# Version of config file -version: 1.5.2 - -# Server's listening port (default: 7054) -port: 443 - -# Cross-Origin Resource Sharing (CORS) -cors: - enabled: false - origins: - - "*" - -# Enables debug logging (default: false) -debug: false - -# Size limit of an acceptable CRL in bytes (default: 512000) -crlsizelimit: 512000 - -############################################################################# -# TLS section for the server's listening port -# -# The following types are supported for client authentication: NoClientCert, -# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, -# and RequireAndVerifyClientCert. -# -# Certfiles is a list of root certificate authorities that the server uses -# when verifying client certificates. -############################################################################# -tls: - # Enable TLS (default: false) - enabled: true - # TLS for the server's listening port - certfile: - keyfile: - clientauth: - type: noclientcert - certfiles: - -############################################################################# -# The CA section contains information related to the Certificate Authority -# including the name of the CA, which should be unique for all members -# of a blockchain network. It also includes the key and certificate files -# used when issuing enrollment certificates (ECerts) and transaction -# certificates (TCerts). -# The chainfile (if it exists) contains the certificate chain which -# should be trusted for this CA, where the 1st in the chain is always the -# root CA certificate. 
-############################################################################# -ca: - # Name of this CA - name: org1-ca - # Key file (is only used to import a private key into BCCSP) - keyfile: - # Certificate file (default: ca-cert.pem) - certfile: - # Chain file - chainfile: - -############################################################################# -# The gencrl REST endpoint is used to generate a CRL that contains revoked -# certificates. This section contains configuration options that are used -# during gencrl request processing. -############################################################################# -crl: - # Specifies expiration for the generated CRL. The number of hours - # specified by this property is added to the UTC time, the resulting time - # is used to set the 'Next Update' date of the CRL. - expiry: 24h - -############################################################################# -# The registry section controls how the fabric-ca-server does two things: -# 1) authenticates enrollment requests which contain a username and password -# (also known as an enrollment ID and secret). -# 2) once authenticated, retrieves the identity's attribute names and -# values which the fabric-ca-server optionally puts into TCerts -# which it issues for transacting on the Hyperledger Fabric blockchain. -# These attributes are useful for making access control decisions in -# chaincode. -# There are two main configuration options: -# 1) The fabric-ca-server is the registry. -# This is true if "ldap.enabled" in the ldap section below is false. -# 2) An LDAP server is the registry, in which case the fabric-ca-server -# calls the LDAP server to perform these tasks. -# This is true if "ldap.enabled" in the ldap section below is true, -# which means this "registry" section is ignored. 
-############################################################################# -registry: - # Maximum number of times a password/secret can be reused for enrollment - # (default: -1, which means there is no limit) - maxenrollments: -1 - - # Contains identity information which is used when LDAP is disabled - identities: - - name: rcaadmin - pass: rcaadminpw - type: client - affiliation: "" - attrs: - hf.Registrar.Roles: "*" - hf.Registrar.DelegateRoles: "*" - hf.Revoker: true - hf.IntermediateCA: true - hf.GenCRL: true - hf.Registrar.Attributes: "*" - hf.AffiliationMgr: true - -############################################################################# -# Database section -# Supported types are: "sqlite3", "postgres", and "mysql". -# The datasource value depends on the type. -# If the type is "sqlite3", the datasource value is a file name to use -# as the database store. Since "sqlite3" is an embedded database, it -# may not be used if you want to run the fabric-ca-server in a cluster. -# To run the fabric-ca-server in a cluster, you must choose "postgres" -# or "mysql". -############################################################################# -db: - type: sqlite3 - datasource: fabric-ca-server.db - tls: - enabled: false - certfiles: - client: - certfile: - keyfile: - -############################################################################# -# LDAP section -# If LDAP is enabled, the fabric-ca-server calls LDAP to: -# 1) authenticate enrollment ID and secret (i.e. username and password) -# for enrollment requests; -# 2) To retrieve identity attributes -############################################################################# -ldap: - # Enables or disables the LDAP client (default: false) - # If this is set to true, the "registry" section is ignored. 
- enabled: false - # The URL of the LDAP server - url: ldap://:@:/ - # TLS configuration for the client connection to the LDAP server - tls: - certfiles: - client: - certfile: - keyfile: - # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes - attribute: - # 'names' is an array of strings containing the LDAP attribute names which are - # requested from the LDAP server for an LDAP identity's entry - names: ['uid','member'] - # The 'converters' section is used to convert an LDAP entry to the value of - # a fabric CA attribute. - # For example, the following converts an LDAP 'uid' attribute - # whose value begins with 'revoker' to a fabric CA attribute - # named "hf.Revoker" with a value of "true" (because the boolean expression - # evaluates to true). - # converters: - # - name: hf.Revoker - # value: attr("uid") =~ "revoker*" - converters: - - name: - value: - # The 'maps' section contains named maps which may be referenced by the 'map' - # function in the 'converters' section to map LDAP responses to arbitrary values. - # For example, assume a user has an LDAP attribute named 'member' which has multiple - # values which are each a distinguished name (i.e. a DN). For simplicity, assume the - # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. - # Further assume the following configuration. - # converters: - # - name: hf.Registrar.Roles - # value: map(attr("member"),"groups") - # maps: - # groups: - # - name: dn1 - # value: peer - # - name: dn2 - # value: client - # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be - # "peer,client,dn3". This is because the value of 'attr("member")' is - # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of - # "group" replaces "dn1" with "peer" and "dn2" with "client". - maps: - groups: - - name: - value: - -############################################################################# -# Affiliations section. 
Fabric CA server can be bootstrapped with the -# affiliations specified in this section. Affiliations are specified as maps. -# For example: -# businessunit1: -# department1: -# - team1 -# businessunit2: -# - department2 -# - department3 -# -# Affiliations are hierarchical in nature. In the above example, -# department1 (used as businessunit1.department1) is the child of businessunit1. -# team1 (used as businessunit1.department1.team1) is the child of department1. -# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) -# are children of businessunit2. -# Note: Affiliations are case sensitive except for the non-leaf affiliations -# (like businessunit1, department1, businessunit2) that are specified in the configuration file, -# which are always stored in lower case. -############################################################################# -affiliations: - org1: - - department1 - - department2 - org2: - - department1 - -############################################################################# -# Signing section -# -# The "default" subsection is used to sign enrollment certificates; -# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. -# -# The "ca" profile subsection is used to sign intermediate CA certificates; -# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. -# Note that "isca" is true, meaning that it issues a CA certificate. -# A maxpathlen of 0 means that the intermediate CA cannot issue other -# intermediate CA certificates, though it can still issue end entity certificates. -# (See RFC 5280, section 4.2.1.9) -# -# The "tls" profile subsection is used to sign TLS certificate requests; -# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. 
-############################################################################# -signing: - default: - usage: - - digital signature - expiry: 8760h - profiles: - ca: - usage: - - cert sign - - crl sign - expiry: 43800h - caconstraint: - isca: true - maxpathlen: 0 - tls: - usage: - - signing - - key encipherment - - server auth - - client auth - - key agreement - expiry: 8760h - -########################################################################### -# Certificate Signing Request (CSR) section. -# This controls the creation of the root CA certificate. -# The expiration for the root CA certificate is configured with the -# "ca.expiry" field below, whose default value is "131400h" which is -# 15 years in hours. -# The pathlength field is used to limit CA certificate hierarchy as described -# in section 4.2.1.9 of RFC 5280. -# Examples: -# 1) No pathlength value means no limit is requested. -# 2) pathlength == 1 means a limit of 1 is requested which is the default for -# a root CA. This means the root CA can issue intermediate CA certificates, -# but these intermediate CAs may not in turn issue other CA certificates -# though they can still issue end entity certificates. -# 3) pathlength == 0 means a limit of 0 is requested; -# this is the default for an intermediate CA, which means it can not issue -# CA certificates though it can still issue end entity certificates. -########################################################################### -csr: - cn: fabric-ca-server - keyrequest: - algo: ecdsa - size: 256 - names: - - C: US - ST: "North Carolina" - L: - O: Hyperledger - OU: Fabric - hosts: - - localhost - - 127.0.0.1 - - org1-ca - - org1-ca.${NS}.svc.cluster.local - ca: - expiry: 131400h - pathlength: 1 - -########################################################################### -# Each CA can issue both X509 enrollment certificate as well as Idemix -# Credential. 
This section specifies configuration for the issuer component -# that is responsible for issuing Idemix credentials. -########################################################################### -idemix: - # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an - # Idemix credential. The issuer will create a pool revocation handles of this specified size. When - # a credential is requested, issuer will get handle from the pool and assign it to the credential. - # Issuer will repopulate the pool with new handles when the last handle in the pool is used. - # A revocation handle and credential revocation information (CRI) are used to create non revocation proof - # by the prover to prove to the verifier that her credential is not revoked. - rhpoolsize: 1000 - - # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer - # and second step is send credential request that is constructed using the nonce to the issuer to - # request a credential. This configuration property specifies expiration for the nonces. By default is - # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration). - nonceexpiration: 15s - - # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes. 
- # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration) - noncesweepinterval: 15m - -############################################################################# -# BCCSP (BlockChain Crypto Service Provider) section is used to select which -# crypto library implementation to use -############################################################################# -bccsp: - default: SW - sw: - hash: SHA2 - security: 256 - filekeystore: - # The directory used for the software file-based keystore - keystore: msp/keystore - -############################################################################# -# Multi CA section -# -# Each Fabric CA server contains one CA by default. This section is used -# to configure multiple CAs in a single server. -# -# 1) --cacount -# Automatically generate non-default CAs. The names of these -# additional CAs are "ca1", "ca2", ... "caN", where "N" is -# This is particularly useful in a development environment to quickly set up -# multiple CAs. Note that, this config option is not applicable to intermediate CA server -# i.e., Fabric CA server that is started with intermediate.parentserver.url config -# option (-u command line option) -# -# 2) --cafiles -# For each CA config file in the list, generate a separate signing CA. Each CA -# config file in this list MAY contain all of the same elements as are found in -# the server config file except port, debug, and tls sections. 
-# -# Examples: -# fabric-ca-server start -b admin:adminpw --cacount 2 -# -# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml -# --cafiles ca/ca2/fabric-ca-server-config.yaml -# -############################################################################# - -cacount: - -cafiles: - -############################################################################# -# Intermediate CA section -# -# The relationship between servers and CAs is as follows: -# 1) A single server process may contain or function as one or more CAs. -# This is configured by the "Multi CA section" above. -# 2) Each CA is either a root CA or an intermediate CA. -# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. -# -# This section pertains to configuration of #2 and #3. -# If the "intermediate.parentserver.url" property is set, -# then this is an intermediate CA with the specified parent -# CA. -# -# parentserver section -# url - The URL of the parent server -# caname - Name of the CA to enroll within the server -# -# enrollment section used to enroll intermediate CA with parent CA -# profile - Name of the signing profile to use in issuing the certificate -# label - Label to use in HSM operations -# -# tls section for secure socket connection -# certfiles - PEM-encoded list of trusted root certificate files -# client: -# certfile - PEM-encoded certificate file for when client authentication -# is enabled on server -# keyfile - PEM-encoded key file for when client authentication -# is enabled on server -############################################################################# -intermediate: - parentserver: - url: - caname: - - enrollment: - hosts: - profile: - label: - - tls: - certfiles: - client: - certfile: - keyfile: - -############################################################################# -# CA configuration section -# -# Configure the number of incorrect password attempts are allowed for -# 
identities. By default, the value of 'passwordattempts' is 10, which -# means that 10 incorrect password attempts can be made before an identity get -# locked out. -############################################################################# -cfg: - identities: - passwordattempts: 10 - -############################################################################### -# -# Operations section -# -############################################################################### -operations: - # host and port for the operations server - listenAddress: 127.0.0.1:9443 - - # TLS configuration for the operations endpoint - tls: - # TLS enabled - enabled: false - - # path to PEM encoded server certificate for the operations server - cert: - file: - - # path to PEM encoded server key for the operations server - key: - file: - - # require client certificate authentication to access all resources - clientAuthRequired: false - - # paths to PEM encoded ca certificates to trust for client authentication - clientRootCAs: - files: [] - -############################################################################### -# -# Metrics section -# -############################################################################### -metrics: - # statsd, prometheus, or disabled - provider: disabled - - # statsd configuration - statsd: - # network type: tcp or udp - network: udp - - # statsd server address - address: 127.0.0.1:8125 - - # the interval at which locally cached counters and gauges are pushed - # to statsd; timings are pushed immediately - writeInterval: 10s - - # prefix is prepended to all emitted statsd metrics - prefix: server diff --git a/test-network-k8s/config/org2/core.yaml b/test-network-k8s/config/org2/core.yaml deleted file mode 100644 index e4168a12..00000000 --- a/test-network-k8s/config/org2/core.yaml +++ /dev/null 
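Review bot: nothing in this diff says where the Kubernetes sample moves to once the org1 Fabric CA config is deleted, and the README removed earlier in the same patch was the only user-facing pointer. The file is not a stock Fabric CA config: `csr.hosts` carries `org1-ca` and the templated `org1-ca.${NS}.svc.cluster.local` SAN, `affiliations` is trimmed to `org1`/`org2`, and `cfg.identities.passwordattempts: 10`, `operations.tls.enabled: false` and `bccsp.sw.filekeystore.keystore: msp/keystore` are the settings anyone who cloned this sample will have carried into their own deployments. Please add a sentence to the commit message (or a stub README under test-network-k8s/) naming the replacement so those users know what to migrate to, and confirm that whatever substitutes `${NS}` into this file is removed in the same change rather than left pointing at a missing path.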
@@ -1,766 +0,0 @@ -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# - -############################################################################### -# -# Peer section -# -############################################################################### -peer: - - # The peer id provides a name for this peer instance and is used when - # naming docker resources. - id: jdoe - - # The networkId allows for logical separation of networks and is used when - # naming docker resources. - networkId: dev - - # The Address at local network interface this Peer will listen on. - # By default, it will listen on all network interfaces - listenAddress: 0.0.0.0:7051 - - # The endpoint this peer uses to listen for inbound chaincode connections. - # If this is commented-out, the listen address is selected to be - # the peer's address (see below) with port 7052 - # chaincodeListenAddress: 0.0.0.0:7052 - - # The endpoint the chaincode for this peer uses to connect to the peer. - # If this is not specified, the chaincodeListenAddress address is selected. - # And if chaincodeListenAddress is not specified, address is selected from - # peer address (see below). If specified peer address is invalid then it - # will fallback to the auto detected IP (local IP) regardless of the peer - # addressAutoDetect value. - # chaincodeAddress: 0.0.0.0:7052 - - # When used as peer config, this represents the endpoint to other peers - # in the same organization. For peers in other organization, see - # gossip.externalEndpoint for more info. - # When used as CLI config, this means the peer's endpoint to interact with - address: 0.0.0.0:7051 - - # Whether the Peer should programmatically determine its address - # This case is useful for docker containers. - # When set to true, will override peer address. 
- addressAutoDetect: false - - # Keepalive settings for peer server and clients - keepalive: - # Interval is the duration after which if the server does not see - # any activity from the client it pings the client to see if it's alive - interval: 7200s - # Timeout is the duration the server waits for a response - # from the client after sending a ping before closing the connection - timeout: 20s - # MinInterval is the minimum permitted time between client pings. - # If clients send pings more frequently, the peer server will - # disconnect them - minInterval: 60s - # Client keepalive settings for communicating with other peer nodes - client: - # Interval is the time between pings to peer nodes. This must - # greater than or equal to the minInterval specified by peer - # nodes - interval: 60s - # Timeout is the duration the client waits for a response from - # peer nodes before closing the connection - timeout: 20s - # DeliveryClient keepalive settings for communication with ordering - # nodes. - deliveryClient: - # Interval is the time between pings to ordering nodes. This must - # greater than or equal to the minInterval specified by ordering - # nodes. - interval: 60s - # Timeout is the duration the client waits for a response from - # ordering nodes before closing the connection - timeout: 20s - - - # Gossip related configuration - gossip: - # Bootstrap set to initialize gossip with. - # This is a list of other peers that this peer reaches out to at startup. - # Important: The endpoints here have to be endpoints of peers in the same - # organization, because the peer would refuse connecting to these endpoints - # unless they are in the same organization as the peer. - bootstrap: 127.0.0.1:7051 - - # NOTE: orgLeader and useLeaderElection parameters are mutual exclusive. - # Setting both to true would result in the termination of the peer - # since this is undefined state. 
If the peers are configured with - # useLeaderElection=false, make sure there is at least 1 peer in the - # organization that its orgLeader is set to true. - - # Defines whenever peer will initialize dynamic algorithm for - # "leader" selection, where leader is the peer to establish - # connection with ordering service and use delivery protocol - # to pull ledger blocks from ordering service. - useLeaderElection: false - # Statically defines peer to be an organization "leader", - # where this means that current peer will maintain connection - # with ordering service and disseminate block across peers in - # its own organization. Multiple peers or all peers in an organization - # may be configured as org leaders, so that they all pull - # blocks directly from ordering service. - orgLeader: true - - # Interval for membershipTracker polling - membershipTrackerInterval: 5s - - # Overrides the endpoint that the peer publishes to peers - # in its organization. For peers in foreign organizations - # see 'externalEndpoint' - endpoint: - # Maximum count of blocks stored in memory - maxBlockCountToStore: 10 - # Max time between consecutive message pushes(unit: millisecond) - maxPropagationBurstLatency: 10ms - # Max number of messages stored until a push is triggered to remote peers - maxPropagationBurstSize: 10 - # Number of times a message is pushed to remote peers - propagateIterations: 1 - # Number of peers selected to push messages to - propagatePeerNum: 3 - # Determines frequency of pull phases(unit: second) - # Must be greater than digestWaitTime + responseWaitTime - pullInterval: 4s - # Number of peers to pull from - pullPeerNum: 3 - # Determines frequency of pulling state info messages from peers(unit: second) - requestStateInfoInterval: 4s - # Determines frequency of pushing state info messages to peers(unit: second) - publishStateInfoInterval: 4s - # Maximum time a stateInfo message is kept until expired - stateInfoRetentionInterval: - # Time from startup 
certificates are included in Alive messages(unit: second) - publishCertPeriod: 10s - # Should we skip verifying block messages or not (currently not in use) - skipBlockVerification: false - # Dial timeout(unit: second) - dialTimeout: 3s - # Connection timeout(unit: second) - connTimeout: 2s - # Buffer size of received messages - recvBuffSize: 20 - # Buffer size of sending messages - sendBuffSize: 200 - # Time to wait before pull engine processes incoming digests (unit: second) - # Should be slightly smaller than requestWaitTime - digestWaitTime: 1s - # Time to wait before pull engine removes incoming nonce (unit: milliseconds) - # Should be slightly bigger than digestWaitTime - requestWaitTime: 1500ms - # Time to wait before pull engine ends pull (unit: second) - responseWaitTime: 2s - # Alive check interval(unit: second) - aliveTimeInterval: 5s - # Alive expiration timeout(unit: second) - aliveExpirationTimeout: 25s - # Reconnect interval(unit: second) - reconnectInterval: 25s - # Max number of attempts to connect to a peer - maxConnectionAttempts: 120 - # Message expiration factor for alive messages - msgExpirationFactor: 20 - # This is an endpoint that is published to peers outside of the organization. - # If this isn't set, the peer will not be known to other organizations. 
- externalEndpoint: - # Leader election service configuration - election: - # Longest time peer waits for stable membership during leader election startup (unit: second) - startupGracePeriod: 15s - # Interval gossip membership samples to check its stability (unit: second) - membershipSampleInterval: 1s - # Time passes since last declaration message before peer decides to perform leader election (unit: second) - leaderAliveThreshold: 10s - # Time between peer sends propose message and declares itself as a leader (sends declaration message) (unit: second) - leaderElectionDuration: 5s - - pvtData: - # pullRetryThreshold determines the maximum duration of time private data corresponding for a given block - # would be attempted to be pulled from peers until the block would be committed without the private data - pullRetryThreshold: 60s - # As private data enters the transient store, it is associated with the peer's ledger's height at that time. - # transientstoreMaxBlockRetention defines the maximum difference between the current ledger's height upon commit, - # and the private data residing inside the transient store that is guaranteed not to be purged. - # Private data is purged from the transient store when blocks with sequences that are multiples - # of transientstoreMaxBlockRetention are committed. - transientstoreMaxBlockRetention: 1000 - # pushAckTimeout is the maximum time to wait for an acknowledgement from each peer - # at private data push at endorsement time. - pushAckTimeout: 3s - # Block to live pulling margin, used as a buffer - # to prevent peer from trying to pull private data - # from peers that is soon to be purged in next N blocks. - # This helps a newly joined peer catch up to current - # blockchain height quicker. - btlPullMargin: 10 - # the process of reconciliation is done in an endless loop, while in each iteration reconciler tries to - # pull from the other peers the most recent missing blocks with a maximum batch size limitation. 
- # reconcileBatchSize determines the maximum batch size of missing private data that will be reconciled in a - # single iteration. - reconcileBatchSize: 10 - # reconcileSleepInterval determines the time reconciler sleeps from end of an iteration until the beginning - # of the next reconciliation iteration. - reconcileSleepInterval: 1m - # reconciliationEnabled is a flag that indicates whether private data reconciliation is enable or not. - reconciliationEnabled: true - # skipPullingInvalidTransactionsDuringCommit is a flag that indicates whether pulling of invalid - # transaction's private data from other peers need to be skipped during the commit time and pulled - # only through reconciler. - skipPullingInvalidTransactionsDuringCommit: false - # implicitCollectionDisseminationPolicy specifies the dissemination policy for the peer's own implicit collection. - # When a peer endorses a proposal that writes to its own implicit collection, below values override the default values - # for disseminating private data. - # Note that it is applicable to all channels the peer has joined. The implication is that requiredPeerCount has to - # be smaller than the number of peers in a channel that has the lowest numbers of peers from the organization. - implicitCollectionDisseminationPolicy: - # requiredPeerCount defines the minimum number of eligible peers to which the peer must successfully - # disseminate private data for its own implicit collection during endorsement. Default value is 0. - requiredPeerCount: 0 - # maxPeerCount defines the maximum number of eligible peers to which the peer will attempt to - # disseminate private data for its own implicit collection during endorsement. Default value is 1. - maxPeerCount: 1 - - # Gossip state transfer related configuration - state: - # indicates whenever state transfer is enabled or not - # default value is true, i.e. 
state transfer is active - # and takes care to sync up missing blocks allowing - # lagging peer to catch up to speed with rest network. - # Keep in mind that when peer.gossip.useLeaderElection is true - # and there are several peers in the organization, - # or peer.gossip.useLeaderElection is false alongside with - # peer.gossip.orgleader being false, the peer's ledger may lag behind - # the rest of the peers and will never catch up due to state transfer - # being disabled. - enabled: false - # checkInterval interval to check whether peer is lagging behind enough to - # request blocks via state transfer from another peer. - checkInterval: 10s - # responseTimeout amount of time to wait for state transfer response from - # other peers - responseTimeout: 3s - # batchSize the number of blocks to request via state transfer from another peer - batchSize: 10 - # blockBufferSize reflects the size of the re-ordering buffer - # which captures blocks and takes care to deliver them in order - # down to the ledger layer. The actual buffer size is bounded between - # 0 and 2*blockBufferSize, each channel maintains its own buffer - blockBufferSize: 20 - # maxRetries maximum number of re-tries to ask - # for single state transfer request - maxRetries: 3 - - # TLS Settings - tls: - # Require server-side TLS - enabled: true - # Require client certificates / mutual TLS for inbound connections. - # Note that clients that are not configured to use a certificate will - # fail to connect to the peer. - clientAuthRequired: false - # X.509 certificate used for TLS server - cert: - file: tls/server.crt - # Private key used for TLS server - key: - file: tls/server.key - # rootcert.file represents the trusted root certificate chain used for verifying certificates - # of other nodes during outbound connections. - # It is not required to be set, but can be used to augment the set of TLS CA certificates - # available from the MSPs of each channel’s configuration. 
- rootcert: - file: tls/ca.crt - # If mutual TLS is enabled, clientRootCAs.files contains a list of additional root certificates - # used for verifying certificates of client connections. - # It augments the set of TLS CA certificates available from the MSPs of each channel’s configuration. - # Minimally, set your organization's TLS CA root certificate so that the peer can receive join channel requests. - clientRootCAs: - files: - - tls/ca.crt - # Private key used for TLS when making client connections. - # If not set, peer.tls.key.file will be used instead - clientKey: - file: - # X.509 certificate used for TLS when making client connections. - # If not set, peer.tls.cert.file will be used instead - clientCert: - file: - - # Authentication contains configuration parameters related to authenticating - # client messages - authentication: - # the acceptable difference between the current server time and the - # client's time as specified in a client request message - timewindow: 15m - - # Path on the file system where peer will store data (eg ledger). This - # location must be access control protected to prevent unintended - # modification that might corrupt the peer operations. - fileSystemPath: /var/hyperledger/production - - # BCCSP (Blockchain crypto provider): Select which crypto implementation or - # library to use - BCCSP: - Default: SW - # Settings for the SW crypto provider (i.e. when DEFAULT: SW) - SW: - # TODO: The default Hash and Security level needs refactoring to be - # fully configurable. Changing these defaults requires coordination - # SHA2 is hardcoded in several places, not only BCCSP - Hash: SHA2 - Security: 256 - # Location of Key Store - FileKeyStore: - # If "", defaults to 'mspConfigPath'/keystore - KeyStore: - # Settings for the PKCS#11 crypto provider (i.e. 
when DEFAULT: PKCS11) - PKCS11: - # Location of the PKCS11 module library - Library: - # Token Label - Label: - # User PIN - Pin: - Hash: - Security: - - # Path on the file system where peer will find MSP local configurations - mspConfigPath: msp - - # Identifier of the local MSP - # ----!!!!IMPORTANT!!!-!!!IMPORTANT!!!-!!!IMPORTANT!!!!---- - # Deployers need to change the value of the localMspId string. - # In particular, the name of the local MSP ID of a peer needs - # to match the name of one of the MSPs in each of the channel - # that this peer is a member of. Otherwise this peer's messages - # will not be identified as valid by other nodes. - localMspId: Org2MSP - - # CLI common client config options - client: - # connection timeout - connTimeout: 10s - - # Delivery service related config - deliveryclient: - # It sets the total time the delivery service may spend in reconnection - # attempts until its retry logic gives up and returns an error - reconnectTotalTimeThreshold: 3600s - - # It sets the delivery service <-> ordering service node connection timeout - connTimeout: 10s - - # It sets the delivery service maximal delay between consecutive retries - reConnectBackoffThreshold: 3600s - - # A list of orderer endpoint addresses which should be overridden - # when found in channel configurations. - addressOverrides: - # - from: - # to: - # caCertsFile: - # - from: - # to: - # caCertsFile: - - # Type for the local MSP - by default it's of type bccsp - localMspType: bccsp - - # Used with Go profiling tools only in none production environment. 
In - # production, it should be disabled (eg enabled: false) - profile: - enabled: false - listenAddress: 0.0.0.0:6060 - - # Handlers defines custom handlers that can filter and mutate - # objects passing within the peer, such as: - # Auth filter - reject or forward proposals from clients - # Decorators - append or mutate the chaincode input passed to the chaincode - # Endorsers - Custom signing over proposal response payload and its mutation - # Valid handler definition contains: - # - A name which is a factory method name defined in - # core/handlers/library/library.go for statically compiled handlers - # - library path to shared object binary for pluggable filters - # Auth filters and decorators are chained and executed in the order that - # they are defined. For example: - # authFilters: - # - - # name: FilterOne - # library: /opt/lib/filter.so - # - - # name: FilterTwo - # decorators: - # - - # name: DecoratorOne - # - - # name: DecoratorTwo - # library: /opt/lib/decorator.so - # Endorsers are configured as a map that its keys are the endorsement system chaincodes that are being overridden. - # Below is an example that overrides the default ESCC and uses an endorsement plugin that has the same functionality - # as the default ESCC. - # If the 'library' property is missing, the name is used as the constructor method in the builtin library similar - # to auth filters and decorators. - # endorsers: - # escc: - # name: DefaultESCC - # library: /etc/hyperledger/fabric/plugin/escc.so - handlers: - authFilters: - - - name: DefaultAuth - - - name: ExpirationCheck # This filter checks identity x509 certificate expiration - decorators: - - - name: DefaultDecorator - endorsers: - escc: - name: DefaultEndorsement - library: - validators: - vscc: - name: DefaultValidation - library: - - # library: /etc/hyperledger/fabric/plugin/escc.so - # Number of goroutines that will execute transaction validation in parallel. 
- # By default, the peer chooses the number of CPUs on the machine. Set this - # variable to override that choice. - # NOTE: overriding this value might negatively influence the performance of - # the peer so please change this value only if you know what you're doing - validatorPoolSize: - - # The discovery service is used by clients to query information about peers, - # such as - which peers have joined a certain channel, what is the latest - # channel config, and most importantly - given a chaincode and a channel, - # what possible sets of peers satisfy the endorsement policy. - discovery: - enabled: true - # Whether the authentication cache is enabled or not. - authCacheEnabled: true - # The maximum size of the cache, after which a purge takes place - authCacheMaxSize: 1000 - # The proportion (0 to 1) of entries that remain in the cache after the cache is purged due to overpopulation - authCachePurgeRetentionRatio: 0.75 - # Whether to allow non-admins to perform non channel scoped queries. - # When this is false, it means that only peer admins can perform non channel scoped queries. - orgMembersAllowedAccess: false - - # Limits is used to configure some internal resource limits. - limits: - # Concurrency limits the number of concurrently running requests to a service on each peer. - # Currently this option is only applied to endorser service and deliver service. - # When the property is missing or the value is 0, the concurrency limit is disabled for the service. - concurrency: - # endorserService limits concurrent requests to endorser service that handles chaincode deployment, query and invocation, - # including both user chaincodes and system chaincodes. - endorserService: 2500 - # deliverService limits concurrent event listeners registered to deliver service for blocks and transaction events. 
- deliverService: 2500 - -############################################################################### -# -# VM section -# -############################################################################### -vm: - - # Endpoint of the vm management system. For docker can be one of the following in general - # unix:///var/run/docker.sock - # http://localhost:2375 - # https://localhost:2376 - # endpoint: unix:///var/run/docker.sock - - # settings for docker vms - docker: - tls: - enabled: false - ca: - file: docker/ca.crt - cert: - file: docker/tls.crt - key: - file: docker/tls.key - - # Enables/disables the standard out/err from chaincode containers for - # debugging purposes - attachStdout: false - - # Parameters on creating docker container. - # Container may be efficiently created using ipam & dns-server for cluster - # NetworkMode - sets the networking mode for the container. Supported - # standard values are: `host`(default),`bridge`,`ipvlan`,`none`. - # Dns - a list of DNS servers for the container to use. - # Note: `Privileged` `Binds` `Links` and `PortBindings` properties of - # Docker Host Config are not supported and will not be used if set. - # LogConfig - sets the logging driver (Type) and related options - # (Config) for Docker. For more info, - # https://docs.docker.com/engine/admin/logging/overview/ - # Note: Set LogConfig using Environment Variables is not supported. - hostConfig: - NetworkMode: host - Dns: - # - 192.168.0.1 - LogConfig: - Type: json-file - Config: - max-size: "50m" - max-file: "5" - Memory: 2147483648 - -############################################################################### -# -# Chaincode section -# -############################################################################### -chaincode: - - # The id is used by the Chaincode stub to register the executing Chaincode - # ID with the Peer and is generally supplied through ENV variables - # the `path` form of ID is provided when installing the chaincode. 
- # The `name` is used for all other requests and can be any string. - id: - path: - name: - - # Generic builder environment, suitable for most chaincode types - builder: $(DOCKER_NS)/fabric-ccenv:$(TWO_DIGIT_VERSION) - - # Enables/disables force pulling of the base docker images (listed below) - # during user chaincode instantiation. - # Useful when using moving image tags (such as :latest) - pull: false - - golang: - # golang will never need more than baseos - runtime: $(DOCKER_NS)/fabric-baseos:$(TWO_DIGIT_VERSION) - - # whether or not golang chaincode should be linked dynamically - dynamicLink: false - - java: - # This is an image based on java:openjdk-8 with addition compiler - # tools added for java shim layer packaging. - # This image is packed with shim layer libraries that are necessary - # for Java chaincode runtime. - runtime: $(DOCKER_NS)/fabric-javaenv:$(TWO_DIGIT_VERSION) - - node: - # This is an image based on node:$(NODE_VER)-alpine - runtime: $(DOCKER_NS)/fabric-nodeenv:$(TWO_DIGIT_VERSION) - - # List of directories to treat as external builders and launchers for - # chaincode. The external builder detection processing will iterate over the - # builders in the order specified below. - externalBuilders: - - name: ccaas_builder - path: /opt/hyperledger/ccaas_builder - propagateEnvironment: - - CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG - - # copied into the /var persistent volume share by "network up" - - name: k8s_builder - path: /var/hyperledger/fabric/external_builders/k8s_builder - propagateEnvironment: - - CORE_PEER_ID - - FABRIC_K8S_BUILDER_OBJECT_NAME_PREFIX - - KUBERNETES_SERVICE_HOST - - KUBERNETES_SERVICE_PORT - - # The maximum duration to wait for the chaincode build and install process - # to complete. - installTimeout: 300s - - # Timeout duration for starting up a container and waiting for Register - # to come through. - startuptimeout: 300s - - # Timeout duration for Invoke and Init calls to prevent runaway. 
- # This timeout is used by all chaincodes in all the channels, including - # system chaincodes. - # Note that during Invoke, if the image is not available (e.g. being - # cleaned up when in development environment), the peer will automatically - # build the image, which might take more time. In production environment, - # the chaincode image is unlikely to be deleted, so the timeout could be - # reduced accordingly. - executetimeout: 30s - - # There are 2 modes: "dev" and "net". - # In dev mode, user runs the chaincode after starting peer from - # command line on local machine. - # In net mode, peer will run chaincode in a docker container. - mode: net - - # keepalive in seconds. In situations where the communication goes through a - # proxy that does not support keep-alive, this parameter will maintain connection - # between peer and chaincode. - # A value <= 0 turns keepalive off - keepalive: 0 - - # enabled system chaincodes - system: - _lifecycle: enable - cscc: enable - lscc: enable - qscc: enable - - # Logging section for the chaincode container - logging: - # Default level for all loggers within the chaincode container - level: info - # Override default level for the 'shim' logger - shim: warning - # Format for the chaincode container logs - format: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}' - -############################################################################### -# -# Ledger section - ledger configuration encompasses both the blockchain -# and the state -# -############################################################################### -ledger: - - blockchain: - - state: - # stateDatabase - options are "goleveldb", "CouchDB" - # goleveldb - default state database stored in goleveldb. 
- # CouchDB - store state database in CouchDB - stateDatabase: goleveldb - # Limit on the number of records to return per query - totalQueryLimit: 100000 - couchDBConfig: - # It is recommended to run CouchDB on the same server as the peer, and - # not map the CouchDB container port to a server port in docker-compose. - # Otherwise proper security must be provided on the connection between - # CouchDB client (on the peer) and server. - couchDBAddress: 127.0.0.1:5984 - # This username must have read and write authority on CouchDB - username: - # The password is recommended to pass as an environment variable - # during start up (eg CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD). - # If it is stored here, the file must be access control protected - # to prevent unintended users from discovering the password. - password: - # Number of retries for CouchDB errors - maxRetries: 3 - # Number of retries for CouchDB errors during peer startup. - # The delay between retries doubles for each attempt. - # Default of 10 retries results in 11 attempts over 2 minutes. - maxRetriesOnStartup: 10 - # CouchDB request timeout (unit: duration, e.g. 20s) - requestTimeout: 35s - # Limit on the number of records per each CouchDB query - # Note that chaincode queries are only bound by totalQueryLimit. - # Internally the chaincode may execute multiple CouchDB queries, - # each of size internalQueryLimit. - internalQueryLimit: 1000 - # Limit on the number of records per CouchDB bulk update batch - maxBatchUpdateSize: 1000 - # Warm indexes after every N blocks. - # This option warms any indexes that have been - # deployed to CouchDB after every N blocks. - # A value of 1 will warm indexes after every block commit, - # to ensure fast selector queries. - # Increasing the value may improve write efficiency of peer and CouchDB, - # but may degrade query response time. - warmIndexesAfterNBlocks: 1 - # Create the _global_changes system database - # This is optional. 
Creating the global changes database will require - # additional system resources to track changes and maintain the database - createGlobalChangesDB: false - # CacheSize denotes the maximum mega bytes (MB) to be allocated for the in-memory state - # cache. Note that CacheSize needs to be a multiple of 32 MB. If it is not a multiple - # of 32 MB, the peer would round the size to the next multiple of 32 MB. - # To disable the cache, 0 MB needs to be assigned to the cacheSize. - cacheSize: 64 - - history: - # enableHistoryDatabase - options are true or false - # Indicates if the history of key updates should be stored. - # All history 'index' will be stored in goleveldb, regardless if using - # CouchDB or alternate database for the state. - enableHistoryDatabase: true - - pvtdataStore: - # the maximum db batch size for converting - # the ineligible missing data entries to eligible missing data entries - collElgProcMaxDbBatchSize: 5000 - # the minimum duration (in milliseconds) between writing - # two consecutive db batches for converting the ineligible missing data entries to eligible missing data entries - collElgProcDbBatchesInterval: 1000 - # The missing data entries are classified into two categories: - # (1) prioritized - # (2) deprioritized - # Initially, all missing data are in the prioritized list. When the - # reconciler is unable to fetch the missing data from other peers, - # the unreconciled missing data would be moved to the deprioritized list. - # The reconciler would retry deprioritized missing data after every - # deprioritizedDataReconcilerInterval (unit: minutes). 
Note that the - # interval needs to be greater than the reconcileSleepInterval - deprioritizedDataReconcilerInterval: 60m - - snapshots: - # Path on the file system where peer will store ledger snapshots - rootDir: /var/hyperledger/production/snapshots - -############################################################################### -# -# Operations section -# -############################################################################### -operations: - # host and port for the operations server - listenAddress: 127.0.0.1:9443 - - # TLS configuration for the operations endpoint - tls: - # TLS enabled - enabled: false - - # path to PEM encoded server certificate for the operations server - cert: - file: - - # path to PEM encoded server key for the operations server - key: - file: - - # most operations service endpoints require client authentication when TLS - # is enabled. clientAuthRequired requires client certificate authentication - # at the TLS layer to access all resources. - clientAuthRequired: false - - # paths to PEM encoded ca certificates to trust for client authentication - clientRootCAs: - files: [] - -############################################################################### -# -# Metrics section -# -############################################################################### -metrics: - # metrics provider is one of statsd, prometheus, or disabled - provider: disabled - - # statsd configuration - statsd: - # network type: tcp or udp - network: udp - - # statsd server address - address: 127.0.0.1:8125 - - # the interval at which locally cached counters and gauges are pushed - # to statsd; timings are pushed immediately - writeInterval: 10s - - # prefix is prepended to all emitted statsd metrics - prefix: diff --git a/test-network-k8s/config/org2/fabric-ca-server-config.yaml b/test-network-k8s/config/org2/fabric-ca-server-config.yaml deleted file mode 100644 index 677c9c07..00000000 
--- a/test-network-k8s/config/org2/fabric-ca-server-config.yaml +++ /dev/null 
@@ -1,506 +0,0 @@ -############################################################################# -# This is a configuration file for the fabric-ca-server command. -# -# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES -# ------------------------------------------------ -# Each configuration element can be overridden via command line -# arguments or environment variables. The precedence for determining -# the value of each element is as follows: -# 1) command line argument -# Examples: -# a) --port 443 -# To set the listening port -# b) --ca.keyfile ../mykey.pem -# To set the "keyfile" element in the "ca" section below; -# note the '.' separator character. -# 2) environment variable -# Examples: -# a) FABRIC_CA_SERVER_PORT=443 -# To set the listening port -# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" -# To set the "keyfile" element in the "ca" section below; -# note the '_' separator character. -# 3) configuration file -# 4) default value (if there is one) -# All default values are shown beside each element below. -# -# FILE NAME ELEMENTS -# ------------------ -# The value of all fields whose name ends with "file" or "files" are -# name or names of other files. -# For example, see "tls.certfile" and "tls.clientauth.certfiles". -# The value of each of these fields can be a simple filename, a -# relative path, or an absolute path. If the value is not an -# absolute path, it is interpreted as being relative to the location -# of this configuration file. 
-# -############################################################################# - -# Version of config file -version: 1.5.2 - -# Server's listening port (default: 7054) -port: 443 - -# Cross-Origin Resource Sharing (CORS) -cors: - enabled: false - origins: - - "*" - -# Enables debug logging (default: false) -debug: false - -# Size limit of an acceptable CRL in bytes (default: 512000) -crlsizelimit: 512000 - -############################################################################# -# TLS section for the server's listening port -# -# The following types are supported for client authentication: NoClientCert, -# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, -# and RequireAndVerifyClientCert. -# -# Certfiles is a list of root certificate authorities that the server uses -# when verifying client certificates. -############################################################################# -tls: - # Enable TLS (default: false) - enabled: true - # TLS for the server's listening port - certfile: - keyfile: - clientauth: - type: noclientcert - certfiles: - -############################################################################# -# The CA section contains information related to the Certificate Authority -# including the name of the CA, which should be unique for all members -# of a blockchain network. It also includes the key and certificate files -# used when issuing enrollment certificates (ECerts) and transaction -# certificates (TCerts). -# The chainfile (if it exists) contains the certificate chain which -# should be trusted for this CA, where the 1st in the chain is always the -# root CA certificate. 
-############################################################################# -ca: - # Name of this CA - name: org2-ca - # Key file (is only used to import a private key into BCCSP) - keyfile: - # Certificate file (default: ca-cert.pem) - certfile: - # Chain file - chainfile: - -############################################################################# -# The gencrl REST endpoint is used to generate a CRL that contains revoked -# certificates. This section contains configuration options that are used -# during gencrl request processing. -############################################################################# -crl: - # Specifies expiration for the generated CRL. The number of hours - # specified by this property is added to the UTC time, the resulting time - # is used to set the 'Next Update' date of the CRL. - expiry: 24h - -############################################################################# -# The registry section controls how the fabric-ca-server does two things: -# 1) authenticates enrollment requests which contain a username and password -# (also known as an enrollment ID and secret). -# 2) once authenticated, retrieves the identity's attribute names and -# values which the fabric-ca-server optionally puts into TCerts -# which it issues for transacting on the Hyperledger Fabric blockchain. -# These attributes are useful for making access control decisions in -# chaincode. -# There are two main configuration options: -# 1) The fabric-ca-server is the registry. -# This is true if "ldap.enabled" in the ldap section below is false. -# 2) An LDAP server is the registry, in which case the fabric-ca-server -# calls the LDAP server to perform these tasks. -# This is true if "ldap.enabled" in the ldap section below is true, -# which means this "registry" section is ignored. 
-############################################################################# -registry: - # Maximum number of times a password/secret can be reused for enrollment - # (default: -1, which means there is no limit) - maxenrollments: -1 - - # Contains identity information which is used when LDAP is disabled - identities: - - name: rcaadmin - pass: rcaadminpw - type: client - affiliation: "" - attrs: - hf.Registrar.Roles: "*" - hf.Registrar.DelegateRoles: "*" - hf.Revoker: true - hf.IntermediateCA: true - hf.GenCRL: true - hf.Registrar.Attributes: "*" - hf.AffiliationMgr: true - -############################################################################# -# Database section -# Supported types are: "sqlite3", "postgres", and "mysql". -# The datasource value depends on the type. -# If the type is "sqlite3", the datasource value is a file name to use -# as the database store. Since "sqlite3" is an embedded database, it -# may not be used if you want to run the fabric-ca-server in a cluster. -# To run the fabric-ca-server in a cluster, you must choose "postgres" -# or "mysql". -############################################################################# -db: - type: sqlite3 - datasource: fabric-ca-server.db - tls: - enabled: false - certfiles: - client: - certfile: - keyfile: - -############################################################################# -# LDAP section -# If LDAP is enabled, the fabric-ca-server calls LDAP to: -# 1) authenticate enrollment ID and secret (i.e. username and password) -# for enrollment requests; -# 2) To retrieve identity attributes -############################################################################# -ldap: - # Enables or disables the LDAP client (default: false) - # If this is set to true, the "registry" section is ignored. 
- enabled: false - # The URL of the LDAP server - url: ldap://:@:/ - # TLS configuration for the client connection to the LDAP server - tls: - certfiles: - client: - certfile: - keyfile: - # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes - attribute: - # 'names' is an array of strings containing the LDAP attribute names which are - # requested from the LDAP server for an LDAP identity's entry - names: ['uid','member'] - # The 'converters' section is used to convert an LDAP entry to the value of - # a fabric CA attribute. - # For example, the following converts an LDAP 'uid' attribute - # whose value begins with 'revoker' to a fabric CA attribute - # named "hf.Revoker" with a value of "true" (because the boolean expression - # evaluates to true). - # converters: - # - name: hf.Revoker - # value: attr("uid") =~ "revoker*" - converters: - - name: - value: - # The 'maps' section contains named maps which may be referenced by the 'map' - # function in the 'converters' section to map LDAP responses to arbitrary values. - # For example, assume a user has an LDAP attribute named 'member' which has multiple - # values which are each a distinguished name (i.e. a DN). For simplicity, assume the - # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. - # Further assume the following configuration. - # converters: - # - name: hf.Registrar.Roles - # value: map(attr("member"),"groups") - # maps: - # groups: - # - name: dn1 - # value: peer - # - name: dn2 - # value: client - # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be - # "peer,client,dn3". This is because the value of 'attr("member")' is - # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of - # "group" replaces "dn1" with "peer" and "dn2" with "client". - maps: - groups: - - name: - value: - -############################################################################# -# Affiliations section. 
Fabric CA server can be bootstrapped with the -# affiliations specified in this section. Affiliations are specified as maps. -# For example: -# businessunit1: -# department1: -# - team1 -# businessunit2: -# - department2 -# - department3 -# -# Affiliations are hierarchical in nature. In the above example, -# department1 (used as businessunit1.department1) is the child of businessunit1. -# team1 (used as businessunit1.department1.team1) is the child of department1. -# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) -# are children of businessunit2. -# Note: Affiliations are case sensitive except for the non-leaf affiliations -# (like businessunit1, department1, businessunit2) that are specified in the configuration file, -# which are always stored in lower case. -############################################################################# -affiliations: - org1: - - department1 - - department2 - org2: - - department1 - -############################################################################# -# Signing section -# -# The "default" subsection is used to sign enrollment certificates; -# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. -# -# The "ca" profile subsection is used to sign intermediate CA certificates; -# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. -# Note that "isca" is true, meaning that it issues a CA certificate. -# A maxpathlen of 0 means that the intermediate CA cannot issue other -# intermediate CA certificates, though it can still issue end entity certificates. -# (See RFC 5280, section 4.2.1.9) -# -# The "tls" profile subsection is used to sign TLS certificate requests; -# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. 
-############################################################################# -signing: - default: - usage: - - digital signature - expiry: 8760h - profiles: - ca: - usage: - - cert sign - - crl sign - expiry: 43800h - caconstraint: - isca: true - maxpathlen: 0 - tls: - usage: - - signing - - key encipherment - - server auth - - client auth - - key agreement - expiry: 8760h - -########################################################################### -# Certificate Signing Request (CSR) section. -# This controls the creation of the root CA certificate. -# The expiration for the root CA certificate is configured with the -# "ca.expiry" field below, whose default value is "131400h" which is -# 15 years in hours. -# The pathlength field is used to limit CA certificate hierarchy as described -# in section 4.2.1.9 of RFC 5280. -# Examples: -# 1) No pathlength value means no limit is requested. -# 2) pathlength == 1 means a limit of 1 is requested which is the default for -# a root CA. This means the root CA can issue intermediate CA certificates, -# but these intermediate CAs may not in turn issue other CA certificates -# though they can still issue end entity certificates. -# 3) pathlength == 0 means a limit of 0 is requested; -# this is the default for an intermediate CA, which means it can not issue -# CA certificates though it can still issue end entity certificates. -########################################################################### -csr: - cn: fabric-ca-server - keyrequest: - algo: ecdsa - size: 256 - names: - - C: US - ST: "North Carolina" - L: - O: Hyperledger - OU: Fabric - hosts: - - localhost - - 127.0.0.1 - - org2-ca - - org2-ca.${NS}.svc.cluster.local - ca: - expiry: 131400h - pathlength: 1 - -########################################################################### -# Each CA can issue both X509 enrollment certificate as well as Idemix -# Credential. 
This section specifies configuration for the issuer component -# that is responsible for issuing Idemix credentials. -########################################################################### -idemix: - # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an - # Idemix credential. The issuer will create a pool revocation handles of this specified size. When - # a credential is requested, issuer will get handle from the pool and assign it to the credential. - # Issuer will repopulate the pool with new handles when the last handle in the pool is used. - # A revocation handle and credential revocation information (CRI) are used to create non revocation proof - # by the prover to prove to the verifier that her credential is not revoked. - rhpoolsize: 1000 - - # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer - # and second step is send credential request that is constructed using the nonce to the issuer to - # request a credential. This configuration property specifies expiration for the nonces. By default is - # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration). - nonceexpiration: 15s - - # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes. 
- # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration) - noncesweepinterval: 15m - -############################################################################# -# BCCSP (BlockChain Crypto Service Provider) section is used to select which -# crypto library implementation to use -############################################################################# -bccsp: - default: SW - sw: - hash: SHA2 - security: 256 - filekeystore: - # The directory used for the software file-based keystore - keystore: msp/keystore - -############################################################################# -# Multi CA section -# -# Each Fabric CA server contains one CA by default. This section is used -# to configure multiple CAs in a single server. -# -# 1) --cacount -# Automatically generate non-default CAs. The names of these -# additional CAs are "ca1", "ca2", ... "caN", where "N" is -# This is particularly useful in a development environment to quickly set up -# multiple CAs. Note that, this config option is not applicable to intermediate CA server -# i.e., Fabric CA server that is started with intermediate.parentserver.url config -# option (-u command line option) -# -# 2) --cafiles -# For each CA config file in the list, generate a separate signing CA. Each CA -# config file in this list MAY contain all of the same elements as are found in -# the server config file except port, debug, and tls sections. 
-# -# Examples: -# fabric-ca-server start -b admin:adminpw --cacount 2 -# -# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml -# --cafiles ca/ca2/fabric-ca-server-config.yaml -# -############################################################################# - -cacount: - -cafiles: - -############################################################################# -# Intermediate CA section -# -# The relationship between servers and CAs is as follows: -# 1) A single server process may contain or function as one or more CAs. -# This is configured by the "Multi CA section" above. -# 2) Each CA is either a root CA or an intermediate CA. -# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. -# -# This section pertains to configuration of #2 and #3. -# If the "intermediate.parentserver.url" property is set, -# then this is an intermediate CA with the specified parent -# CA. -# -# parentserver section -# url - The URL of the parent server -# caname - Name of the CA to enroll within the server -# -# enrollment section used to enroll intermediate CA with parent CA -# profile - Name of the signing profile to use in issuing the certificate -# label - Label to use in HSM operations -# -# tls section for secure socket connection -# certfiles - PEM-encoded list of trusted root certificate files -# client: -# certfile - PEM-encoded certificate file for when client authentication -# is enabled on server -# keyfile - PEM-encoded key file for when client authentication -# is enabled on server -############################################################################# -intermediate: - parentserver: - url: - caname: - - enrollment: - hosts: - profile: - label: - - tls: - certfiles: - client: - certfile: - keyfile: - -############################################################################# -# CA configuration section -# -# Configure the number of incorrect password attempts are allowed for -# 
identities. By default, the value of 'passwordattempts' is 10, which -# means that 10 incorrect password attempts can be made before an identity get -# locked out. -############################################################################# -cfg: - identities: - passwordattempts: 10 - -############################################################################### -# -# Operations section -# -############################################################################### -operations: - # host and port for the operations server - listenAddress: 127.0.0.1:9443 - - # TLS configuration for the operations endpoint - tls: - # TLS enabled - enabled: false - - # path to PEM encoded server certificate for the operations server - cert: - file: - - # path to PEM encoded server key for the operations server - key: - file: - - # require client certificate authentication to access all resources - clientAuthRequired: false - - # paths to PEM encoded ca certificates to trust for client authentication - clientRootCAs: - files: [] - -############################################################################### -# -# Metrics section -# -############################################################################### -metrics: - # statsd, prometheus, or disabled - provider: disabled - - # statsd configuration - statsd: - # network type: tcp or udp - network: udp - - # statsd server address - address: 127.0.0.1:8125 - - # the interval at which locally cached counters and gauges are pushed - # to statsd; timings are pushed immediately - writeInterval: 10s - - # prefix is prepended to all emitted statsd metrics - prefix: server diff --git a/test-network-k8s/docs/APPLICATIONS.md b/test-network-k8s/docs/APPLICATIONS.md deleted file mode 100644 index acf6b98b..00000000 --- a/test-network-k8s/docs/APPLICATIONS.md +++ /dev/null 
@@ -1,106 +0,0 @@ -# Working with Applications - -## TL/DR: - -```shell -$ ./network rest-easy -Launching fabric-rest-sample application: -βœ… - Ensuring fabric-rest-sample image ... -βœ… - Constructing fabric-rest-sample connection profiles ... -βœ… - Starting fabric-rest-sample ... - -The fabric-rest-sample has started. See https://github.com/hyperledger/fabric-samples/tree/main/asset-transfer-basic/rest-api-typescript for additional usage. -To access the endpoint: - -export SAMPLE_APIKEY=97834158-3224-4CE7-95F9-A148C886653E -curl -s --header "X-Api-Key: ${SAMPLE_APIKEY}" http://localhost/api/assets - -🏁 - Fabric REST sample is ready. -``` - -```shell -$ export SAMPLE_APIKEY=97834158-3224-4CE7-95F9-A148C886653E - -$ ./network chaincode invoke asset-transfer-basic '{"Args":["CreateAsset","1","blue","35","tom","1000"]}' - -$ curl -s --header "X-Api-Key: ${SAMPLE_APIKEY}" http://fabric-rest-sample.localho.st/api/assets | jq -[ - { - "Key": "1", - "Record": { - "ID": "1", - "color": "blue", - "size": 35, - "owner": "tom", - "appraisedValue": 1000 - } - } -] - -$ open https://github.com/hyperledger/fabric-samples/tree/main/asset-transfer-basic/rest-api-typescript -``` - -## Guide for Gateway Client Applications - -TODO: this section is a work-in-progress. - -### EXTERNAL Gateway Client (localhost) - -For certain development scenarios, it is advantageous to run a Gateway Client externally, using a bridge -or port forward to access services running behind the veil of Kubernetes networking. For instance, during active -development we can run a Gateway Client under the microscope of an IDE / debugger, on a local system, connected -to a remote network as if it were running resident within the Kube. As the system is developed (bugs addressed, etc.), -the application author can transition the updated routines into Docker containers, verify locally, and push -into the container registry for validation within the Kubernetes network. 
- -Here is a brief overview of the steps necessary to run EXTERNAL gateway applications: - -1. Open a TCP port forward from the local host to a targeted peer: -```shell -kubectl -n test-network port-forward svc/org1-peer1 7051:7051 -``` - -2. Add "mock DNS" records to /etc/hosts for TLS host validation: -```shell -127.0.0.1 org1-peer1 -``` - -3. Configure the gateway client to connect to `org1-peer1:7051`, or the kube TCP port forward. - - -4. Launch the gateway client application locally, e.g. in a docker container or attached to an IDE. - - -5. Update this guide with feedback, recipes, and stories of successful client development on Kube/KIND. - - -### INTERNAL Gateway Client (In Kube) - -#### TODO: Deploy - -```shell -./network application ACTION -``` - - -#### Local Container Registry - -Docker images built locally can be uploaded to the `localhost:5000` container registry for -immediate access within the Kube/KIND cluster. In addition to providing fast turn-around to/from containers -running in Kube, the use of a private container registry allows us to quickly iterate on code without uploading -images to the Internet. Even when using _private_ container registries, the use of a local server saves valuable -time when loading images into the kind control plane. - -e.g.: -```shell -docker build -t localhost:5000/my-gateway-app . -docker push localhost:5000/my-gateway-app -``` - -Provided that the `imagePullPolicy` for the client deployment is not set to `IfNotPresent`, killing the current pod -running the gateway client will force a refresh with the latest image layer available at the local registry. - - -#### Aggregating MSP and Certificates - -#### Deploying to the Namespace \ No newline at end of file diff --git a/test-network-k8s/docs/CA.md b/test-network-k8s/docs/CA.md deleted file mode 100644 index f10302ef..00000000 --- a/test-network-k8s/docs/CA.md +++ /dev/null 
@@ -1,198 +0,0 @@ -# Certificate Authorities - -This guide serves as a companion to the [Fabric CA Deployment Guide](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy.html), -the definitive reference for planning, configuring, and managing CAs within a production Hyperledger Fabric installation. - -For individual fabric nodes to communicate securely over a network, all interactions are performed over secure sockets -with (at a minimum) server side TLS certificate verification. In addition, for the individual participants of a Fabric -network to interact with the blockchain, the participant identities and activities are verified against an Enrollment -Certificate or 'ECert' authority. - -In this document we'll outline the key aspects of bootstrapping test network TLS and ECert CAs, registration and -enrollment of node identities, and address some effective strategies for storage and organization of channel and -node local MSP data structures. - - -### TL/DR : -```shell -$ ./network up - -Launching network "test-network": -... -βœ… - Initializing TLS certificate Issuers ... -βœ… - Launching Fabric CAs ... -βœ… - Enrolling bootstrap ECert CA users ... -... -🏁 - Network is ready. -``` - -## [Planning for a CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy-topology.html#planning-for-a-ca) - -Setting up a CA framework is one of the more daunting aspects of a Fabric installation. There is an incredible amount -of flexibility possible with the Fabric CA architecture, so to keep things straightforward we have opted to aim for a -simplified, but realistic CA deployment illustrating key touch points with Kubernetes: - -- Each organization maintains distinct, [independent volumes](../kube/pv-fabric-org0.yaml) for the storage of MSP and - node certificates. 
This forces the consortium organizer to plan for the distribution of _public_ certificates to - member organizations, while maintaining an independent, secret storage location for _private_ signing keys. - - -- This guide simplifies the storage and organization of Fabric certificates into two distinct flows. For securing - inter-node communication with TLS, [cert-manager](https://cert-manager.io) is responsible for the lifecycle of issuing, - renewing, and revoking SSL certificates and keys as native Kubernetes `Certificate` resources. Complementing the - SSL certificate lifecycle is a set of fabric-CAs responsible for fulfilling Fabric [ECert](../kube/org0/org0-ca.yaml) - Enrollments and identities. - - -- MSP Certificate organization and [Folder Structure](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html#folder-structure-for-your-org-and-node-admin-identities) - strictly adheres to the best practices and guidelines recommended by the CA Deployment Guide. - - -- The `cryptogen` anti-pattern is **strictly forbidden**. All MSP enrollments are constructed using the CA - registration and enrollment REST services, coordinated by calls to `fabric-ca-client`. At runtime, the ca-client - ONLY has visibility to the organization's shared volume mount. - - -- TLS Certificates are stored and organized within the cluster as a series of `Certificate` resources with associated - Kube `Secret` and volume mounts. Service pods mount the node TLS key pair and CA certificate at `/var/hyperledger/fabric/config/tls`. - Each organization in the network maintains an independent [CA `Issuer`](https://cert-manager.io/docs/configuration/ca/) - endorsed by a system-wide, self-signed root CA. - - -- Each organization in the network maintains an independent fabric CA instance, with configuration and certificates - stored in each org's persistent volume at `/var/hyperledger/fabric-ca-server`. 
- - -- fabric-ca-client configuration and certificates are maintained in each org's persistent volume at `/var/hyperledger/fabric-ca-client` - - -- ECert and MSP enrollment structures are maintained in each org's persistent volume at `/var/hyperledger/fabric/organizations` - - - -### Future Enhancements: - -- **_Bring your own Certificates_** : It would be nice to bootstrap the network using a single, top-level signing authority, - rather than generating self-signed certificates when the system is bootstrapped. Ideally this will be realized by - introducing an [Intermediate CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy-topology.html#when-would-i-want-an-intermediate-ca) - and/or alternate signing chains backed by formal (e.g. letsencrypt, Thawte, Verisign, etc.) certificate authorities. - - -- **_Time-Bomb Certificates_** : By default the certificates issued by the test network are valid for 1 (one) year. For - lightweight or adhoc testing, this is fine. But when applied to production deployments, certificate expiry is a - real operational challenge. For instance, it is possible to soft-lock a Fabric network when all system certificates - expire _en-masse_ - it's impossible to re-establish a consensus and renew the certificates! - - -- **_Mutual TLS_** : Server-side TLS is a minimum, but the addition of client-side TLS certificates will help fully - secure all TCP channels within the Fabric network. - - -- **_Bugs_** : `./network up` currently goes through the process of bootstrapping a fabric network from scratch, but - does not handle "multiple runs" or the complete course of errors that can occur in the wild. For instance, If the - routine is run multiple times in succession, it will overwrite the network's certificate chains and soft-lock the - network. 
- - -## [Process Overview](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#) - -The [sequence of activities](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#what-order-should-i-deploy-the-cas) -necessary to bring up a CA infrastructure is well documented by the CA Deployment Guide: - -1. [Deploy TLS CA Issuers](#deploy-tls-ca-issuers) - -1. [Deploy the Organization CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#deploy-an-organization-ca) - 1. [Configure the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#modify-the-ca-server-configuration) - 1. [Launch the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#start-the-ca-server) - 1. [Enroll the ECert CA Bootstrap / Admin User](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-the-ca-admin) - - -## Deploy TLS CA Issuers - -``` -βœ… - Initializing TLS certificate Issuers ... -... -``` - -The Kubernetes Test Network relies on [cert-manager](https://cert-manager.io) to issue, renew, and revoke TLS -certificates for network endpoints. Before launching peers, orderers, and chaincode pods, each node must -have a corresponding [`Certificate`](https://cert-manager.io/docs/usage/certificate/) generated by a cert manager [CA -`Issuer`](https://cert-manager.io/docs/configuration/ca/), stored in Kubernetes and exposed as a kube `Secret` at -runtime. - -In the test network, the root TLS certificate is automatically generated by requesting a self-signed ECDSA key pair. 
-In turn, the root key is used to create a series of CA `Issuers`, one per member organization participating in the -blockchain: - -``` -# Use the self-signing issuer to generate three Issuers, one for each org: -kubectl -n test-network apply -f kube/org0/org0-tls-cert-issuer.yaml -kubectl -n test-network apply -f kube/org1/org1-tls-cert-issuer.yaml -kubectl -n test-network apply -f kube/org2/org2-tls-cert-issuer.yaml -``` - -Each organization's CA `Issuer` will be used to construct a TLS `Certificate` for each node in the network. At -runtime, the deployment pods will mount the certificate contents (`tls.key`, `tls.pem`, and `ca.pem`) as a kube -secrets mounted at `/var/hyperledger/fabric/config/tls`. - - -## [Deploy the Organization CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#deploy-an-organization-ca) - -The organization (ECert) CA is used to issue MSP certificates for nodes, channels, and identities in the fabric network. -Before we can set up the peers, orderers, and channels, we will need to bootstrap an ECert CA administrator -for each org in the network. - - -### [Configure the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#modify-the-ca-server-configuration) - -When launching the ECert CA pods, both the org volume shares and org config maps are made available via volume shares. -The [fabric-ecert-ca-server.yaml](../config/org0/fabric-ca-server-config.yaml) includes overrides for: - -- `port: 443` binds all traffic to the default HTTPS port -- `tls.enabled: true` enables TLS for registration and enrollment requests -- `ca.name: ` matches the Kubernetes `Service` host alias -- `csr.hosts:` includes host aliases for accessing the CA with Kube DNS - - -### [Launch the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#start-the-ca-server) -```shell -βœ… - Launching ECert CAs ... 
-``` - -```shell -kubectl -n test-network apply -f kube/org0/org0-ca.yaml -kubectl -n test-network apply -f kube/org1/org1-ca.yaml -kubectl -n test-network apply -f kube/org2/org2-ca.yaml -``` -- [x] Note: The `rcaadmin` enrollment's `cert.pem` and `key.pem` locations are specified in the ecert CA's k8s deployment as environment variables. - - -### [Enroll the ECert CA Bootstrap / Admin User](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-the-ca-admin) -```shell -βœ… - Enrolling bootstrap ECert CA users ... -``` - -Finally, after the services are active, we can connect to each organization's ECert CA using TLS and -activate the `rcaadmin` (Root Certificate Authority) admin user. This user will be employed to generate the -local MSP certificate structure for all of the nodes in our test network. - -```shell - fabric-ca-client enroll \ - --url https://'${auth}'@'${ecert_ca}' \ - --tls.certfiles /var/hyperledger/fabric/config/tls/ca.pem \ - --mspdir $FABRIC_CA_CLIENT_HOME/'${ecert_ca}'/rcaadmin/msp -``` - - -## Next Steps : - -After the CAs have been deployed, each org in the Kube namespace includes: - -- One TLS CA `Issuer` and issuer `Certificate` -- One ECert CA `Service`, forwarding internal traffic from https://orgN-ecert-ca to the ECert CA -- One ECert CA `Deployment` -- One ECert CA `Pod` -- One ECert CA admin bootstrap user `rcaadmin` enrollment and MSP root certificate. - - -### [Launch the Test Network...](TEST_NETWORK.md) diff --git a/test-network-k8s/docs/CALIPER.md b/test-network-k8s/docs/CALIPER.md deleted file mode 100644 index bc83ed27..00000000 --- a/test-network-k8s/docs/CALIPER.md +++ /dev/null 
@@ -1,205 +0,0 @@ -# Benchmarking the performance using Hyperledger Caliper - -This document introduces how to use [Hyperledger Caliper](https://hyperledger.github.io/caliper/) to benchmark the performance of the Hyperledger Fabric environment created with test-network-k8s. - -[Fabric adapter manual of Hyperledger Caliper v0.6.0](https://hyperledger.github.io/caliper/v0.6.0/fabric-config/new/) only describes how to connect to test-network. Furthermore, these chaincodes need to be executed as services to run in a K8s environment, but this is not supported by default, requiring customization. So we will explain how to benchmark the performance of the Kubernetes test network using Hyperledger Caliper and Asset Transfer Basic chaincode, which is most basic in current sample chaincodes. - -The following documentation assumes that test-network-k8s and Hyperledger Caliper v0.6.0 are located on the same host. - -## Setting of test-network-k8s side - -As described in the README of test-network-k8s, launch the network, create a channel, and deploy and invoke the basic-asset-transfer smart contract: - -```shell -./network kind - -./network cluster init - -./network up - -./network channel create - -./network chaincode deploy asset-transfer-basic ../asset-transfer-basic/chaincode-java - -./network chaincode invoke asset-transfer-basic '{"Args":["InitLedger"]}' -``` - -REST API will not be used in the procedure described below, but the connection profile will be generated by launching it: -```shell -./network rest-easy -``` - -## Setting of Hyperledger Caliper side - -Following [Install manual of Hyperledger Caliper v0.6.0](https://hyperledger.github.io/caliper/v0.6.0/installing-caliper/), install Hyperledger Caliper from npm: - -```shell -git clone https://github.com/hyperledger/caliper-benchmarks.git -cd caliper-benchmarks -npm install --only=prod @hyperledger/caliper-cli@0.6.0 -npx caliper bind --caliper-bind-sut fabric:fabric-gateway -``` - -Copy the connection profile 
created in test-network-k8s environment to Caliper environment. - -```shell -cp /test-network-k8s/build/fabric-rest-sample-config/HLF_CONNECTION_PROFILE_ORG1 networks/fabric/connection-profile.json -``` -Replace `*.test-network.svc.cluster.local` with `*.localho.st` in "url" and "grpcOptions" section of connection-profile.json as below: - -```json - "peers": { - "org1-peers": { - "url": "grpcs://org1-peer1.localho.st:443", - "tlsCACerts": { - "pem": " - }, - "grpcOptions": { - "ssl-target-name-override": "org1-peer1.localho.st", - "hostnameOverride": "org1-peer1.localho.st" - } - } - }, -``` -`*.localho.st` is wildcard domain defined for accessing K8s pod from external network via Nginx ingress controller. Please see [Working with Kubernetes](KUBERNETES.md) document for details. - -Open networks/fabric/test-network.yaml and edit it as below: - - -```yaml -name: Caliper Benchmarks -version: "2.0.0" - -caliper: - blockchain: fabric - -channels: - # channelName of mychannel matches the name of the channel created by test network - - channelName: mychannel - # the chaincodeIDs of all the fabric chaincodes in caliper-benchmarks - contracts: - - id: fabcar - - id: fixed-asset - - id: marbles - - id: simple - - id: smallbank - - id: asset-transfer-basic - -organizations: - - mspid: Org1MSP - # Identities come from cryptogen created material for test-network - identities: - certificates: - - name: 'User1' - clientPrivateKey: - path: '/test-network-k8s/build/enrollments/org1/users/org1admin/msp/keystore/key.pem' - - clientSignedCert: - path: '/test-network-k8s/build/enrollments/org1/users/org1admin/msp/signcerts/cert.pem' - - connectionProfile: - path: 'networks/fabric/connection-profile.json' - discover: true -``` - -Currently, sample code for running a performance benchmark targeting asset-transfer-basic is not published on the Caliper repository. 
Therefore, use the sample code published in [Caliper's user manual to build a test workload.](https://hyperledger.github.io/caliper/vNext/fabric-tutorial/tutorials-fabric-existing/) - - -As shown in "Step 3" of the above document, create workload/readAsset.js file and edit it as below: - - -```javascript -'use strict'; - -const { WorkloadModuleBase } = require('@hyperledger/caliper-core'); - -class MyWorkload extends WorkloadModuleBase { - constructor() { - super(); - } - - async initializeWorkloadModule(workerIndex, totalWorkers, roundIndex, roundArguments, sutAdapter, sutContext) { - await super.initializeWorkloadModule(workerIndex, totalWorkers, roundIndex, roundArguments, sutAdapter, sutContext); - - for (let i=0; i Chaincode invoke successful. result: status:200 payload:"{\"owner\":\"tom\",\"color\":\"blue\",\"size\":35,\"appraisedValue\":1000,\"assetID\":\"1\"}" - -$ ./network chaincode query asset-transfer-basic '{"Args":["ReadAsset","1"]}' | jq -{ - "ID": "1", - "color": "blue", - "size": 35, - "owner": "tom", - "appraisedValue": 1000 -} -``` - -## Running Smart Contracts on Kubernetes - -In the Kubernetes Test Network, smart contracts are developed with the [Chaincode as a Service](https://hyperledger-fabric.readthedocs.io/en/latest/cc_service.html) -pattern, relying on an embedded [External Builder](https://hyperledger-fabric.readthedocs.io/en/latest/cc_launcher.html) to avoid the use of a Docker daemon. With -Chaincode-as-a-Service, smart contracts are deployed to Kubernetes as `Services`, -`Deployments`, and `Pods`. When invoking smart contracts, the Peer network connects to the grpc receiver -through the port exposed by the chaincode's Kube `Service` as described in the chaincode -connection.json. 
- -Before installing chaincode to the network, a smart contract must: - -- Utilize the `ChaincodeServer` grpc receiver, as described in the [Fabric Operations - Guide](https://hyperledger-fabric.readthedocs.io/en/latest/cc_service.html#writing-chaincode-to-run-as-an-external-service). - -- Run as a Docker image published to a container registry. - -- Maintain a connection.json and metadata.json files in the `chaincode/$CHAINCODE_NAME` folder. - -- Accept the `CHAINCODE_ID` environment variable: _CHAINCODE_LABEL:sha_256(chaincode.tar.gz)_. - - -## Deploying Chaincode to the Network -```shell -βœ… - Packaging chaincode "asset-transfer-basic" archive ... -βœ… - Deploying chaincode "asset-transfer-basic" for org org1 ... -``` - -When working with chaincode, the `./network` script includes two parameters that define the Docker image -launched in the cluster and the chaincode metadata: - -- `${TEST_NETWORK_CHAINCODE_NAME:-asset-transfer-basic}` refers to the _name_ associated with the chaincode. - While packaging and deploying to the network, the `scripts/chaincode.sh` script uses this string to search - the local `/chaincode` folder for associated metadata and connection json descriptor files. - - -- `${TEST_NETWORK_CHAINCODE_IMAGE:-ghcr.io/hyperledgendary/fabric-ccaas-asset-transfer-basic}` defines the - container image that will be used when running the chaincode in Kubernetes. - - -To deploy the chaincode, the network script will: - -1. Read the `connection.json` and `metadata.json` files from the `/chaincode/${TEST_NETWORK_CHAINCODE_NAME}` - folder, bundling the files into a chaincode tar.gz archive. - -2. Install the chaincode archive on a peer in the organization: -```shell - export CORE_PEER_ADDRESS='${org}'-peer1:7051 - peer lifecycle chaincode install chaincode/asset-transfer-basic.tgz -``` - - -3. In typical Fabric operations, the output of the `chaincode install` command includes a generated ID of the - chaincode archive printed to standard out. 
This ID is manually inspected and transcribed by the - network operator when executing subsequent commands with the network peers. To avoid scraping the - output of the installation command, the test network scripts precompute the chaincode ID - as the `sha256` checksum of the tar.gz archive. - - -4. The chaincode docker [image is launched using the yaml template](../kube/org1/org1-cc-template.yaml) as a Kubernetes - `Deployment` specifying _CHAINCODE_ID=sha-256(archive)_ in the environment and binding a `Service` port 9999 - within the namespace. When the network sends messages to the chaincode process, it will use the host URL as - defined in the `connection.json`, connecting to the kubernetes `Service` URL and `Deployment`. - - -5. Finally, the Admin CLI issues a series of peer commands to approve and commit the chaincode for the org: - -```shell - export CORE_PEER_ADDRESS='${org}'-peer1:7051 - - peer lifecycle \ - chaincode approveformyorg \ - --channelID '${CHANNEL_NAME}' \ - --name '${CHAINCODE_NAME}' \ - --version 1 \ - --package-id '${cc_id}' \ - --sequence 1 \ - -o org0-orderer1:6050 \ - --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem - - peer lifecycle \ - chaincode commit \ - --channelID '${CHANNEL_NAME}' \ - --name '${CHAINCODE_NAME}' \ - --version 1 \ - --sequence 1 \ - -o org0-orderer1:6050 \ - --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem -``` - -## Invoking and Querying the Chaincode - -Once the chaincode service has been deployed to the cluster, and the peers have approved the chaincode, -the test scripts can issue adhoc invoke, query, and metadata requests to the network: - -### Invoke -```shell -$ ./network chaincode invoke asset-transfer-basic '{"Args":["CreateAsset","1","blue","35","tom","1000"]}' -2022-06-23 06:12:13.150 UTC 0001 INFO [chaincodeCmd] chaincodeInvokeOrQuery -> Chaincode invoke 
successful. result: status:200 payload:"{\"owner\":\"tom\",\"color\":\"blue\",\"size\":35,\"appraisedValue\":1000,\"assetID\":\"1\"}" -``` - -### Query -```shell -$ ./network chaincode query asset-transfer-basic '{"Args":["ReadAsset","1"]}' | jq -{ - "ID": "1", - "color": "blue", - "size": 35, - "owner": "tom", - "appraisedValue": 1000 -} -``` - -### Describe -```shell -$ ./network chaincode metadata asset-transfer-basic | awk "NR==3,NR==3 {print}" | jq | head -{ - "info": { - "title": "undefined", - "version": "latest" - }, - "contracts": { - "SmartContract": { - "info": { - "title": "SmartContract", - "version": "latest" -``` - - -## Build a Chaincode Docker Image - -Before chaincode can be started in the network, it must be compiled, linked with the grpc `ChaincodeServer`, -embedded into a Docker image, and pushed to a container registry visible to the Kubernetes cluster. - -By default, the `./network` script will launch the [asset-transfer-basic](../../asset-transfer-basic/chaincode-external) -chaincode. When the test network installs this chaincode, there is no need to build a custom Docker image as it -has previously been uploaded to a public container registry. - -As an exercise, we recommend making some updates to the asset transfer basic chaincode and then running the -modified smart contract on your local Kubernetes cluster. For instance, the current version of the -[assetTransfer.go](../../asset-transfer-basic/chaincode-external/assetTransfer.go) code is completely -silent, printing nothing to the log when functions are invoked in the container. Try adding some debugging -information to the stdout of this process, bundling into a Docker image, and pushing the docker -image to the local development container registry. - -1. Add some print statements to assetTransfer.go. E.g.: -```go - fmt.Printf("reading asset %s\n", id) -``` - -2. 
Build the docker image locally with: -```shell -docker build -t asset-transfer-basic ../asset-transfer-basic/chaincode-external -``` - -3. Override the test network's default chaincode image, pointing to our local container registry: -```shell -export TEST_NETWORK_CHAINCODE_IMAGE=localhost:5000/asset-transfer-basic -``` - -3. Publish the custom image to the local registry: - -```shell -docker tag asset-transfer-basic $TEST_NETWORK_CHAINCODE_IMAGE -docker push $TEST_NETWORK_CHAINCODE_IMAGE -``` - - -## Debugging Chaincode - -One of the most compelling features of Fabric's _Chaincode-as-a-Service_ pattern is that when the peer connects to a -chaincode URL, it can connect back to a port on the local host. Instead of connecting to a pod running in a -container within Kubernetes, the chaincode process can be launched locally as a native binary in a debugger, an IDE, -or a docker image bound to the host network. - -For additional details, see the [debugging chaincode](CHAINCODE_AS_A_SERVICE.md) guide for running the basic asset -transfer chaincode in an interactive development workflow. - - -## Next Steps: - -[Writing a Blockchain Application](APPLICATIONS.md) \ No newline at end of file diff --git a/test-network-k8s/docs/CHAINCODE_AS_A_SERVICE.md b/test-network-k8s/docs/CHAINCODE_AS_A_SERVICE.md deleted file mode 100644 index e8a005fa..00000000 --- a/test-network-k8s/docs/CHAINCODE_AS_A_SERVICE.md +++ /dev/null 
@@ -1,171 +0,0 @@ -# Debugging Chaincode - -In this sample we will employ the [Kubernetes Test Network](../README.md) to illustrate a scenario of -building, running, and debugging chaincode on a development workstation. - -While this guide targets the Java [asset-transfer-basic](../../asset-transfer-basic/chaincode-java) sample, the approach -may be applied to any sample and chaincode implementation language. - -When debugging chaincode as a service, the chaincode process is launched on the local system, binding to a port -on the host's network interface. In this mode the developer has complete flexibility in determining how and where the -process runs - it can be launched as a native binary from a CLI, attached to an active debugging session from an IDE, -as a Docker container, or even behind a reverse network proxy for diagnosing issues in a remote / cloud-based Fabric -network. - - -## TL/DR - -``` -export PATH=${PWD}/test-network-k8s:$PATH - -cd asset-transfer-basic/chaincode-java - -network kind -network cluster init -``` -``` -network up -network channel create -``` -``` -network chaincode deploy asset-transfer-basic ${PWD} -``` -``` -network chaincode metadata asset-transfer-basic -network chaincode invoke asset-transfer-basic '{"Args":["InitLedger"]}' -network chaincode query asset-transfer-basic '{"Args":["ReadAsset","asset1"]}' | jq -``` - -## Detailed Guide - -```shell -network down -network up -network channel create -``` - -```shell -# Build the chaincode docker image -docker build -t fabric-samples/asset-transfer-basic/chaincode-java . - -# Load the docker image directly to the KIND control plane. -# (Alternately, build/tag/push the image to a remote container registry, e.g. 
localhost:5000 or ghcr.io) -kind load docker-image fabric-samples/asset-transfer-basic/chaincode-java -``` - -```shell -# Assemble the chaincode package archive -network chaincode package asset-transfer-basic asset-transfer-basic $PWD/build/asset-transfer.tgz - -# Determine the ID for the chaincode package -CORE_CHAINCODE_ID_NAME=$(network chaincode id $PWD/build/asset-transfer.tgz) - -# Launch the chaincode in k8s as Deployment + Service -network chaincode launch asset-transfer-basic $CORE_CHAINCODE_ID_NAME fabric-samples/asset-transfer-basic/chaincode-java - -# Complete the chaincode lifecycle -network chaincode install $PWD/build/asset-transfer.tgz -network chaincode approve asset-transfer-basic $CORE_CHAINCODE_ID_NAME -network chaincode commit asset-transfer-basic -``` - -```shell -# execute the smart contract by name -network chaincode metadata asset-transfer-basic -network chaincode invoke asset-transfer-basic '{"Args":["InitLedger"]}' -network chaincode query asset-transfer-basic '{"Args":["ReadAsset","asset1"]}' -``` - -```shell -kubectl -n test-network logs -f deployment/org1peer1-ccaas-asset-transfer-basic -``` - -## Debugging - -### Build - -```shell -./gradlew shadowJar -``` -or -```shell -docker build -t fabric-samples/asset-transfer-basic/chaincode-java . -``` - - -### Package - -By instructing the peer to connect to chaincode at the Docker host alias `host.docker.internal`, pods running in -Kubernetes will access the local process via a special loopback interface established by KIND. - -Set the "address" attribute in the package connection.json descriptor and assemble the chaincode package: -```shell -export TEST_NETWORK_CHAINCODE_ADDRESS=host.docker.internal:9999 - -network cc package basic_1.0 asset-transfer-debug $PWD/build/asset-transfer-debug.tgz -``` - -*NOTE:* The Docker host alias `host.docker.internal` is not yet supported for Linux. 
-In Linux environments, as a workaround, you should specify the IP address of the host directly instead of `host.docker.internal`: - -```shell -export TEST_NETWORK_CHAINCODE_ADDRESS=:9999 - -network cc package basic_1.0 asset-transfer-debug $PWD/build/asset-transfer-debug.tgz -``` - -### Launch - -When chaincode is launched locally, it must declare the package ID in the environment as if the process had been managed -by the peer's chaincode lifecycle manager. Calculate the package ID and start the chaincode, binding to port 9999 -on the local system: - -```shell -export CHAINCODE_SERVER_ADDRESS=0.0.0.0:9999 -export CORE_CHAINCODE_ID_NAME=$(network chaincode id $PWD/build/asset-transfer-debug.tgz) - -java -jar build/libs/chaincode.jar -``` - -Or using the editor/debugger/IDE of your choice, create a launch target for `ContractMain.main()`, specifying the -environment as above. - -Or launch the chaincode in a Docker container, binding to port 9999 on the host system: - -```shell -docker run \ - --rm \ - --name basic_1.0 \ - -p 9999:9999 \ - -e CHAINCODE_SERVER_ADDRESS \ - -e CORE_CHAINCODE_ID_NAME \ - fabric-samples/asset-transfer-basic/chaincode-java -``` - -### Approve, Invoke, and Query - -After the contract main has launched, install, approve, commit, and invoke the chaincode: - -```shell -# Complete the chaincode lifecycle -network cc activate asset-transfer-debug $PWD/build/asset-transfer-debug.tgz -``` - -```shell -# execute the smart contract by name -network cc metadata asset-transfer-debug -network cc invoke asset-transfer-debug '{"Args":["InitLedger"]}' -network cc query asset-transfer-debug '{"Args":["ReadAsset","asset1"]}' -``` - -## Tear Down - -```shell -network down -``` -or -```shell -network unkind -``` - - diff --git a/test-network-k8s/docs/CHANNELS.md b/test-network-k8s/docs/CHANNELS.md deleted file mode 100644 index 511d1870..00000000 --- a/test-network-k8s/docs/CHANNELS.md +++ /dev/null 
@@ -1,150 +0,0 @@ -# Channels - -Once the test network peers and orderers have been started, and the network identities have been registered -and enrolled with the ECert CA, we can construct a channel linking the participants of the test network -blockchain. - -## TL/DR : - -``` -$ export TEST_NETWORK_CHANNEL_NAME="mychannel" - -$ ./network channel create -Creating channel "mychannel": -βœ… - Registering org Admin users ... -βœ… - Enrolling org Admin users ... -βœ… - Creating channel MSP ... -βœ… - Creating channel genesis block ... -βœ… - Joining orderers to channel mychannel ... -βœ… - Joining org1 peers to channel mychannel ... -βœ… - Joining org2 peers to channel mychannel ... -🏁 - Channel is ready. -``` - -## Process Overview - -In order to construct a Fabric channel, the following steps must be performed: - -1. Admin users must be registered and enrolled with the CAs - -2. TLS and enrollment certificates must be aggregated and distributed to all participants in the network. - -3. The channel genesis block is constructed from `configtx.yaml`, specifying the location of channel MSP. - -4. Network orderers are joined to the channel using the channel participation API. - -5. Network peers are joined to the channel. - - -## Aggregating the Channel MSP -```shell -βœ… - Registering org Admin users ... -βœ… - Enrolling org Admin users ... -βœ… - Creating channel MSP ... -``` - -One of the responsibilities of a Hyperledger Fabric _Consortium Organizer_ is to distribute the public MSP and -TLS certificates to organizations participating in a blockchain. In the Docker composed based test network, or -systems bootstrapped with the `cryptogen` command, all of the public certificates will be available on a common -file system or volume share. In our Kubernetes test network, each organization maintains the cryptographic -assets on a distinct persistent volume, invisible to other the other participants in the network. 
- -To distribute the TLS and MSP _public_ certificates, the test network emulates the responsibilities of the -consortium organizer by constructing a [Channel MSP](https://hyperledger-fabric.readthedocs.io/en/latest/membership/membership.html#channel-msps) -structure, extracting the relevant certificate files into a local folder before constructing the channel -genesis block. The `configtx.yaml` specifies the channel root folder as the consortium org's (org0) `MSPDir` -attribute. - -- Org admin users are registered with the `fabric-ca-client`, storing the enrollment MSP structures in the local -`${PWD}/build/enrollments/${org}` folder. - -- Channel MSP certificates are extracted from the ECert CA and cert-manager TLS signing authorities, storing the files -locally in the `${PWD}/channel-msp` folder. - - -## Create the Channel -```shell -βœ… - Creating channel "mychannel" ... -``` - -As the _consortium leader_ org0, we create the channel's genesis block and use the orderer admin REST -services to register the channel genesis block configuration on the ordering nodes: - -```shell -configtxgen -profile TwoOrgsApplicationGenesis -channelID '${CHANNEL_NAME}' -outputBlock genesis_block.pb - -osnadmin channel join --orderer-address org0-orderer1-admin.localho.st --channelID '${CHANNEL_NAME}' --config-block genesis_block.pb -osnadmin channel join --orderer-address org0-orderer2-admin.localho.st --channelID '${CHANNEL_NAME}' --config-block genesis_block.pb -osnadmin channel join --orderer-address org0-orderer3-admin.localho.st --channelID '${CHANNEL_NAME}' --config-block genesis_block.pb -``` - - -## Join Peers - -```shell -βœ… - Joining org1 peers to channel "mychannel" ... -βœ… - Joining org2 peers to channel "mychannel" ... 
-``` - -After the channel configurations have been registered with the network orderers, we will join the peers to the channel -by retrieving the genesis block from the orderers and then joining the channel: - -```shell - # Fetch the genesis block from an orderer - peer channel \ - fetch oldest \ - genesis_block.pb \ - -c '${CHANNEL_NAME}' \ - -o org0-orderer1.localho.st \ - --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem - - # Join peer1 to the channel. - CORE_PEER_ADDRESS='${org}'-peer1:7051 \ - peer channel \ - join \ - -b genesis_block.pb \ - -o org0-orderer1.localho.st \ - --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem - - # Join peer2 to the channel. - CORE_PEER_ADDRESS='${org}'-peer2:7051 \ - peer channel \ - join \ - -b genesis_block.pb \ - -o org0-orderer1.localho.st \ - --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem -``` - - -## Set Anchor Peers (Optional) -```shell -$ ./network anchor peer2 -βœ… - Updating anchor peers to "peer2" ... -``` - -In the test network, the configtx.yaml sets the organization [Anchor Peers](https://hyperledger-fabric.readthedocs.io/en/latest/glossary.html?highlight=anchor#anchor-peer) -to "peer1" in the genesis block. As such, no additional configuration is necessary for neighboring -organizations to discover additional peers in the network. - -However, the process of setting the anchor peers on a channel requires a more complicated scripting process, so we -have included in the test network a mechanism to illustrate how anchor peers may be set on a network after a -channel has been constructed. 
- -Up to this point in the network configuration, the shell scripts orchestrating the remote volumes, peers, and -admin commands have all been executed by piping a sequence of commands into an existing pod directly -into the input of a `kubectl` command. For small command sets this is adequate, but for the more complicated -process of registering a channel anchor peer, we have elected to use a different approach to launch the peer -update scripts on the kubernetes cluster. - -When updating anchor peers, the `./network` script will: - -1. Transfer the shell scripts from `/scripts/*.sh` into the remote organization's persistent volume. -2. Issue a `kubectl exec -c "script-name.sh {args}"` on the org's admin CLI pod. - -For non-trivial Fabric administrative tasks, this approach of uploading a script into the cluster and then -executing in an admin pod works well. - - -## Next Steps - -### [Working with Chaincode](CHAINCODE.md) \ No newline at end of file diff --git a/test-network-k8s/docs/HIGH_AVAILABILITY.md b/test-network-k8s/docs/HIGH_AVAILABILITY.md deleted file mode 100644 index 1725e4bc..00000000 --- a/test-network-k8s/docs/HIGH_AVAILABILITY.md +++ /dev/null 
@@ -1,71 +0,0 @@ -# High Availability - -The peers have been configured so they implemented a essential failover/high-availability configuration. - -Two important notes: - -1. The word 'gateway' in the k8s definitions is being used in a generic way. It is not tied to the concept of the 'Fabric Gateway' component. However using the 'Fabric-Gateway' with the updated SDKs, make connecting to Fabric even easier. There is a single connection, that can easily be handled with core k8s abilities. Attempting the approach described below with the older SDKs is not recommended. -2. Long Lived gRPC connections. Remember that the connections between components in Fabric are long-lived gRPC connections. From a client application's perspective that means the connection will be load-balanced when initially connected, but unless the connection breaks, it will not be 're-load-balanced'. It's important to keep this in mind. - -## Peer Gateway Services - -Each peer has defined their own K8S service, with the selector specifically choosing only one peer pod. -In this test-network, there are two peers per organization. Using a service with a different selector that -picks both peer pods, allows a degree of load balancing. - -```yaml ---- -apiVersion: v1 -kind: Service -metadata: - name: org2-peer-gateway-svc -spec: - ports: - - name: gossip - port: 7051 - protocol: TCP - selector: - org: org2 -``` - -The selector is `org: org2` that is defined in the specification of the Peer's Deployment. - -```yaml - template: - metadata: - labels: - app: org2-peer1 - org: org2 -``` - -## Kube Proxy Configuration -The proxy configuration is set to be `ipvs`. This gives a lot more scope for different load balancing algorithms. -"Round Robin" is the default configuration (as used in this test network). For more information check this [deep dive](https://kubernetes.io/blog/2018/07/09/ipvs-based-in-cluster-load-balancing-deep-dive) on the Kubernetes blog. 
- -For this KIND cluster, this is configured by updating the cluster configuration, add the following yaml. - -```yaml -networking: - kubeProxyMode: "ipvs" -``` - -## Application and TLS Configuration - -It is important that applications connect to the `org2-peer-gateway-svc` or `org1-peer-gateway-svc` rather that specific peer services. That way the service can load balance. However if TLS used, errors will occur as the host name that is connected to is different to that used by the application. - -The solution is to add the additional servicename to the hosts field in the SAN section of the TLS certificate. As an example here is the command that is used to create the TLS certificate for org1-peer1. Note the - -```bash -fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-ca --csr.hosts org1-peer1,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp -``` - -## Summary - -The FabricGateway and updated SDKs, improve the connection from a client application to Fabric, by needing only a single connection to one peer. By using a K8S service fronting two or more peer pods, a degree of load-balancing can be achieved. Remember that this will only be load balanced when the connection is first created. If a single peer becomes heavily loaded, K8S will not move any existing connection. - -To achieve this you would need to have a monitoring system that can trigger applications to disconnect and reconnect. - -If the connection drops, the application can reconnect and will get to a working peer. - - - diff --git a/test-network-k8s/docs/KUBERNETES.md b/test-network-k8s/docs/KUBERNETES.md deleted file mode 100644 index 4dad490e..00000000 --- a/test-network-k8s/docs/KUBERNETES.md +++ /dev/null 
@@ -1,261 +0,0 @@ -# Kubernetes - -To get started with the Kube test network, you will need access to a Kubernetes cluster. - -## TL/DR : - -``` -$ ./network kind -Initializing KIND cluster "kind": -βœ… - Creating cluster "kind" ... -βœ… - Launching ingress controller ... -βœ… - Launching cert-manager ... -βœ… - Launching container registry "kind-registry" at localhost:5000 ... -βœ… - Waiting for cert-manager ... -βœ… - Waiting for ingress controller ... -🏁 - Cluster is ready. -``` - -and : -``` -$ ./network unkind -Deleting cluster "kind": -☠️ - Deleting KIND cluster kind ... -🏁 - Cluster is gone. -``` - - -## Kube Context: - -For illustration purposes, this project attempts in all cases to _keep it simple_ as the -general rule. By default, we will rely on KIND ([Kubernetes IN Docker](https://kind.sigs.k8s.io)) -as a mechanism to quickly spin up ephemeral, short-lived clusters for development and -illustration. - -To maximize portability across revisions, vendor distributions, hardware profiles, and -network topologies, this project relies _exclusively_ on scripted interaction with the -Kube API controller to reflect updates in a remote cluster. While this may not be the -ideal technique for managing production workloads, the objective of this guide is to provide -clarity on the nuances of Fabric / Kubernetes deployments, rather than an opinionated -perspective on state of the art techniques for cloud Dev/Ops. Targeting -the core Kube APIs means that there is a good chance that the systems will work "as-is" -simply by setting the kubectl context to reference a cloud-native cluster (e.g. OCP, IKS, -AWS, etc.) - -If you don't have access to an existing cluster, or want to set up a short-lived cluster -for development, testing, or CI, you can create a new cluster with: - -```shell -$ ./network kind -$ ./network cluster init -``` - -By default, `kind` will set the current Kube context to reference the new cluster. 
Any -interaction with `kubectl` (or kube-context aware SDKs) will inherit the current context. - -```shell -$ kubectl cluster-info -Kubernetes control plane is running at https://127.0.0.1:55346 -CoreDNS is running at https://127.0.0.1:55346/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy - -To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. -``` - -When you are done with the cluster, tear it down with: -```shell -$ ./network unkind -``` -or: -```shell -$ kind delete cluster -``` - -## Rancher Desktop and k3s - -In addition to KIND, the Kube Test Network runs on the k3s Kubernetes provided by [Rancher Desktop](https://rancherdesktop.io). - -To run natively on k3s, skip the creation of a KIND cluster and: - -1. In Rancher's Kubernetes Settings: - 1. Disable Traefik - 2. Select the dockerd (moby) container runtime - 3. Increase Memory allocation to 8 GRAM - 4. Increase CPU allocation to 8 CPU - -2. Reset Kubernetes - -3. Initialize the Nginx ingress and cert-manager: - -```shell -export TEST_NETWORK_CLUSTER_RUNTIME="k3s" - -./network cluster init -``` -- containerd is also a viable runtime. When building images for chaincode-as-a-service, the `--namespace k8s.io` - argument must be applied to the `nerdctl` CLI. - -- For use with containerd: -```shell -export TEST_NETWORK_CLUSTER_RUNTIME="k3s" -export TEST_NETWORK_CONTAINER_NAMESPACE="--namespace k8s.io" -export CONTAINER_CLI="nerdctl" - -./network cluster init -``` - - -## Test Network Structure - -To emulate a more realistic example of multi-party collaboration, the test network -forms a blockchain consensus group spanning three virtual organizations. Network I/O between the -blockchain nodes is entirely constrained to Kubernetes private networks, and consuming applications -make use of a Kubernetes / Nginx ingress controller for external visibility. - -In k8s terms: - -- The blockchain is contained within a single Kubernetes `Cluster`. 
-- Blockchain services (nodes, orderers, chaincode, etc.) reside within a single `Namespace`. -- Each organization maintains a distinct, independent `PersistentVolumeClaim` for TLS certificates, - local MSP, private data, and transaction ledgers. -- Smart Contracts rely exclusively on the [Chaincode-as-a-Service](https://hyperledger-fabric.readthedocs.io/en/latest/cc_service.html) and [External Builder](https://hyperledger-fabric.readthedocs.io/en/latest/cc_launcher.html) - patterns, running in the cluster as Kube `Deployments` with companion `Services`. -- An HTTP(s) `Ingress` and companion gateway application is required for external access to the blockchain. - -When running the test network locally, the `./network kind` bootstrap will configure the system with -an [Nginx ingress controller](link), a private [Container Registry](link), and persistent volumes / claims for -host-local organization storage. - -Behind the scenes, `./network kind` is running: - -```shell -# Create the KIND cluster and nginx ingress controller bound to :80 and :443 -kind create cluster --name ${TEST_NETWORK_CLUSTER_NAME:-kind} --config scripts/kind-config.yaml - -# Create the Kube namespace -kubectl create namespace ${TEST_NETWORK_NAMESPACE:-test-network} - -# Create host persistent volumes (tied the kind-control-plane docker image lifetime) -kubectl create -f kube/pv-fabric-org0.yaml -kubectl create -f kube/pv-fabric-org1.yaml -kubectl create -f kube/pv-fabric-org2.yaml - -# Create persistent volume claims binding to the host (docker) volumes -kubectl -n $NS create -f kube/pvc-fabric-org0.yaml -kubectl -n $NS create -f kube/pvc-fabric-org1.yaml -kubectl -n $NS create -f kube/pvc-fabric-org2.yaml -``` - -## Container Registry - -The [kube yaml descriptors](../kube) generally rely on the public Fabric images maintained at the public -Docker and GitHub container registries. 
For casual usage, the test network will bootstrap and launch CAs, -peers, orderers, chaincode, and sample applications without any additional configuration. - -While public images are made available for pre-canned samples, there will undoubtedly be cases -where you would like to build custom chaincode, gateway client applications, or custom builds of core -Fabric binaries without uploading your code to a public registry. For this purpose, the Kube test -network includes a [Local Registry](https://kind.sigs.k8s.io/docs/user/local-registry/) available for -you to _quickly_ deploy custom images directly into the cluster without uploading your code to the -Internet. - -By default, the [kind.sh](../scripts/kind.sh) bootstrap will configure and link up a local container -registry running at `localhost:5000/`. Images pushed to this registry will be immediately available -to Pods deployed to the local cluster. - -For dev/test/CI based flows using an external registry, the traditional Kubernetes practice of -[Adding ImagePullSecrets to a service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account) -still applies. - -In some environments, KIND may encounter issues loading the Fabric docker images from the public container -registries. In addition, for Fabric development it can be advantageous to work with Docker images built -locally, bypassing the public images entirely. For these scenarios, images may also be [directly loaded](https://kind.sigs.k8s.io/docs/user/quick-start/#loading-an-image-into-your-cluster) -into the KIND image plane, bypassing the container registry. - -The `./network` script supports these additional modes via: - -1. For network-constrained environments, pull all images to the local docker cache and load to KIND: -```shell -export TEST_NETWORK_STAGE_DOCKER_IMAGES=true - -./network kind -./network up -``` - -2. For alternate registries (e.g. 
local or Fabric CI/CD builds): -```shell -./network kind - -export TEST_NETWORK_FABRIC_CONTAINER_REGISTRY=hyperledger-fabric.jfrog.io -export TEST_NETWORK_FABRIC_VERSION=amd64-latest -export TEST_NETWORK_FABRIC_CA_VERSION=amd64-latest - -./network up -``` - -3. For working with Fabric images built locally: -```shell -./network kind - -make docker # in hyperledger/fabric - -export TEST_NETWORK_FABRIC_VERSION=2.4.0 - -./network cluster load-images -./network up -``` - -## Nginx Ingress Controller - -When Fabric nodes communicate within the k8s cluster, TCP sockets are established via Kube DNS service -aliases (e.g. grpcs://org1-peer1.test-network.svc.cluster.local:443) and traverse private K8s network routes. - -For access from _external clients_, all traffic into the network nodes are routed into the correct pod by -virtue of an Nginx ingress controller bound to the host OS ports :80 and :443. To differentiate between -services, the Nginx provides a "layer 6" traffic router based on the http(s) host alias. In addition to -constructing Deployments, Pods, and Services, each Fabric node exposes a set of `Ingress` routes binding -the virtual host name to the corresponding endpoint. - -TLS traffic tunneled through the ingress controller has been configured in "ssl-passthrough" mode. For -secure access to services, client applications must present the TLS root certificate of the appropriate -organization when connecting to peers, orderers, and CAs. - - -## What is `*.localho.st` ? - -In order to expose a dynamic set of DNS host aliases matching the Nginx ingress controller, the test network -employs the public DNS wildcard domain `*.localho.st` to resolve host and subdomains to the local loopback -address 127.0.0.1. - -Using this DNS wildcard alias means that all ingress points bound to the *.localho.st domain will resolve to your -local host, conveniently routing traffic into the KIND cluster on ports :80 and :443. 
- -To override the *.localho.st network ingress domain (for example in cloud-based environments supporting a DNS -wildcard resolver) set the `TEST_NETWORK_DOMAIN` environment variable before invoking `./network` -targets. E.g.: - -```shell -export TEST_NETWORK_DOMAIN=lvh.me - -./network up - -curl -s --insecure https://org0-ca.lvh.me/cainfo | jq -``` - -## Cloud Vendors - -While the test network primarily targets KIND clusters, the singular reliance on the Kube API plane -means that it should also work without modification on any modern cloud-based or bare metal -Kubernetes distribution. While supporting the entire ecosystem of cloud vendors is not in scope -for this sample project, we'd love to hear feedback, success stories, or bugs related to applying the -test network to additional platforms. - -In general, at a high-level the steps required to port the test network to ANY kube vendor are: - -- Configure an HTTP `Ingress` for access to any gateway, REST, or companion blockchain applications. -- Register `PersistentVolumeClaims` for each of the organizations in the test network. -- Create a `Namespace` for each instance of the test network. -- Upload your chaincode, gateway clients, and application logic to an external Container Registry. -- Run with a `ServiceAccount` and role bindings suitable for creating `Pods`, `Deployments`, and `Services`. - - -## Next : [Fabric Certificate Authorities](CA.md) diff --git a/test-network-k8s/docs/README.md b/test-network-k8s/docs/README.md deleted file mode 100644 index 1bd3db9d..00000000 --- a/test-network-k8s/docs/README.md +++ /dev/null 
@@ -1,47 +0,0 @@ -# Kubernetes Test Network - -Starting in release 2.0, Hyperledger introduced the [test-network](https://hyperledger-fabric.readthedocs.io/en/latest/test_network.html) -to serve as both an accelerator and learning resource for running Fabric networks. In addition to -providing a study guide for operational patterns, the test-network provided a baseline environment for members of -the Fabric community to quickly get up to speed with a working, local system, author smart contracts, and develop -simple blockchain applications. - -As a supplement to the docker-compose based test-network, this guide presents an equivalent Fabric network -suitable for running sample applications and chaincode, developing Gateway and Chaincode-as-a-Service applications, -and harmonizing CI and deployment flows with a unified container framework - Kubernetes. - -Similar to Fabric, Kubernetes introduces a steep learning curve and presents a dizzying array of operational -flexibility. In this guide, we'll outline the design considerations in the [`./network`](../network) -scripts, provide a supplement to the [Fabric CA Deployment Guide](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy.html), -and build up to a reference model for realistic production deployments on Kubernetes. - -_Ahoy!_ - - -## Network Topology - -The Kube test network establishes as consortium among a dedicated ordering organization and two peer organizations. -Participation in the network is managed over a channel, and transactions are committed to the blockchain ledgers by -invoking the [asset-transfer-basic](https://github.com/hyperledgendary/fabric-ccaas-asset-transfer-basic) -_Chaincode-as-a-Service_ running in a shared Kubernetes namespace. 
- -![Test Network](images/test-network.png) - - -## Detailed Guides - -- [Working with Kubernetes](KUBERNETES.md) -- [Certificate Authorities](CA.md) - - [Planning for a CA](CA.md#planning-for-a-ca) - - [Deploy the TLS CAs](CA.md#deploy-tls-ca-issuers) - - [Deploy the ECert CAs](CA.md#deploy-the-organization-ca) -- [Launching the Test Network](TEST_NETWORK.md) - - [Registering and Enrolling Identities](CA.md#registering-and-enrolling-identities) - - [Assembling Node MSPs](TEST_NETWORK.md#fabric-node-msp-context) - - [Deploy Orderers and Peers](TEST_NETWORK.md#starting-peers-and-orderers) -- [Working with Channels](CHANNELS.md) -- [Working with Chaincode](CHAINCODE.md) -- [Debugging Chaincode](CHAINCODE_AS_A_SERVICE.md) -- [Working with Applications](APPLICATIONS.md) -- [High Availability](HIGH_AVAILABILITY.md) -- [Benchmarking the performance using Hyperledger Caliper](CALIPER.md) diff --git a/test-network-k8s/docs/TEST_NETWORK.md b/test-network-k8s/docs/TEST_NETWORK.md deleted file mode 100644 index 3478b2ac..00000000 --- a/test-network-k8s/docs/TEST_NETWORK.md +++ /dev/null 
@@ -1,183 +0,0 @@ - -## Network Overview - -After we have set up a series of TLS and ECert CA services, we'll use the CAs to generate -[Local MSP](https://hyperledger-fabric.readthedocs.io/en/latest/membership/membership.html#local-msps) structures for -all of the nodes, using the local MSPs to launch our network peers and orderers. - - -### TL/DR : - -``` -./network up -... -βœ… - Creating local node MSP ... -βœ… - Launching orderers ... -βœ… - Launching peers ... -🏁 - Network is ready. -``` - -## Fabric Node MSP Context - -Before we launch the network peers and orderers, each node in the network needs to have available: - -- TLS Root Certificates for all organizations in the network -- TLS Certificates and Signing Keys for SSL server/hostname verification of the network node -- Enrollment Certificates validating the network node identity (local MSP) -- Enrollment Certificates for an `Admin` identity / role for the organization. - -In order to create the local node MSP, we must first register and enroll the node identities with the ECert CAs, and -then organize the TLS and MSP certificates into a location suitable for launching the network services. - -The key steps in this process are: - -- [Registering and enrolling identities with a CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html#registering-and-enrolling-identities-with-a-ca) -- [Create the local MSP of a node](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html#create-the-local-msp-of-a-node) - -In the test network, each organization includes a function that wraps the registration, enrollment, and MSP aggregation -into a series of fabric-ca-client calls. [The script](../scripts/test_network.sh) will be executed directly on the -org's ECert CA pod, with access to the persistent volume for storage of the MSP and TLS certificates. 
While this is -largely boilerplate scripting, the process is straightforward: For each node in the network, we'll use the CAs to -generate TLS+MSP certificates, bundling into an MSP with a `config.yaml` specifying the fabric roles associated with -the target usage in the network. - -For example, the ordering organization sets up the node local MSP with: -```shell -# Each identity in the network needs a registration and enrollment. -fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp -fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp -fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp - -fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp -fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp -fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp - -# Create an MSP config.yaml (why is this not generated by the enrollment by fabric-ca-client?) 
-echo "NodeOUs: - Enable: true - ClientOUIdentifier: - Certificate: cacerts/org0-ca.pem - OrganizationalUnitIdentifier: client - PeerOUIdentifier: - Certificate: cacerts/org0-ca.pem - OrganizationalUnitIdentifier: peer - AdminOUIdentifier: - Certificate: cacerts/org0-ca.pem - OrganizationalUnitIdentifier: admin - OrdererOUIdentifier: - Certificate: cacerts/org0-ca.pem - OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml - -cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp/config.yaml -cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp/config.yaml -``` - - -## External Chaincode Builders - -Running Fabric in Kubernetes places some unique constraints on the Chaincode lifecycle: - -- Many cloud-native vendors rely on [containerd.io](https://containerd.io) to manage the lifecycle of containers - within a cluster. By contrast, Fabric assumes the presence of a Docker daemon to compile and launch chaincode - containers. Without a local Docker daemon, Fabric's default chaincode pipeline is doomed! - - -- For security and operational concerns, it is a "non-starter" to run a docker daemon on Kubernetes worker nodes. - - -- For cloud-ready development, test, validation, CI/CD, and production practices, the use of the - [Chaincode as a Service](https://hyperledger-fabric.readthedocs.io/en/latest/cc_service.html) pattern provides a - _vastly superior user experience_. 
- - -- Running Chaincode builds in Docker in Docker, running in Kubernetes in Docker is ... interesting. Let's - step back and _keep it simple_. - - -In the Kubernetes Test Network, we've incorporated the default `ccaas` external builder -(See [fabric #2884](https://github.com/hyperledger/fabric/issues/2884)) as an accelerator for working with -Chaincode-as-a-Service on Kubernetes. For `ccaas` smart contracts, when chaincode is installed on a peer, the -external builder binaries will be invoked, bypassing the reliance on a local Docker daemon running in Kubernetes. - -This configuration is accomplished by registering an external builder in the peer core.yaml: - -```yaml - externalBuilders: - - name: ccaas_builder - path: /opt/hyperledger/ccaas_builder - propagateEnvironment: - - CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG -``` - -To trigger the external builder for a chaincode service, set the metadata.json `type` attribute to `ccaas`. E.g.: -```json -{ - "type": "ccaas", - "label": "basic_1.0" -} -``` - -- [x] Pro tip: Use the companion container registry at `localhost:5000` to deploy custom chaincode into the test network. -- [x] Pro tip: Deploy a chaincode with `address: host.docker.internal:9999` and attach your chaincode in a debugger. - - -## Starting Peers and Orderers - -```shell -βœ… - Launching orderers ... -βœ… - Launching peers ... -``` - -Once the local MSP structures for the network nodes have been created, the orderers and peers may be launched in the -namespace. System nodes will read base configuration files (orderer.yaml and core.yaml) from the organization -config folder, made available in Kubernetes as the `${org}-config` config map. - -Each orderer and peer creates one `Deployment`, `Pod`, and `Service` in the namespace. In addition, each org -defines an `orgN-peerM-config` `ConfigMap` with environment variable overrides replacing the default settings -in the core.yaml file. 
Note that each node's [environment](../kube/org1/org1-peer1.yaml) includes pointers to the -node local MSP folders, certificates, and TLS signing keys that we generated above. - -Note that the deployment yaml files include some basic template substitution and parameters. For simplicity and -clarity, we elected to use basic string substitution with `envsubst`, rather than introduce a Kube template -binding system (e.g. Helm, Kustomize, Kapitan, Ansible, etc.) for manipulating yaml templates. Any environment -variables declared in the `./network` script will be applied to these k8s templates. E.g.: - -```shell -export FABRIC_VERSION=2.4.2 -... - -cat kube/org0/org0-orderer1.yaml | envsubst | kubectl -n $NS -f - -cat kube/org0/org0-orderer2.yaml | envsubst | kubectl -n $NS -f - -cat kube/org0/org0-orderer3.yaml | envsubst | kubectl -n $NS -f - - -# Wait for the orderers to completely start before launching the network peer nodes. -kubectl -n $NS rollout status deploy/org0-orderer1 -kubectl -n $NS rollout status deploy/org0-orderer2 -kubectl -n $NS rollout status deploy/org0-orderer3 -``` - -## Next Steps : - -After the peers and orderers have started, the Kube namespace includes pods, deployments, and service bindings for: - -- Org0 (org0.example.com): - - ECert Certificate Authority : https://org0-ca - - Orderer1 : grpcs://org0-orderer1 - - Orderer2 : grpcs://org0-orderer2 - - Orderer3 : grpcs://org0-orderer3 - - -- Org1 (org1.example.com): - - ECert Certificate Authority : https://org1-ca - - Peer Node 1 : grpcs://org1-peer1 - - Peer Node 2 : grpcs://org1-peer2 - - -- Org2 (org2.example.com): - - ECert Certificate Authority : https://org2-ca - - Peer Node 1 : grpcs://org2-peer1 - - Peer Node 2 : grpcs://org2-peer2 - - - -### Next : [Working With Channels](CHANNELS.md) 
diff --git a/test-network-k8s/docs/images/test-network.png b/test-network-k8s/docs/images/test-network.png deleted file mode 100644 index b993135c..00000000 Binary files a/test-network-k8s/docs/images/test-network.png and /dev/null differ diff --git a/test-network-k8s/kube/application-deployment.yaml b/test-network-k8s/kube/application-deployment.yaml deleted file mode 100644 index 4e02f706..00000000 --- a/test-network-k8s/kube/application-deployment.yaml +++ /dev/null @@ -1,48 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: application-deployment -spec: - replicas: 1 - selector: - matchLabels: - app: application-deployment - template: - metadata: - labels: - app: application-deployment - spec: - containers: - - name: main - image: - imagePullPolicy: Always - envFrom: - - configMapRef: - name: app-fabric-org1-v1-map - resources: - requests: - memory: "50Mi" - cpu: "0.1" - volumeMounts: - - name: fabricids - mountPath: /fabric/application/wallet - - name: fabric-ccp - mountPath: /fabric/application/gateways - - name: tlscerts - mountPath: /fabric/tlscacerts - volumes: - - name: fabric-ccp - configMap: - name: app-fabric-ccp-v1-map - - name: fabricids - configMap: - name: app-fabric-ids-v1-map - - name: tlscerts - configMap: - name: app-fabric-tls-v1-map diff --git a/test-network-k8s/kube/fabric-builder-role.yaml b/test-network-k8s/kube/fabric-builder-role.yaml deleted file mode 100644 index c1d6d4ff..00000000 --- a/test-network-k8s/kube/fabric-builder-role.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: fabric-builder-role -rules: - - apiGroups: - - "" - - apps - - batch - resources: - - pods - - jobs - - configmaps - - secrets - verbs: - - get - - list - - watch - - create - - delete - - patch \ No newline at end of file diff --git a/test-network-k8s/kube/fabric-builder-rolebinding.yaml b/test-network-k8s/kube/fabric-builder-rolebinding.yaml deleted file mode 100644 index 057ccb0f..00000000 --- a/test-network-k8s/kube/fabric-builder-rolebinding.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: fabric-builder-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: fabric-builder-role -subjects: - - namespace: ${ORG1_NS} - kind: ServiceAccount - name: default \ No newline at end of file diff --git a/test-network-k8s/kube/fabric-rest-sample.yaml b/test-network-k8s/kube/fabric-rest-sample.yaml deleted file mode 100644 index 8c3847e6..00000000 --- a/test-network-k8s/kube/fabric-rest-sample.yaml +++ /dev/null 
@@ -1,261 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: fabric-rest-sample-config-example -data: - HLF_CONNECTION_PROFILE_ORG1: | - { - "name": "Org1", - "version": "1.0.0", - "client": { - "organization": "Org1", - "connection": { - "timeout": { - "peer": { - "endorser": "500" - } - } - } - }, - "organizations": { - "Org1": { - "mspid": "Org1MSP", - "peers": [ - "org1-peers" - ], - "certificateAuthorities": [ - "org1-ca" - ] - } - }, - "peers": { - "org1-peers": { - "url": "grpcs://org1-peer-gateway-svc:7051", - "tlsCACerts": { - "pem": "-----BEGIN CERTIFICATE-----\\nMIICvzCCAmWgAwIBAgIULJGws7jbEY6ruSgDuvi9L7VphvIwCgYIKoZIzj0EAwIw\\naDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt\\nY2Etc2VydmVyMB4XDTIxMDkyMDE2MDkwMFoXDTIyMDkyMDE2MTQwMFowYDELMAkG\\nA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl\\ncmxlZGdlcjENMAsGA1UECxMEcGVlcjETMBEGA1UEAxMKb3JnMS1wZWVyMTBZMBMG\\nByqGSM49AgEGCCqGSM49AwEHA0IABL9e3GZBf1MeoObGxwSHkcgDEjMo+/13Qc4u\\nfSG2MKrveHBIEA4MRkHNqd+sTjoz0/1B15y2n+RiPo8uJvlyC/CjgfQwgfEwDgYD\\nVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV\\nHRMBAf8EAjAAMB0GA1UdDgQWBBSeytspiXlEzMAsnF9/wxqc9fydETAfBgNVHSME\\nGDAWgBQwru1VH0OwH3dxfPdD8w74ZIlLRzAVBgNVHREEDjAMggpvcmcxLXBlZXIx\\nMFsGCCoDBAUGBwgBBE97ImF0dHJzIjp7ImhmLkFmZmlsaWF0aW9uIjoiIiwiaGYu\\nRW5yb2xsbWVudElEIjoib3JnMS1wZWVyMSIsImhmLlR5cGUiOiJwZWVyIn19MAoG\\nCCqGSM49BAMCA0gAMEUCIQDJEjPxceCfXU5B/emrHE4JbEzrZKxLVViBWCNMsHiR\\nFgIgY+8jsvr3rlBPkpRhl8CtT2DgaP7iWvovtMYsPKhLAqk=\\n-----END CERTIFICATE-----\\n" - }, - "grpcOptions": { - "grpc-wait-for-ready-timeout": 100000, - "ssl-target-name-override": "org1-peer-gateway-svc", - "hostnameOverride": "org1-peer-gateway-svc" - } - } - }, - "certificateAuthorities": { - "org1-ca": { - "url": "https://org1-ca", - "caName": "org1-ca", - "tlsCACerts": { - 
"pem": "TODO" - }, - "httpOptions": { - "verify": "false" - } - } - } - } - HLF_CERTIFICATE_ORG1: | - -----BEGIN CERTIFICATE----- - MIIC2DCCAn6gAwIBAgIUTfcXDyxCS+2EQnznfjERUo4Vri8wCgYIKoZIzj0EAwIw - aDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK - EwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt - Y2Etc2VydmVyMB4XDTIxMDkyMDExNDEwMFoXDTIyMDkyMDExNDYwMFowYTELMAkG - A1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl - cmxlZGdlcjEOMAwGA1UECxMFYWRtaW4xEzARBgNVBAMTCm9yZzEtYWRtaW4wWTAT - BgcqhkjOPQIBBggqhkjOPQMBBwNCAAT8zvJEg3FgJ5iUA5GO+n/j48bL83STpz7N - TqejWIZNVTraxE4fjT6traKiswme7gT2NY9Jl0Dj4tbif9l2I9+Oo4IBCzCCAQcw - DgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFO1zWPynvyER - n9ml6XV5VvC9tIjTMB8GA1UdIwQYMBaAFPbIrI+lh8KayoRpW1YStWMhzJZSMCcG - A1UdEQQgMB6CHG9yZzEtdGxzLWNhLTg1NjdiOTg5OWYtdzU3amYwfgYIKgMEBQYH - CAEEcnsiYXR0cnMiOnsiYWJhYy5pbml0IjoidHJ1ZSIsImFkbWluIjoidHJ1ZSIs - ImhmLkFmZmlsaWF0aW9uIjoiIiwiaGYuRW5yb2xsbWVudElEIjoib3JnMS1hZG1p - biIsImhmLlR5cGUiOiJhZG1pbiJ9fTAKBggqhkjOPQQDAgNIADBFAiEAv99I2J9t - WtOmIzpYix8OFl4Z+ZGRHtay83ux//sZP+MCID02hFqnNpOL/ggGFaDVpVQ/eu0t - KTfVxZEMyZnJtAhp - -----END CERTIFICATE----- - HLF_PRIVATE_KEY_ORG1: | - -----BEGIN PRIVATE KEY----- - MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg7Lb+jwZqhxT3x0lT - FpU0QSmioptgfv8TI2RP5Mjp9UKhRANCAAT8zvJEg3FgJ5iUA5GO+n/j48bL83ST - pz7NTqejWIZNVTraxE4fjT6traKiswme7gT2NY9Jl0Dj4tbif9l2I9+O - -----END PRIVATE KEY----- - HLF_CONNECTION_PROFILE_ORG2: | - { - "name": "Org2", - "version": "1.0.0", - "client": { - "organization": "Org2", - "connection": { - "timeout": { - "peer": { - "endorser": "300" - } - } - } - }, - "organizations": { - "Org2": { - "mspid": "Org2MSP", - "peers": [ - "org2-peers" - ], - "certificateAuthorities": [ - "org2-ca" - ] - } - }, - "peers": { - "org2-peers": { - "url": "org2-peer-gateway-svc:7051", - "tlsCACerts": { - "pem": "-----BEGIN 
CERTIFICATE-----\\nMIICKDCCAc6gAwIBAgIUJJ4wGOSCfw8XOOIx29o67wBpFB4wCgYIKoZIzj0EAwIw\\naDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt\\nY2Etc2VydmVyMB4XDTIxMDkyMDExNDEwMFoXDTM2MDkxNjExNDEwMFowaDELMAkG\\nA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl\\ncmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2Vy\\ndmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyzGJLZX6pe59QAIBacjfzU4I\\nHezBYLyEu4ySpFx4xwxNLE4BWqLhB1VaOuenSQATM8pmSAy7i1830oM9elKWK6NW\\nMFQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\\nFEoAAhmjq/3M8CFPc7N8SL53erL5MA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0E\\nAwIDSAAwRQIhAJQ5PJOT4Gg8oiBU2KthMPkZqOLeu3Li4S3yBpLFgbsgAiB960P2\\nXPMu3HLoNXrktYOL9JzWlGyYRSPAnkap5Bsj0w==\\n-----END CERTIFICATE-----\\n" - }, - "grpcOptions": { - "ssl-target-name-override": "org2-peer-gateway-svc", - "hostnameOverride": "org2-peer-gateway-svc" - } - } - }, - "certificateAuthorities": { - "org2-ca": { - "url": "https://org2-ca", - "caName": "org2-ca", - "tlsCACerts": { - "pem": ["-----BEGIN CERTIFICATE-----\\nMIICKDCCAc6gAwIBAgIUJAF4fQK1KsnvdaUjau462D/5HPYwCgYIKoZIzj0EAwIw\\naDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt\\nY2Etc2VydmVyMB4XDTIxMDkxOTExMTcwMFoXDTM2MDkxNTExMTcwMFowaDELMAkG\\nA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl\\ncmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2Vy\\ndmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8bLvzagP3YANMGHVomZoGCQD\\nRgM3SenagZQ4IWqNQJSV3yTxzdgAWnPhwc+B/HdAOvAq2Oz54FmiSL9dAJoivqNW\\nMFQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\\nFDdBAwT47jtbj48aXdMfRvMPbD5tMA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0E\\nAwIDSAAwRQIhAITSk4lYWqu12jZkR94aNoKT36ctaeKHuRvXs7m2qaHSAiAtUPO7\\nXlHtI9SDTRvI4DNSb2O7y7+B3WxVeCx50fivDw==\\n-----END CERTIFICATE-----\\n"] - }, - "httpOptions": { - "verify": "false" - } - } - } - } - 
HLF_CERTIFICATE_ORG2: | - -----BEGIN CERTIFICATE----- - MIIC2DCCAn6gAwIBAgIUY/B19uAV6H5zK4bgqF/BcYC79eEwCgYIKoZIzj0EAwIw - aDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK - EwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt - Y2Etc2VydmVyMB4XDTIxMDkyMDExNDEwMFoXDTIyMDkyMDExNDYwMFowYTELMAkG - A1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl - cmxlZGdlcjEOMAwGA1UECxMFYWRtaW4xEzARBgNVBAMTCm9yZzItYWRtaW4wWTAT - BgcqhkjOPQIBBggqhkjOPQMBBwNCAARKTC+25gFIgbLQgSQSec3DaUJOZS6aHBAi - 0bmArVbMOxLUBT/W42ycXzfFJ9c0UAEZecDu8jxgBfEGWcbeWWMXo4IBCzCCAQcw - DgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFGIXcrVhcyJ9 - WTH2zgc9/RdE1hJsMB8GA1UdIwQYMBaAFFS96ExY5RWOcsODBAfXZe+FQIq0MCcG - A1UdEQQgMB6CHG9yZzItdGxzLWNhLTY5Yzg1Zjg5YmMtNzIyZ2cwfgYIKgMEBQYH - CAEEcnsiYXR0cnMiOnsiYWJhYy5pbml0IjoidHJ1ZSIsImFkbWluIjoidHJ1ZSIs - ImhmLkFmZmlsaWF0aW9uIjoiIiwiaGYuRW5yb2xsbWVudElEIjoib3JnMi1hZG1p - biIsImhmLlR5cGUiOiJhZG1pbiJ9fTAKBggqhkjOPQQDAgNIADBFAiEAhrXwM7Ng - IGxgF8irY7NbkQp1xqphy3tv6JbK6HPF+O8CIELMkzOclVK2rRC1K5PF99G7Cmmm - KsVw31cJcV4NTDI7 - -----END CERTIFICATE----- - HLF_PRIVATE_KEY_ORG2: | - -----BEGIN PRIVATE KEY----- - MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPJgLniT9EqcaUNbi - F3EqGyBP9LDg1baXR/5dV6xedt+hRANCAARKTC+25gFIgbLQgSQSec3DaUJOZS6a - HBAi0bmArVbMOxLUBT/W42ycXzfFJ9c0UAEZecDu8jxgBfEGWcbeWWMX - -----END PRIVATE KEY----- - - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: fabric-rest-sample -spec: - replicas: 1 - selector: - matchLabels: - app: fabric-rest-sample - template: - metadata: - labels: - app: fabric-rest-sample - spec: - containers: - - name: main - image: ghcr.io/hyperledger/fabric-rest-sample - imagePullPolicy: IfNotPresent - env: - - name: LOG_LEVEL - value: debug - - name: HFC_LOGGING - value: '{ "debug": "console" }' - - name: PORT - value: "3000" - - name: RETRY_DELAY - value: "3000" - - name: MAX_RETRY_COUNT - value: "5" - - name: HLF_COMMIT_TIMEOUT - value: "3000" - - name: 
HLF_ENDORSE_TIMEOUT - value: "30" - - name: REDIS_HOST - value: "localhost" - - name: REDIS_PORT - value: "6379" - - name: ORG1_APIKEY - value: "97834158-3224-4CE7-95F9-A148C886653E" - - name: ORG2_APIKEY - value: "BC42E734-062D-4AEE-A591-5973CB763430" - - name: AS_LOCAL_HOST - value: "false" - - name: HLF_CHAINCODE_NAME - value: "asset-transfer-basic" -# - name: REDIS_USERNAME -# value: redisuser -# - name: REDIS_PASSWORD -# value: redispasword - - envFrom: - - configMapRef: - name: fabric-rest-sample-config - ports: - - containerPort: 3000 - - name: redis - image: redis:6.2.5 - ports: - - containerPort: 6379 - ---- -apiVersion: v1 -kind: Service -metadata: - name: fabric-rest-sample -spec: - ports: - - name: http - port: 3000 - protocol: TCP - selector: - app: fabric-rest-sample - ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s - labels: - app: fabric-rest-sample - name: fabric-rest-sample -spec: - ingressClassName: nginx - rules: - - host: fabric-rest-sample.${DOMAIN} - http: - paths: - - backend: - service: - name: fabric-rest-sample - port: - name: http - path: / - pathType: ImplementationSpecific - diff --git a/test-network-k8s/kube/ingress-nginx-k3s.yaml b/test-network-k8s/kube/ingress-nginx-k3s.yaml deleted file mode 100644 index 16c7c07b..00000000 --- a/test-network-k8s/kube/ingress-nginx-k3s.yaml +++ /dev/null 
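Review bot: the deleted ConfigMap `fabric-rest-sample-config-example` carries PEM private keys under `HLF_PRIVATE_KEY_ORG1` and `HLF_PRIVATE_KEY_ORG2`, and the `fabric-rest-sample` Deployment hardcodes `ORG1_APIKEY` and `ORG2_APIKEY` as literal `env` values; deleting the file leaves all of them in git history, so the PR description should confirm these are throwaway test-network credentials and they should be rotated if any were ever used outside a local KIND/k3s cluster. If a replacement manifest lands later, keep key material and API keys in a `Secret` referenced via `secretKeyRef` rather than in a ConfigMap or inline `env`, and do not use this file as the template: the org1 CA profile still has `"pem": "TODO"`, both CA entries set `"verify": "false"`, and the org2 peer URL `org2-peer-gateway-svc:7051` lacks the `grpcs://` scheme the org1 entry uses.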
@@ -1,683 +0,0 @@ -#GENERATED FOR K8S 1.20 -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - name: ingress-nginx ---- -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx - namespace: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - 
networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - ingress-controller-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission - namespace: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- 
apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx -subjects: -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - 
kind: Role - name: ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: v1 -data: - allow-snippet-annotations: "true" -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-controller - namespace: ingress-nginx ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: 
ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - externalTrafficPolicy: Local - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - ports: - - appProtocol: http - name: http - port: 80 - protocol: TCP - targetPort: http - - appProtocol: https - name: https - port: 443 - protocol: TCP - targetPort: https - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - type: LoadBalancer ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-controller-admission - namespace: ingress-nginx -spec: - ports: - - appProtocol: https - name: https-webhook - port: 443 - targetPort: webhook - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - minReadySeconds: 0 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - template: - metadata: - labels: - 
app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - spec: - containers: - - args: - - /nginx-ingress-controller - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --ingress-class=nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - - --enable-ssl-passthrough - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - name: controller - ports: - - containerPort: 80 - name: http - protocol: TCP - - containerPort: 443 - name: https - protocol: TCP - - containerPort: 8443 - name: webhook - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 90Mi - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - runAsUser: 101 - volumeMounts: - - mountPath: /usr/local/certificates/ - name: webhook-cert - readOnly: true - dnsPolicy: ClusterFirst - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: ingress-nginx - 
terminationGracePeriodSeconds: 300 - volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - helm.sh/hook: pre-install,pre-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission-create - namespace: ingress-nginx -spec: - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission-create - spec: - containers: - - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - name: create - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - serviceAccountName: ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - helm.sh/hook: post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - app.kubernetes.io/component: admission-webhook - 
app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission-patch - namespace: ingress-nginx -spec: - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission-patch - spec: - containers: - - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - name: patch - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - serviceAccountName: ingress-nginx-admission ---- -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: nginx -spec: - controller: k8s.io/ingress-nginx ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: 
ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: ingress-nginx-controller-admission - namespace: ingress-nginx - path: /networking/v1/ingresses - failurePolicy: Fail - matchPolicy: Equivalent - name: validate.nginx.ingress.kubernetes.io - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - sideEffects: None diff --git a/test-network-k8s/kube/ingress-nginx-kind.yaml b/test-network-k8s/kube/ingress-nginx-kind.yaml deleted file mode 100644 index 6644f215..00000000 --- a/test-network-k8s/kube/ingress-nginx-kind.yaml +++ /dev/null 
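Review bot: removing `kube/ingress-nginx-k3s.yaml` with no corresponding change elsewhere in this diff leaves any script step that applies that path dangling; please confirm the caller is removed or repointed in the same PR. Also worth recording in the commit message: this generated manifest (ingress-nginx 1.1.2, chart 4.0.18) ran the controller with `allow-snippet-annotations: "true"`, `--enable-ssl-passthrough` and `allowPrivilegeEscalation: true`; snippet annotations let any Ingress object inject raw nginx configuration, so if an ingress controller is re-added for the k3s runtime it should be installed from the upstream chart with snippets disabled rather than restored from this file.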
@@ -1,694 +0,0 @@ -#GENERATED FOR K8S 1.20 -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - name: ingress-nginx ---- -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx - namespace: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - 
networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - ingress-controller-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission - namespace: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- 
apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx -subjects: -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - 
kind: Role - name: ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: v1 -data: - allow-snippet-annotations: "true" -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-controller - namespace: ingress-nginx ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: 
ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - ports: - - appProtocol: http - name: http - port: 80 - protocol: TCP - targetPort: http - - appProtocol: https - name: https - port: 443 - protocol: TCP - targetPort: https - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - type: NodePort ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-controller-admission - namespace: ingress-nginx -spec: - ports: - - appProtocol: https - name: https-webhook - port: 443 - targetPort: webhook - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - minReadySeconds: 0 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - strategy: - rollingUpdate: - maxUnavailable: 1 - type: RollingUpdate - 
template: - metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - spec: - containers: - - args: - - /nginx-ingress-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --ingress-class=nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - - --watch-ingress-without-class=true - - --publish-status-address=localhost - - --enable-ssl-passthrough - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - name: controller - ports: - - containerPort: 80 - hostPort: 80 - name: http - protocol: TCP - - containerPort: 443 - hostPort: 443 - name: https - protocol: TCP - - containerPort: 8443 - name: webhook - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 90Mi - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - runAsUser: 101 - volumeMounts: - - mountPath: /usr/local/certificates/ - name: webhook-cert - readOnly: true - dnsPolicy: ClusterFirst - nodeSelector: - 
ingress-ready: "true" - kubernetes.io/os: linux - serviceAccountName: ingress-nginx - terminationGracePeriodSeconds: 0 - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - operator: Equal - volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - helm.sh/hook: pre-install,pre-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission-create - namespace: ingress-nginx -spec: - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission-create - spec: - containers: - - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - name: create - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - serviceAccountName: ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - 
helm.sh/hook: post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission-patch - namespace: ingress-nginx -spec: - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission-patch - spec: - containers: - - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - name: patch - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - serviceAccountName: ingress-nginx-admission ---- -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: nginx -spec: - controller: k8s.io/ingress-nginx ---- -apiVersion: 
admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.1.2 - helm.sh/chart: ingress-nginx-4.0.18 - name: ingress-nginx-admission -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: ingress-nginx-controller-admission - namespace: ingress-nginx - path: /networking/v1/ingresses - failurePolicy: Fail - matchPolicy: Equivalent - name: validate.nginx.ingress.kubernetes.io - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - sideEffects: None diff --git a/test-network-k8s/kube/ns-test-network.yaml b/test-network-k8s/kube/ns-test-network.yaml deleted file mode 100644 index f9ef39e0..00000000 --- a/test-network-k8s/kube/ns-test-network.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: v1 -kind: Namespace -metadata: - name: test-network diff --git a/test-network-k8s/kube/org0/org0-ca.yaml b/test-network-k8s/kube/org0/org0-ca.yaml deleted file mode 100644 index 87c081ac..00000000 --- a/test-network-k8s/kube/org0/org0-ca.yaml +++ /dev/null 
@@ -1,124 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: org0-ca-tls-cert -spec: - isCA: false - privateKey: - algorithm: ECDSA - size: 256 - dnsNames: - - localhost - - org0-ca - - org0-ca.${ORG0_NS}.svc.cluster.local - - org0-ca.${DOMAIN} - ipAddresses: - - 127.0.0.1 - secretName: org0-ca-tls-cert - issuerRef: - name: org0-tls-cert-issuer - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org0-ca -spec: - replicas: 1 - selector: - matchLabels: - app: org0-ca - template: - metadata: - labels: - app: org0-ca - spec: - containers: - - name: main - image: ${FABRIC_CONTAINER_REGISTRY}/fabric-ca:${FABRIC_CA_VERSION} - imagePullPolicy: IfNotPresent - env: - - name: FABRIC_CA_SERVER_CA_NAME - value: "org0-ca" - - name: FABRIC_CA_SERVER_DEBUG - value: "false" - - name: FABRIC_CA_SERVER_HOME - value: "/var/hyperledger/fabric-ca-server" - - name: FABRIC_CA_SERVER_TLS_CERTFILE - value: "/var/hyperledger/fabric/config/tls/tls.crt" - - name: FABRIC_CA_SERVER_TLS_KEYFILE - value: "/var/hyperledger/fabric/config/tls/tls.key" - - name: FABRIC_CA_CLIENT_HOME - value: "/var/hyperledger/fabric-ca-client" - ports: - - containerPort: 443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml - subPath: fabric-ca-server-config.yaml - - name: tls-cert-volume - mountPath: /var/hyperledger/fabric/config/tls - readOnly: true - readinessProbe: - tcpSocket: - port: 443 - initialDelaySeconds: 2 - periodSeconds: 5 - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org0 - - name: fabric-config - configMap: - name: org0-config - - name: tls-cert-volume - secret: - secretName: org0-ca-tls-cert - ---- -apiVersion: v1 -kind: Service -metadata: - name: org0-ca -spec: - ports: - - name: https - port: 443 - protocol: TCP 
- selector: - app: org0-ca - ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - labels: - app: org0-ca - name: org0-ca -spec: - ingressClassName: nginx - rules: - - host: org0-ca.${DOMAIN} - http: - paths: - - backend: - service: - name: org0-ca - port: - name: https - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - org0-ca.${DOMAIN} diff --git a/test-network-k8s/kube/org0/org0-job-scrub-fabric-volumes.yaml b/test-network-k8s/kube/org0/org0-job-scrub-fabric-volumes.yaml deleted file mode 100644 index 92847115..00000000 --- a/test-network-k8s/kube/org0/org0-job-scrub-fabric-volumes.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: job-scrub-fabric-volumes -spec: - backoffLimit: 0 - completions: 1 - template: - metadata: - name: job-scrub-fabric-volumes - spec: - restartPolicy: "Never" - containers: - - name: main - image: busybox:latest - command: - - sh - - -c - - "rm -rvf /mnt/fabric-*/*" - volumeMounts: - - name: fabric-org0-volume - mountPath: /mnt/fabric-org0 - volumes: - - name: fabric-org0-volume - persistentVolumeClaim: - claimName: fabric-org0 diff --git a/test-network-k8s/kube/org0/org0-orderer1.yaml b/test-network-k8s/kube/org0/org0-orderer1.yaml deleted file mode 100644 index 108d1b0b..00000000 --- a/test-network-k8s/kube/org0/org0-orderer1.yaml +++ /dev/null 
@@ -1,159 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: org0-orderer1-tls-cert - namespace: ${ORG0_NS} -spec: - isCA: false - privateKey: - algorithm: ECDSA - size: 256 - dnsNames: - - localhost - - org0-orderer1 - - org0-orderer1.${ORG0_NS}.svc.cluster.local - - org0-orderer1.${DOMAIN} - - org0-orderer1-admin.${DOMAIN} - ipAddresses: - - 127.0.0.1 - secretName: org0-orderer1-tls-cert - issuerRef: - name: org0-tls-cert-issuer - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: org0-orderer1-env -data: - FABRIC_CFG_PATH: /var/hyperledger/fabric/config - FABRIC_LOGGING_SPEC: INFO # debug:cauthdsl,policies,msp,common.configtx,common.channelconfig=info - ORDERER_GENERAL_LISTENADDRESS: 0.0.0.0 - ORDERER_GENERAL_LISTENPORT: "6050" - ORDERER_GENERAL_LOCALMSPID: OrdererMSP - ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp - ORDERER_GENERAL_TLS_ENABLED: "true" - ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt - ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt - ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key - ORDERER_GENERAL_BOOTSTRAPMETHOD: none - ORDERER_ADMIN_TLS_ENABLED: "true" - ORDERER_ADMIN_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt - ORDERER_ADMIN_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt - ORDERER_ADMIN_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key - # Authenticate client connections with the org's ecert / admin user enrollments - ORDERER_ADMIN_TLS_CLIENTROOTCAS: "[/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/cacerts/org0-ca.pem]" - ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer1 - ORDERER_CONSENSUS_WALDIR: 
/var/hyperledger/fabric/data/orderer1/etcdraft/wal - ORDERER_CONSENSUS_SNAPDIR: /var/hyperledger/fabric/data/orderer1/etcdraft/wal - ORDERER_OPERATIONS_LISTENADDRESS: 0.0.0.0:8443 - ORDERER_ADMIN_LISTENADDRESS: 0.0.0.0:9443 - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org0-orderer1 -spec: - replicas: 1 - selector: - matchLabels: - app: org0-orderer1 - template: - metadata: - labels: - app: org0-orderer1 - spec: - containers: - - name: main - image: ${FABRIC_CONTAINER_REGISTRY}/fabric-orderer:${FABRIC_VERSION} - imagePullPolicy: IfNotPresent - envFrom: - - configMapRef: - name: org0-orderer1-env - ports: - - containerPort: 6050 - - containerPort: 8443 - - containerPort: 9443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric/config - - name: tls-cert-volume - mountPath: /var/hyperledger/fabric/config/tls - readOnly: true - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org0 - - name: fabric-config - configMap: - name: org0-config - - name: tls-cert-volume - secret: - secretName: org0-orderer1-tls-cert ---- -apiVersion: v1 -kind: Service -metadata: - name: org0-orderer1 -spec: - ports: - - name: general - port: 6050 - protocol: TCP - - name: operations - port: 8443 - protocol: TCP - - name: admin - port: 9443 - protocol: TCP - selector: - app: org0-orderer1 - ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - labels: - app: org0-orderer1 - name: org0-orderer1 -spec: - ingressClassName: nginx - rules: - - host: org0-orderer1.${DOMAIN} - http: - paths: - - backend: - service: - name: org0-orderer1 - port: - name: general - path: / - pathType: ImplementationSpecific - - host: org0-orderer1-admin.${DOMAIN} - http: - paths: - - backend: - service: - name: org0-orderer1 - port: - name: admin - path: / - 
pathType: ImplementationSpecific - tls: - - hosts: - - org0-orderer1.${DOMAIN} - - hosts: - - org0-orderer1-admin.${DOMAIN} diff --git a/test-network-k8s/kube/org0/org0-orderer2.yaml b/test-network-k8s/kube/org0/org0-orderer2.yaml deleted file mode 100644 index 043b13c8..00000000 --- a/test-network-k8s/kube/org0/org0-orderer2.yaml +++ /dev/null 
@@ -1,159 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: org0-orderer2-tls-cert - namespace: ${ORG0_NS} -spec: - isCA: false - privateKey: - algorithm: ECDSA - size: 256 - dnsNames: - - localhost - - org0-orderer2 - - org0-orderer2.${ORG0_NS}.svc.cluster.local - - org0-orderer2.${DOMAIN} - - org0-orderer2-admin.${DOMAIN} - ipAddresses: - - 127.0.0.1 - secretName: org0-orderer2-tls-cert - issuerRef: - name: org0-tls-cert-issuer - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: org0-orderer2-env -data: - FABRIC_CFG_PATH: /var/hyperledger/fabric/config - FABRIC_LOGGING_SPEC: INFO # debug:cauthdsl,policies,msp,common.configtx,common.channelconfig=info - ORDERER_GENERAL_LISTENADDRESS: 0.0.0.0 - ORDERER_GENERAL_LISTENPORT: "6050" - ORDERER_GENERAL_LOCALMSPID: OrdererMSP - ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp - ORDERER_GENERAL_TLS_ENABLED: "true" - ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt - ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt - ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key - ORDERER_GENERAL_BOOTSTRAPMETHOD: none - ORDERER_ADMIN_TLS_ENABLED: "true" - ORDERER_ADMIN_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt - ORDERER_ADMIN_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt - ORDERER_ADMIN_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key - # Authenticate client connections with the org's ecert / admin user enrollments - ORDERER_ADMIN_TLS_CLIENTROOTCAS: "[/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp/cacerts/org0-ca.pem]" - ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer2 - ORDERER_CONSENSUS_WALDIR: 
/var/hyperledger/fabric/data/orderer2/etcdraft/wal - ORDERER_CONSENSUS_SNAPDIR: /var/hyperledger/fabric/data/orderer2/etcdraft/wal - ORDERER_OPERATIONS_LISTENADDRESS: 0.0.0.0:8443 - ORDERER_ADMIN_LISTENADDRESS: 0.0.0.0:9443 - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org0-orderer2 -spec: - replicas: 1 - selector: - matchLabels: - app: org0-orderer2 - template: - metadata: - labels: - app: org0-orderer2 - spec: - containers: - - name: main - image: ${FABRIC_CONTAINER_REGISTRY}/fabric-orderer:${FABRIC_VERSION} - imagePullPolicy: IfNotPresent - envFrom: - - configMapRef: - name: org0-orderer2-env - ports: - - containerPort: 6050 - - containerPort: 8443 - - containerPort: 9443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric/config - - name: tls-cert-volume - mountPath: /var/hyperledger/fabric/config/tls - readOnly: true - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org0 - - name: fabric-config - configMap: - name: org0-config - - name: tls-cert-volume - secret: - secretName: org0-orderer2-tls-cert ---- -apiVersion: v1 -kind: Service -metadata: - name: org0-orderer2 -spec: - ports: - - name: general - port: 6050 - protocol: TCP - - name: operations - port: 8443 - protocol: TCP - - name: admin - port: 9443 - protocol: TCP - selector: - app: org0-orderer2 - ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - labels: - app: org0-orderer2 - name: org0-orderer2 -spec: - ingressClassName: nginx - rules: - - host: org0-orderer2.${DOMAIN} - http: - paths: - - backend: - service: - name: org0-orderer2 - port: - name: general - path: / - pathType: ImplementationSpecific - - host: org0-orderer2-admin.${DOMAIN} - http: - paths: - - backend: - service: - name: org0-orderer2 - port: - name: admin - path: / - 
pathType: ImplementationSpecific - tls: - - hosts: - - org0-orderer2.${DOMAIN} - - hosts: - - org0-orderer2-admin.${DOMAIN} diff --git a/test-network-k8s/kube/org0/org0-orderer3.yaml b/test-network-k8s/kube/org0/org0-orderer3.yaml deleted file mode 100644 index 3e42a739..00000000 --- a/test-network-k8s/kube/org0/org0-orderer3.yaml +++ /dev/null 
@@ -1,159 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: org0-orderer3-tls-cert - namespace: ${ORG0_NS} -spec: - isCA: false - privateKey: - algorithm: ECDSA - size: 256 - dnsNames: - - localhost - - org0-orderer3 - - org0-orderer3.${ORG0_NS}.svc.cluster.local - - org0-orderer3.${DOMAIN} - - org0-orderer3-admin.${DOMAIN} - ipAddresses: - - 127.0.0.1 - secretName: org0-orderer3-tls-cert - issuerRef: - name: org0-tls-cert-issuer - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: org0-orderer3-env -data: - FABRIC_CFG_PATH: /var/hyperledger/fabric/config - FABRIC_LOGGING_SPEC: INFO # debug:cauthdsl,policies,msp,common.configtx,common.channelconfig=info - ORDERER_GENERAL_LISTENADDRESS: 0.0.0.0 - ORDERER_GENERAL_LISTENPORT: "6050" - ORDERER_GENERAL_LOCALMSPID: OrdererMSP - ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp - ORDERER_GENERAL_TLS_ENABLED: "true" - ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt - ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt - ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key - ORDERER_GENERAL_BOOTSTRAPMETHOD: none - ORDERER_ADMIN_TLS_ENABLED: "true" - ORDERER_ADMIN_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt - ORDERER_ADMIN_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt - ORDERER_ADMIN_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key - # Authenticate client connections with the org's ecert / admin user enrollments - ORDERER_ADMIN_TLS_CLIENTROOTCAS: "[/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp/cacerts/org0-ca.pem]" - ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer3 - ORDERER_CONSENSUS_WALDIR: 
/var/hyperledger/fabric/data/orderer3/etcdraft/wal - ORDERER_CONSENSUS_SNAPDIR: /var/hyperledger/fabric/data/orderer3/etcdraft/wal - ORDERER_OPERATIONS_LISTENADDRESS: 0.0.0.0:8443 - ORDERER_ADMIN_LISTENADDRESS: 0.0.0.0:9443 - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org0-orderer3 -spec: - replicas: 1 - selector: - matchLabels: - app: org0-orderer3 - template: - metadata: - labels: - app: org0-orderer3 - spec: - containers: - - name: main - image: ${FABRIC_CONTAINER_REGISTRY}/fabric-orderer:${FABRIC_VERSION} - imagePullPolicy: IfNotPresent - envFrom: - - configMapRef: - name: org0-orderer3-env - ports: - - containerPort: 6050 - - containerPort: 8443 - - containerPort: 9443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric/config - - name: tls-cert-volume - mountPath: /var/hyperledger/fabric/config/tls - readOnly: true - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org0 - - name: fabric-config - configMap: - name: org0-config - - name: tls-cert-volume - secret: - secretName: org0-orderer3-tls-cert ---- -apiVersion: v1 -kind: Service -metadata: - name: org0-orderer3 -spec: - ports: - - name: general - port: 6050 - protocol: TCP - - name: operations - port: 8443 - protocol: TCP - - name: admin - port: 9443 - protocol: TCP - selector: - app: org0-orderer3 - ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - labels: - app: org0-orderer3 - name: org0-orderer3 -spec: - ingressClassName: nginx - rules: - - host: org0-orderer3.${DOMAIN} - http: - paths: - - backend: - service: - name: org0-orderer3 - port: - name: general - path: / - pathType: ImplementationSpecific - - host: org0-orderer3-admin.${DOMAIN} - http: - paths: - - backend: - service: - name: org0-orderer3 - port: - name: admin - path: / - 
pathType: ImplementationSpecific - tls: - - hosts: - - org0-orderer3.${DOMAIN} - - hosts: - - org0-orderer3-admin.${DOMAIN} diff --git a/test-network-k8s/kube/org0/org0-tls-cert-issuer.yaml b/test-network-k8s/kube/org0/org0-tls-cert-issuer.yaml deleted file mode 100644 index 0745afc8..00000000 --- a/test-network-k8s/kube/org0/org0-tls-cert-issuer.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: org0-tls-cert-issuer -spec: - isCA: true - privateKey: - algorithm: ECDSA - size: 256 - commonName: org0.example.com - secretName: org0-tls-cert-issuer-secret - issuerRef: - name: root-tls-cert-issuer - kind: Issuer - group: cert-manager.io - ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: org0-tls-cert-issuer -spec: - ca: - secretName: org0-tls-cert-issuer-secret - - - - diff --git a/test-network-k8s/kube/org1/org1-ca.yaml b/test-network-k8s/kube/org1/org1-ca.yaml deleted file mode 100644 index 01515226..00000000 --- a/test-network-k8s/kube/org1/org1-ca.yaml +++ /dev/null 
@@ -1,124 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: org1-ca-tls-cert -spec: - isCA: false - privateKey: - algorithm: ECDSA - size: 256 - dnsNames: - - localhost - - org1-ca - - org1-ca.${ORG1_NS}.svc.cluster.local - - org1-ca.${DOMAIN} - ipAddresses: - - 127.0.0.1 - secretName: org1-ca-tls-cert - issuerRef: - name: org1-tls-cert-issuer - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org1-ca -spec: - replicas: 1 - selector: - matchLabels: - app: org1-ca - template: - metadata: - labels: - app: org1-ca - spec: - containers: - - name: main - image: ${FABRIC_CONTAINER_REGISTRY}/fabric-ca:${FABRIC_CA_VERSION} - imagePullPolicy: IfNotPresent - env: - - name: FABRIC_CA_SERVER_CA_NAME - value: "org1-ca" - - name: FABRIC_CA_SERVER_DEBUG - value: "false" - - name: FABRIC_CA_SERVER_HOME - value: "/var/hyperledger/fabric-ca-server" - - name: FABRIC_CA_SERVER_TLS_CERTFILE - value: "/var/hyperledger/fabric/config/tls/tls.crt" - - name: FABRIC_CA_SERVER_TLS_KEYFILE - value: "/var/hyperledger/fabric/config/tls/tls.key" - - name: FABRIC_CA_CLIENT_HOME - value: "/var/hyperledger/fabric-ca-client" - ports: - - containerPort: 443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml - subPath: fabric-ca-server-config.yaml - - name: tls-cert-volume - mountPath: /var/hyperledger/fabric/config/tls - readOnly: true - readinessProbe: - tcpSocket: - port: 443 - initialDelaySeconds: 2 - periodSeconds: 5 - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org1 - - name: fabric-config - configMap: - name: org1-config - - name: tls-cert-volume - secret: - secretName: org1-ca-tls-cert ---- -apiVersion: v1 -kind: Service -metadata: - name: org1-ca -spec: - ports: - - name: https - port: 443 - protocol: TCP - 
selector: - app: org1-ca - ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - labels: - app: org1-ca - name: org1-ca -spec: - ingressClassName: nginx - rules: - - host: org1-ca.${DOMAIN} - http: - paths: - - backend: - service: - name: org1-ca - port: - name: https - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - org1-ca.${DOMAIN} - \ No newline at end of file diff --git a/test-network-k8s/kube/org1/org1-cc-template.yaml b/test-network-k8s/kube/org1/org1-cc-template.yaml deleted file mode 100644 index 05658f52..00000000 --- a/test-network-k8s/kube/org1/org1-cc-template.yaml +++ /dev/null @@ -1,46 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org1{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}} -spec: - replicas: 1 - selector: - matchLabels: - app: org1{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}} - template: - metadata: - labels: - app: org1{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}} - spec: - containers: - - name: main - image: {{CHAINCODE_IMAGE}} - imagePullPolicy: IfNotPresent - env: - - name: CHAINCODE_SERVER_ADDRESS - value: 0.0.0.0:9999 - - name: CHAINCODE_ID - value: {{CHAINCODE_ID}} - - name: CORE_CHAINCODE_ID_NAME - value: {{CHAINCODE_ID}} - ports: - - containerPort: 9999 - ---- -apiVersion: v1 -kind: Service -metadata: - name: org1{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}} -spec: - ports: - - name: chaincode - port: 9999 - protocol: TCP - selector: - app: org1{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}} \ No newline at end of file diff --git a/test-network-k8s/kube/org1/org1-install-k8s-builder.yaml b/test-network-k8s/kube/org1/org1-install-k8s-builder.yaml deleted file mode 100644 index d6bea41b..00000000 --- a/test-network-k8s/kube/org1/org1-install-k8s-builder.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: org1-install-k8s-builder -spec: - ttlSecondsAfterFinished: 600 - backoffLimit: 0 - completions: 1 - template: - metadata: - name: org1-install-k8s-builder - spec: - restartPolicy: "Never" - containers: - - name: main - image: ${K8S_CHAINCODE_BUILDER_IMAGE}:${K8S_CHAINCODE_BUILDER_VERSION} - imagePullPolicy: IfNotPresent - command: - - sh - - -c - - "mkdir -p /mnt/fabric-org1/fabric/external_builders && cp -rv /opt/hyperledger/k8s_builder /mnt/fabric-org1/fabric/external_builders/" - volumeMounts: - - name: fabric-org1-volume - mountPath: /mnt/fabric-org1 - volumes: - - name: fabric-org1-volume - persistentVolumeClaim: - claimName: fabric-org1 \ No newline at end of file diff --git a/test-network-k8s/kube/org1/org1-job-scrub-fabric-volumes.yaml b/test-network-k8s/kube/org1/org1-job-scrub-fabric-volumes.yaml deleted file mode 100644 index 43d66c4a..00000000 --- a/test-network-k8s/kube/org1/org1-job-scrub-fabric-volumes.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: job-scrub-fabric-volumes -spec: - backoffLimit: 0 - completions: 1 - template: - metadata: - name: job-scrub-fabric-volumes - spec: - restartPolicy: "Never" - containers: - - name: main - image: busybox:latest - command: - - sh - - -c - - "rm -rvf /mnt/fabric-*/*" - volumeMounts: - - name: fabric-org1-volume - mountPath: /mnt/fabric-org1 - volumes: - - name: fabric-org1-volume - persistentVolumeClaim: - claimName: fabric-org1 diff --git a/test-network-k8s/kube/org1/org1-peer1.yaml b/test-network-k8s/kube/org1/org1-peer1.yaml deleted file mode 100644 index d6393755..00000000 --- a/test-network-k8s/kube/org1/org1-peer1.yaml +++ /dev/null 
@@ -1,184 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: org1-peer1-tls-cert - namespace: ${ORG1_NS} -spec: - isCA: false - privateKey: - algorithm: ECDSA - size: 256 - dnsNames: - - localhost - - org1-peer1 - - org1-peer1.${ORG1_NS}.svc.cluster.local - - org1-peer1.${DOMAIN} - - org1-peer-gateway-svc - - org1-peer-gateway-svc.${DOMAIN} - ipAddresses: - - 127.0.0.1 - secretName: org1-peer1-tls-cert - issuerRef: - name: org1-tls-cert-issuer - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: org1-peer1-config -data: - FABRIC_CFG_PATH: /var/hyperledger/fabric/config - FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" - CORE_PEER_TLS_ENABLED: "true" - CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/config/tls/tls.crt - CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/config/tls/tls.key - CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/config/tls/ca.crt - CORE_PEER_ID: org1-peer1.org1.example.com - CORE_PEER_ADDRESS: org1-peer1:7051 - CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 - CORE_PEER_CHAINCODEADDRESS: org1-peer1:7052 - CORE_PEER_CHAINCODELISTENADDRESS: 0.0.0.0:7052 - # bootstrap peer is the other peer in the same org - CORE_PEER_GOSSIP_BOOTSTRAP: org1-peer2:7051 - CORE_PEER_GOSSIP_EXTERNALENDPOINT: org1-peer1.${ORG1_NS}.svc.cluster.local:7051 - CORE_PEER_LOCALMSPID: Org1MSP - CORE_PEER_MSPCONFIGPATH: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp - CORE_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443 - CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org1-peer1.org1.example.com - CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org1-peer1.org1.example.com/snapshots - CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG: "{\"peername\":\"org1peer1\"}" - FABRIC_K8S_BUILDER_OBJECT_NAME_PREFIX: org1-peer1-cc - 
CORE_LEDGER_STATE_STATEDATABASE: CouchDB - CORE_LEDGER_STATE_COUCHDBCONFIG_MAXRETRIESONSTARTUP: "20" - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS: localhost:5984 - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME: admin - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD: adminpw ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org1-peer1 -spec: - replicas: 1 - selector: - matchLabels: - app: org1-peer1 - template: - metadata: - labels: - app: org1-peer1 - org: org1 - spec: - containers: - - name: main - image: ${FABRIC_PEER_IMAGE} - imagePullPolicy: IfNotPresent - envFrom: - - configMapRef: - name: org1-peer1-config - ports: - - containerPort: 7051 - - containerPort: 7052 - - containerPort: 9443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric/config - - name: tls-cert-volume - mountPath: /var/hyperledger/fabric/config/tls - readOnly: true - - name: couchdb - image: couchdb:${COUCHDB_VERSION} - imagePullPolicy: IfNotPresent - env: - - name: "COUCHDB_USER" - value: "admin" - - name: "COUCHDB_PASSWORD" - value: "adminpw" - ports: - - containerPort: 5984 - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org1 - - name: fabric-config - configMap: - name: org1-config - - name: tls-cert-volume - secret: - secretName: org1-peer1-tls-cert ---- -apiVersion: v1 -kind: Service -metadata: - name: org1-peer1 -spec: - ports: - - name: grpc - port: 7051 - protocol: TCP - - name: chaincode - port: 7052 - protocol: TCP - - name: operations - port: 9443 - protocol: TCP - selector: - app: org1-peer1 ---- -apiVersion: v1 -kind: Service -metadata: - name: org1-peer-gateway-svc -spec: - ports: - - name: grpc - port: 7051 - protocol: TCP - selector: - org: org1 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - labels: - app: org1-peer1 
- name: org1-peer1 -spec: - ingressClassName: nginx - rules: - - host: org1-peer1.${DOMAIN} - http: - paths: - - backend: - service: - name: org1-peer1 - port: - name: grpc - path: / - pathType: ImplementationSpecific - - host: org1-peer-gateway-svc.${DOMAIN} - http: - paths: - - backend: - service: - name: org1-peer-gateway-svc - port: - name: grpc - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - org1-peer1.${DOMAIN} - - hosts: - - org1-peer-gateway-svc.${DOMAIN} diff --git a/test-network-k8s/kube/org1/org1-peer2.yaml b/test-network-k8s/kube/org1/org1-peer2.yaml deleted file mode 100644 index f0db8a83..00000000 --- a/test-network-k8s/kube/org1/org1-peer2.yaml +++ /dev/null 
@@ -1,161 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: org1-peer2-tls-cert - namespace: ${ORG1_NS} -spec: - isCA: false - privateKey: - algorithm: ECDSA - size: 256 - dnsNames: - - localhost - - org1-peer2 - - org1-peer-gateway-svc - - org1-peer2.${ORG1_NS}.svc.cluster.local - - org1-peer2.${DOMAIN} - - org1-peer2-gateway-svc.${DOMAIN} - ipAddresses: - - 127.0.0.1 - secretName: org1-peer2-tls-cert - issuerRef: - name: org1-tls-cert-issuer - - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: org1-peer2-config -data: - FABRIC_CFG_PATH: /var/hyperledger/fabric/config - FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" - CORE_PEER_TLS_ENABLED: "true" - CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/config/tls/tls.crt - CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/config/tls/tls.key - CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/config/tls/ca.crt - CORE_PEER_ID: org1-peer2.org1.example.com - CORE_PEER_ADDRESS: org1-peer2:7051 - CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 - CORE_PEER_CHAINCODEADDRESS: org1-peer2:7052 - CORE_PEER_CHAINCODELISTENADDRESS: 0.0.0.0:7052 - # bootstrap peer is the other peer in the same org - CORE_PEER_GOSSIP_BOOTSTRAP: org1-peer1:7051 - CORE_PEER_GOSSIP_EXTERNALENDPOINT: org1-peer2.${ORG1_NS}.svc.cluster.local:7051 - CORE_PEER_LOCALMSPID: Org1MSP - CORE_PEER_MSPCONFIGPATH: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/msp - CORE_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443 - CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org1-peer2.org1.example.com - CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org1-peer2.org1.example.com/snapshots - CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG: "{\"peername\":\"org1peer2\"}" - FABRIC_K8S_BUILDER_OBJECT_NAME_PREFIX: org1-peer2-cc - 
CORE_LEDGER_STATE_STATEDATABASE: CouchDB - CORE_LEDGER_STATE_COUCHDBCONFIG_MAXRETRIESONSTARTUP: "20" - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS: localhost:5984 - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME: admin - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD: adminpw ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org1-peer2 -spec: - replicas: 1 - selector: - matchLabels: - app: org1-peer2 - template: - metadata: - labels: - app: org1-peer2 - org: org1 - spec: - containers: - - name: main - image: ${FABRIC_PEER_IMAGE} - imagePullPolicy: IfNotPresent - envFrom: - - configMapRef: - name: org1-peer2-config - ports: - - containerPort: 7051 - - containerPort: 7052 - - containerPort: 9443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric/config - - name: tls-cert-volume - mountPath: /var/hyperledger/fabric/config/tls - readOnly: true - - name: couchdb - image: couchdb:${COUCHDB_VERSION} - imagePullPolicy: IfNotPresent - env: - - name: "COUCHDB_USER" - value: "admin" - - name: "COUCHDB_PASSWORD" - value: "adminpw" - ports: - - containerPort: 5984 - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org1 - - name: fabric-config - configMap: - name: org1-config - - name: tls-cert-volume - secret: - secretName: org1-peer2-tls-cert ---- -apiVersion: v1 -kind: Service -metadata: - name: org1-peer2 -spec: - ports: - - name: grpc - port: 7051 - protocol: TCP - - name: chaincode - port: 7052 - protocol: TCP - - name: operations - port: 9443 - protocol: TCP - selector: - app: org1-peer2 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - labels: - app: org1-peer2 - name: org1-peer2 -spec: - ingressClassName: nginx - rules: - - host: org1-peer2.${DOMAIN} - http: - paths: - - backend: - service: - name: org1-peer2 - port: - 
name: grpc - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - org1-peer2.${DOMAIN} diff --git a/test-network-k8s/kube/org1/org1-tls-cert-issuer.yaml b/test-network-k8s/kube/org1/org1-tls-cert-issuer.yaml deleted file mode 100644 index 863ec0df..00000000 --- a/test-network-k8s/kube/org1/org1-tls-cert-issuer.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: org1-tls-cert-issuer -spec: - isCA: true - privateKey: - algorithm: ECDSA - size: 256 - commonName: org1.example.com - secretName: org1-tls-cert-issuer-secret - issuerRef: - name: root-tls-cert-issuer - kind: Issuer - group: cert-manager.io - ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: org1-tls-cert-issuer -spec: - ca: - secretName: org1-tls-cert-issuer-secret - - diff --git a/test-network-k8s/kube/org2/org2-ca.yaml b/test-network-k8s/kube/org2/org2-ca.yaml deleted file mode 100644 index 53ce387a..00000000 --- a/test-network-k8s/kube/org2/org2-ca.yaml +++ /dev/null 
@@ -1,124 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: org2-ca-tls-cert -spec: - isCA: false - privateKey: - algorithm: ECDSA - size: 256 - dnsNames: - - localhost - - org2-ca - - org2-ca.${ORG2_NS}.svc.cluster.local - - org2-ca.${DOMAIN} - ipAddresses: - - 127.0.0.1 - secretName: org2-ca-tls-cert - issuerRef: - name: org2-tls-cert-issuer - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org2-ca -spec: - replicas: 1 - selector: - matchLabels: - app: org2-ca - template: - metadata: - labels: - app: org2-ca - spec: - containers: - - name: main - image: ${FABRIC_CONTAINER_REGISTRY}/fabric-ca:${FABRIC_CA_VERSION} - imagePullPolicy: IfNotPresent - env: - - name: FABRIC_CA_SERVER_CA_NAME - value: "org2-ca" - - name: FABRIC_CA_SERVER_DEBUG - value: "false" - - name: FABRIC_CA_SERVER_HOME - value: "/var/hyperledger/fabric-ca-server" - - name: FABRIC_CA_SERVER_TLS_CERTFILE - value: "/var/hyperledger/fabric/config/tls/tls.crt" - - name: FABRIC_CA_SERVER_TLS_KEYFILE - value: "/var/hyperledger/fabric/config/tls/tls.key" - - name: FABRIC_CA_CLIENT_HOME - value: "/var/hyperledger/fabric-ca-client" - ports: - - containerPort: 443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml - subPath: fabric-ca-server-config.yaml - - name: tls-cert-volume - mountPath: /var/hyperledger/fabric/config/tls - readOnly: true - readinessProbe: - tcpSocket: - port: 443 - initialDelaySeconds: 2 - periodSeconds: 5 - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org2 - - name: fabric-config - configMap: - name: org2-config - - name: tls-cert-volume - secret: - secretName: org2-ca-tls-cert ---- -apiVersion: v1 -kind: Service -metadata: - name: org2-ca -spec: - ports: - - name: https - port: 443 - protocol: TCP - 
selector: - app: org2-ca - ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - labels: - app: org2-ca - name: org2-ca -spec: - ingressClassName: nginx - rules: - - host: org2-ca.${DOMAIN} - http: - paths: - - backend: - service: - name: org2-ca - port: - name: https - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - org2-ca.${DOMAIN} - \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-cc-template.yaml b/test-network-k8s/kube/org2/org2-cc-template.yaml deleted file mode 100644 index 6faee80c..00000000 --- a/test-network-k8s/kube/org2/org2-cc-template.yaml +++ /dev/null @@ -1,46 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org2{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}} -spec: - replicas: 1 - selector: - matchLabels: - app: org2{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}} - template: - metadata: - labels: - app: org2{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}} - spec: - containers: - - name: main - image: {{CHAINCODE_IMAGE}} - imagePullPolicy: IfNotPresent - env: - - name: CHAINCODE_SERVER_ADDRESS - value: 0.0.0.0:9999 - - name: CHAINCODE_ID - value: {{CHAINCODE_ID}} - - name: CORE_CHAINCODE_ID_NAME - value: {{CHAINCODE_ID}} - ports: - - containerPort: 9999 - ---- -apiVersion: v1 -kind: Service -metadata: - name: org2{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}} -spec: - ports: - - name: chaincode - port: 9999 - protocol: TCP - selector: - app: org2{{PEER_NAME}}-ccaas-{{CHAINCODE_NAME}} \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-install-k8s-builder.yaml b/test-network-k8s/kube/org2/org2-install-k8s-builder.yaml deleted file mode 100644 index a32a44b8..00000000 --- a/test-network-k8s/kube/org2/org2-install-k8s-builder.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: org2-install-k8s-builder -spec: - ttlSecondsAfterFinished: 600 - backoffLimit: 0 - completions: 1 - template: - metadata: - name: org2-install-k8s-builder - spec: - restartPolicy: "Never" - containers: - - name: main - image: ${K8S_CHAINCODE_BUILDER_IMAGE}:${K8S_CHAINCODE_BUILDER_VERSION} - imagePullPolicy: IfNotPresent - command: - - sh - - -c - - "mkdir -p /mnt/fabric-org2/fabric/external_builders && cp -rv /opt/hyperledger/k8s_builder /mnt/fabric-org2/fabric/external_builders/" - volumeMounts: - - name: fabric-org2-volume - mountPath: /mnt/fabric-org2 - volumes: - - name: fabric-org2-volume - persistentVolumeClaim: - claimName: fabric-org2 \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-job-scrub-fabric-volumes.yaml b/test-network-k8s/kube/org2/org2-job-scrub-fabric-volumes.yaml deleted file mode 100644 index b56677f2..00000000 --- a/test-network-k8s/kube/org2/org2-job-scrub-fabric-volumes.yaml +++ /dev/null @@ -1,33 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: job-scrub-fabric-volumes -spec: - backoffLimit: 0 - completions: 1 - template: - metadata: - name: job-scrub-fabric-volumes - spec: - restartPolicy: "Never" - containers: - - name: main - image: busybox:latest - command: - - sh - - -c - - "rm -rvf /mnt/fabric-*/*" - volumeMounts: - - name: fabric-org2-volume - mountPath: /mnt/fabric-org2 - volumes: - - name: fabric-org2-volume - persistentVolumeClaim: - claimName: fabric-org2 - diff --git a/test-network-k8s/kube/org2/org2-peer1.yaml b/test-network-k8s/kube/org2/org2-peer1.yaml deleted file mode 100644 index 9ad208c2..00000000 --- a/test-network-k8s/kube/org2/org2-peer1.yaml +++ /dev/null 
@@ -1,184 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: org2-peer1-tls-cert - namespace: ${ORG2_NS} -spec: - isCA: false - privateKey: - algorithm: ECDSA - size: 256 - dnsNames: - - localhost - - org2-peer1 - - org2-peer1.${ORG2_NS}.svc.cluster.local - - org2-peer1.${DOMAIN} - - org2-peer-gateway-svc - - org2-peer-gateway-svc.${DOMAIN} - ipAddresses: - - 127.0.0.1 - secretName: org2-peer1-tls-cert - issuerRef: - name: org2-tls-cert-issuer - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: org2-peer1-config -data: - FABRIC_CFG_PATH: /var/hyperledger/fabric/config - FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" - CORE_PEER_TLS_ENABLED: "true" - CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/config/tls/tls.crt - CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/config/tls/tls.key - CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/config/tls/ca.crt - CORE_PEER_ID: org2-peer1.org2.example.com - CORE_PEER_ADDRESS: org2-peer1:7051 - CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 - CORE_PEER_CHAINCODEADDRESS: org2-peer1:7052 - CORE_PEER_CHAINCODELISTENADDRESS: 0.0.0.0:7052 - # bootstrap peer is the other peer in the same org - CORE_PEER_GOSSIP_BOOTSTRAP: org2-peer2:7051 - CORE_PEER_GOSSIP_EXTERNALENDPOINT: org2-peer1.${ORG2_NS}.svc.cluster.local:7051 - CORE_PEER_LOCALMSPID: Org2MSP - CORE_PEER_MSPCONFIGPATH: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp - CORE_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443 - CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org2-peer1.org2.example.com - CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org2-peer1.org2.example.com/snapshots - CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG: "{\"peername\":\"org2peer1\"}" - FABRIC_K8S_BUILDER_OBJECT_NAME_PREFIX: org2-peer1-cc - 
CORE_LEDGER_STATE_STATEDATABASE: CouchDB - CORE_LEDGER_STATE_COUCHDBCONFIG_MAXRETRIESONSTARTUP: "20" - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS: localhost:5984 - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME: admin - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD: adminpw ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org2-peer1 -spec: - replicas: 1 - selector: - matchLabels: - app: org2-peer1 - template: - metadata: - labels: - app: org2-peer1 - org: org2 - spec: - containers: - - name: main - image: ${FABRIC_PEER_IMAGE} - imagePullPolicy: IfNotPresent - envFrom: - - configMapRef: - name: org2-peer1-config - ports: - - containerPort: 7051 - - containerPort: 7052 - - containerPort: 9443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric/config - - name: tls-cert-volume - mountPath: /var/hyperledger/fabric/config/tls - readOnly: true - - name: couchdb - image: couchdb:${COUCHDB_VERSION} - imagePullPolicy: IfNotPresent - env: - - name: "COUCHDB_USER" - value: "admin" - - name: "COUCHDB_PASSWORD" - value: "adminpw" - ports: - - containerPort: 5984 - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org2 - - name: fabric-config - configMap: - name: org2-config - - name: tls-cert-volume - secret: - secretName: org2-peer1-tls-cert ---- -apiVersion: v1 -kind: Service -metadata: - name: org2-peer1 -spec: - ports: - - name: grpc - port: 7051 - protocol: TCP - - name: chaincode - port: 7052 - protocol: TCP - - name: operations - port: 9443 - protocol: TCP - selector: - app: org2-peer1 ---- -apiVersion: v1 -kind: Service -metadata: - name: org2-peer-gateway-svc -spec: - ports: - - name: grpc - port: 7051 - protocol: TCP - selector: - org: org2 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - labels: - app: org2-peer1 
- name: org2-peer1 -spec: - ingressClassName: nginx - rules: - - host: org2-peer1.${DOMAIN} - http: - paths: - - backend: - service: - name: org2-peer1 - port: - name: grpc - path: / - pathType: ImplementationSpecific - - host: org2-peer-gateway-svc.${DOMAIN} - http: - paths: - - backend: - service: - name: org2-peer-gateway-svc - port: - name: grpc - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - org2-peer1.${DOMAIN} - - hosts: - - org2-peer-gateway-svc.${DOMAIN} diff --git a/test-network-k8s/kube/org2/org2-peer2.yaml b/test-network-k8s/kube/org2/org2-peer2.yaml deleted file mode 100644 index 747d8d2e..00000000 --- a/test-network-k8s/kube/org2/org2-peer2.yaml +++ /dev/null 
@@ -1,159 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: org2-peer2-tls-cert - namespace: ${ORG2_NS} -spec: - isCA: false - privateKey: - algorithm: ECDSA - size: 256 - dnsNames: - - localhost - - org2-peer2 - - org2-peer-gateway-svc - - org2-peer2.${ORG2_NS}.svc.cluster.local - - org2-peer2.${DOMAIN} - ipAddresses: - - 127.0.0.1 - secretName: org2-peer2-tls-cert - issuerRef: - name: org2-tls-cert-issuer - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: org2-peer2-config -data: - FABRIC_CFG_PATH: /var/hyperledger/fabric/config - FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" - CORE_PEER_TLS_ENABLED: "true" - CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/config/tls/tls.crt - CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/config/tls/tls.key - CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/config/tls/ca.crt - CORE_PEER_ID: org2-peer2.org2.example.com - CORE_PEER_ADDRESS: org2-peer2:7051 - CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 - CORE_PEER_CHAINCODEADDRESS: org2-peer2:7052 - CORE_PEER_CHAINCODELISTENADDRESS: 0.0.0.0:7052 - # bootstrap peer is the other peer in the same org - CORE_PEER_GOSSIP_BOOTSTRAP: org2-peer1:7051 - CORE_PEER_GOSSIP_EXTERNALENDPOINT: org2-peer2.${ORG2_NS}.svc.cluster.local:7051 - CORE_PEER_LOCALMSPID: Org2MSP - CORE_PEER_MSPCONFIGPATH: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/msp - CORE_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443 - CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org2-peer2.org2.example.com - CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org2-peer2.org2.example.com/snapshots - CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG: "{\"peername\":\"org2peer2\"}" - FABRIC_K8S_BUILDER_OBJECT_NAME_PREFIX: org2-peer2-cc - CORE_LEDGER_STATE_STATEDATABASE: CouchDB - 
CORE_LEDGER_STATE_COUCHDBCONFIG_MAXRETRIESONSTARTUP: "20" - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS: localhost:5984 - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME: admin - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD: adminpw ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org2-peer2 -spec: - replicas: 1 - selector: - matchLabels: - app: org2-peer2 - template: - metadata: - labels: - app: org2-peer2 - org: org2 - spec: - containers: - - name: main - image: ${FABRIC_PEER_IMAGE} - imagePullPolicy: IfNotPresent - envFrom: - - configMapRef: - name: org2-peer2-config - ports: - - containerPort: 7051 - - containerPort: 7052 - - containerPort: 9443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric/config - - name: tls-cert-volume - mountPath: /var/hyperledger/fabric/config/tls - readOnly: true - - name: couchdb - image: couchdb:${COUCHDB_VERSION} - imagePullPolicy: IfNotPresent - env: - - name: "COUCHDB_USER" - value: "admin" - - name: "COUCHDB_PASSWORD" - value: "adminpw" - ports: - - containerPort: 5984 - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org2 - - name: fabric-config - configMap: - name: org2-config - - name: tls-cert-volume - secret: - secretName: org2-peer2-tls-cert ---- -apiVersion: v1 -kind: Service -metadata: - name: org2-peer2 -spec: - ports: - - name: grpc - port: 7051 - protocol: TCP - - name: chaincode - port: 7052 - protocol: TCP - - name: operations - port: 9443 - protocol: TCP - selector: - app: org2-peer2 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - labels: - app: org2-peer2 - name: org2-peer2 -spec: - ingressClassName: nginx - rules: - - host: org2-peer2.${DOMAIN} - http: - paths: - - backend: - service: - name: org2-peer2 - port: - name: grpc - path: / - pathType: 
ImplementationSpecific - tls: - - hosts: - - org2-peer2.${DOMAIN} \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-tls-cert-issuer.yaml b/test-network-k8s/kube/org2/org2-tls-cert-issuer.yaml deleted file mode 100644 index 86e45de1..00000000 --- a/test-network-k8s/kube/org2/org2-tls-cert-issuer.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: org2-tls-cert-issuer -spec: - isCA: true - privateKey: - algorithm: ECDSA - size: 256 - commonName: org2.example.com - secretName: org2-tls-cert-issuer-secret - issuerRef: - name: root-tls-cert-issuer - kind: Issuer - group: cert-manager.io - ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: org2-tls-cert-issuer -spec: - ca: - secretName: org2-tls-cert-issuer-secret - - diff --git a/test-network-k8s/kube/pvc-fabric-org0.yaml b/test-network-k8s/kube/pvc-fabric-org0.yaml deleted file mode 100644 index a2899e3f..00000000 --- a/test-network-k8s/kube/pvc-fabric-org0.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: fabric-org0 -spec: - accessModes: - - ReadWriteOnce - storageClassName: ${STORAGE_CLASS} - resources: - requests: - storage: 1Gi diff --git a/test-network-k8s/kube/pvc-fabric-org1.yaml b/test-network-k8s/kube/pvc-fabric-org1.yaml deleted file mode 100644 index 4f11d505..00000000 --- a/test-network-k8s/kube/pvc-fabric-org1.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: fabric-org1 -spec: - accessModes: - - ReadWriteOnce - storageClassName: ${STORAGE_CLASS} - resources: - requests: - storage: 1Gi 
diff --git a/test-network-k8s/kube/pvc-fabric-org2.yaml b/test-network-k8s/kube/pvc-fabric-org2.yaml deleted file mode 100644 index 25829e0b..00000000 --- a/test-network-k8s/kube/pvc-fabric-org2.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: fabric-org2 -spec: - accessModes: - - ReadWriteOnce - storageClassName: ${STORAGE_CLASS} - resources: - requests: - storage: 1Gi diff --git a/test-network-k8s/kube/root-tls-cert-issuer.yaml b/test-network-k8s/kube/root-tls-cert-issuer.yaml deleted file mode 100644 index 21f94775..00000000 --- a/test-network-k8s/kube/root-tls-cert-issuer.yaml +++ /dev/null @@ -1,12 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: root-tls-cert-issuer -spec: - selfSigned: {} diff --git a/test-network-k8s/network b/test-network-k8s/network deleted file mode 100755 index e43fc342..00000000 --- a/test-network-k8s/network +++ /dev/null 
@@ -1,171 +0,0 @@ -#!/bin/bash -# -# Copyright IBM Corp All Rights Reserved -# -# SPDX-License-Identifier: Apache-2.0 -# -set -o errexit - -# todo: better handling for input parameters. Argbash? -# todo: skip storage volume init if deploying to a remote / cloud cluster (ICP IKS ROKS etc...) -# todo: for logging, set up a stack and allow multi-line status output codes -# todo: user:pass auth for tls and ecert bootstrap admins. here and in the server-config.yaml -# todo: refactor chaincode install to support other chaincode routines -# todo: allow the user to specify the chaincode name (hardcoded as 'basic') both in install and invoke/query -# todo: track down a nasty bug whereby the CA service endpoints (kube services) will occasionally reject TCP connections after network down/up. This is patched by introducing a 10s sleep after the deployments are up... - -# todo: allow relative paths for input arguments. -cd "$(dirname "$0")" - -# Set an environment variable based on an optional override (TEST_NETWORK_${name}) -# from the calling shell. If the override is not available, assign the parameter -# to a default value. 
-function context() { - local name=$1 - local default_value=$2 - local override_name=TEST_NETWORK_${name} - - export ${name}="${!override_name:-${default_value}}" -} - -context FABRIC_VERSION 2.5 -context FABRIC_CA_VERSION 1.5 - -context CLUSTER_RUNTIME kind # or k3s for Rancher -context CONTAINER_CLI docker # or nerdctl for containerd -context CONTAINER_NAMESPACE "" # or "--namespace k8s.io" for containerd / nerdctl - -context FABRIC_CONTAINER_REGISTRY hyperledger -context FABRIC_PEER_IMAGE ${FABRIC_CONTAINER_REGISTRY}/fabric-peer:${FABRIC_VERSION} -context COUCHDB_VERSION 3.3.3 -context NETWORK_NAME test-network -context CLUSTER_NAME kind -context KUBE_NAMESPACE ${NETWORK_NAME} -context NS ${KUBE_NAMESPACE} -context ORG0_NS ${NS} -context ORG1_NS ${NS} -context ORG2_NS ${NS} -context DOMAIN localho.st -context CHANNEL_NAME mychannel -context ORDERER_TIMEOUT 10s # see https://github.com/hyperledger/fabric/issues/3372 -context TEMP_DIR ${PWD}/build -context CHAINCODE_BUILDER ccaas # see https://github.com/hyperledgendary/fabric-builder-k8s/blob/main/docs/TEST_NETWORK_K8S.md -context K8S_CHAINCODE_BUILDER_IMAGE ghcr.io/hyperledger-labs/fabric-builder-k8s/k8s-fabric-peer -context K8S_CHAINCODE_BUILDER_VERSION 0.14.0 # For Fabric v2.5+, 0.11.0 or later should be specified - -context LOG_FILE network.log -context DEBUG_FILE network-debug.log -context LOG_ERROR_LINES 2 -context LOCAL_REGISTRY_NAME kind-registry -context LOCAL_REGISTRY_INTERFACE 127.0.0.1 -context LOCAL_REGISTRY_PORT 5000 -context STAGE_DOCKER_IMAGES false -context NGINX_HTTP_PORT 80 -context NGINX_HTTPS_PORT 443 - -context RCAADMIN_USER rcaadmin -context RCAADMIN_PASS rcaadminpw - -function print_help() { - set +x - - log - log "--- Fabric Information" - log "Fabric Version \t\t: ${FABRIC_VERSION}" - log "Fabric CA Version \t: ${FABRIC_CA_VERSION}" - log "Container Registry \t: ${FABRIC_CONTAINER_REGISTRY}" - log "Network name \t\t: ${NETWORK_NAME}" - log "Ingress domain \t\t: ${DOMAIN}" - log "Channel 
name \t\t: ${CHANNEL_NAME}" - log - log "--- Cluster Information" - log "Cluster runtime \t: ${CLUSTER_RUNTIME}" - log "Cluster name \t\t: ${CLUSTER_NAME}" - log "Cluster namespace \t: ${NS}" - log "Fabric Registry \t: ${FABRIC_CONTAINER_REGISTRY}" - log "Local Registry \t\t: ${LOCAL_REGISTRY_NAME}" - log "Local Registry port \t: ${LOCAL_REGISTRY_PORT}" - log "nginx http port \t: ${NGINX_HTTP_PORT}" - log "nginx https port \t: ${NGINX_HTTPS_PORT}" - log - log "--- Script Information" - log "Log file \t\t: ${LOG_FILE}" - log "Debug log file \t\t: ${DEBUG_FILE}" - log - - echo todo: help output, parse mode, flags, env, etc. -} - -. scripts/utils.sh -. scripts/prereqs.sh -. scripts/kind.sh -. scripts/cluster.sh -. scripts/fabric_config.sh -. scripts/fabric_CAs.sh -. scripts/test_network.sh -. scripts/channel.sh -. scripts/chaincode.sh -. scripts/rest_sample.sh -. scripts/application_connection.sh - -# check for kind, kubectl, etc. -check_prereqs - -# Initialize the logging system - control output to 'network.log' and everything else to 'network-debug.log' -logging_init - -## Parse mode -if [[ $# -lt 1 ]] ; then - print_help - exit 0 -else - MODE=$1 - shift -fi - -if [ "${MODE}" == "kind" ]; then - log "Creating KIND cluster \"${CLUSTER_NAME}\":" - kind_init - log "🏁 - KIND cluster is ready" - -elif [ "${MODE}" == "unkind" ]; then - log "Deleting KIND cluster \"${CLUSTER_NAME}\":" - kind_unkind - log "🏁 - KIND Cluster is gone." - -elif [[ "${MODE}" == "cluster" || "${MODE}" == "k8s" || "${MODE}" == "kube" ]]; then - cluster_command_group $@ - -elif [ "${MODE}" == "up" ]; then - log "Launching network \"${NETWORK_NAME}\":" - network_up - log "🏁 - Network is ready." - -elif [ "${MODE}" == "down" ]; then - log "Shutting down test network \"${NETWORK_NAME}\":" - network_down - log "🏁 - Fabric network is down." 
- -elif [ "${MODE}" == "channel" ]; then - channel_command_group $@ - -elif [[ "${MODE}" == "chaincode" || "${MODE}" == "cc" ]]; then - chaincode_command_group $@ - -elif [ "${MODE}" == "anchor" ]; then - update_anchor_peers $@ - -elif [ "${MODE}" == "rest-easy" ]; then - log "Launching fabric-rest-sample application:" - launch_rest_sample - log "🏁 - Fabric REST sample is ready." - -elif [ "${MODE}" == "application" ]; then - log "Getting application connection information:" - application_connection - log "🏁 - Application connection information ready." - -else - print_help - exit 1 -fi diff --git a/test-network-k8s/scripts/application_connection.sh b/test-network-k8s/scripts/application_connection.sh deleted file mode 100755 index d91d7ccb..00000000 --- a/test-network-k8s/scripts/application_connection.sh +++ /dev/null 
@@ -1,124 +0,0 @@ -#!/bin/bash -# -# Copyright IBM Corp All Rights Reserved -# -# SPDX-License-Identifier: Apache-2.0 -# - -function app_one_line_pem { - echo "`awk 'NF {sub(/\\n/, ""); printf "%s\\\\\\\n",$0;}' $1`" -} - -function app_json_ccp { - local ORG=$1 - local PP=$(one_line_pem $2) - local CP=$(one_line_pem $3) - sed -e "s/\${ORG}/$ORG/" \ - -e "s#\${PEERPEM}#$PP#" \ - -e "s#\${CAPEM}#$CP#" \ - scripts/ccp-template.json -} - -function app_id { - local MSP=$1 - local CERT=$(one_line_pem $2) - local PK=$(one_line_pem $3) - - sed -e "s#\${CERTIFICATE}#$CERT#" \ - -e "s#\${PRIVATE_KEY}#$PK#" \ - -e "s#\${MSPID}#$MSP#" \ - scripts/appuser.id.template -} - -function construct_application_configmap() { - push_fn "Constructing application connection profiles" - - ENROLLMENT_DIR=${TEMP_DIR}/enrollments - CHANNEL_MSP_DIR=${TEMP_DIR}/channel-msp - - mkdir -p build/application/wallet - mkdir -p build/application/gateways - - local peer_pem=$CHANNEL_MSP_DIR/peerOrganizations/org1/msp/tlscacerts/tlsca-signcert.pem - local ca_pem=$CHANNEL_MSP_DIR/peerOrganizations/org1/msp/cacerts/ca-signcert.pem - - echo "$(json_ccp 1 $peer_pem $ca_pem)" > build/application/gateways/org1_ccp.json - - peer_pem=$CHANNEL_MSP_DIR/peerOrganizations/org2/msp/tlscacerts/tlsca-signcert.pem - ca_pem=$CHANNEL_MSP_DIR/peerOrganizations/org2/msp/cacerts/ca-signcert.pem - - echo "$(json_ccp 2 $peer_pem $ca_pem)" > build/application/gateways/org2_ccp.json - - pop_fn - - push_fn "Getting Application Identities" - - local cert=$ENROLLMENT_DIR/org1/users/org1admin/msp/signcerts/cert.pem - local pk=$ENROLLMENT_DIR/org1/users/org1admin/msp/keystore/key.pem - - echo "$(app_id Org1MSP $cert $pk)" > build/application/wallet/appuser_org1.id - - local cert=$ENROLLMENT_DIR/org2/users/org2admin/msp/signcerts/cert.pem - local pk=$ENROLLMENT_DIR/org2/users/org2admin/msp/keystore/key.pem - - echo "$(app_id Org2MSP $cert $pk)" > build/application/wallet/appuser_org2.id - - pop_fn - - push_fn "Creating ConfigMap 
\"app-fabric-tls-v1-map\" with TLS certificates for the application" - kubectl -n $NS delete configmap app-fabric-tls-v1-map || true - kubectl -n $NS create configmap app-fabric-tls-v1-map --from-file=$CHANNEL_MSP_DIR/peerOrganizations/org1/msp/tlscacerts - pop_fn - - push_fn "Creating ConfigMap \"app-fabric-ids-v1-map\" with identities for the application" - kubectl -n $NS delete configmap app-fabric-ids-v1-map || true - kubectl -n $NS create configmap app-fabric-ids-v1-map --from-file=./build/application/wallet - pop_fn - - push_fn "Creating ConfigMap \"app-fabric-ccp-v1-map\" with ConnectionProfile for the application" - kubectl -n $NS delete configmap app-fabric-ccp-v1-map || true - kubectl -n $NS create configmap app-fabric-ccp-v1-map --from-file=./build/application/gateways - pop_fn - - push_fn "Creating ConfigMap \"app-fabric-org1-v1-map\" with Organization 1 information for the application" - -cat < build/app-fabric-org1-v1-map.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: app-fabric-org1-v1-map -data: - fabric_channel: ${CHANNEL_NAME} - fabric_contract: ${CHAINCODE_NAME} - fabric_wallet_dir: /fabric/application/wallet - fabric_gateway_hostport: org1-peer-gateway-svc:7051 - fabric_gateway_sslHostOverride: org1-peer-gateway-svc - fabric_user: appuser_org1 - fabric_gateway_tlsCertPath: /fabric/tlscacerts/tlsca-signcert.pem -EOF - - kubectl -n $NS apply -f build/app-fabric-org1-v1-map.yaml - - # todo: could add the second org here - - pop_fn -} - - -function application_connection() { - - construct_application_configmap - -log - log "For k8s applications:" - log "Config Maps created for the application" - log "To deploy your application updated the image name and issue these commands" - log "" - log "kubectl -n $NS apply -f kube/application-deployment.yaml" - log "kubectl -n $NS rollout status deploy/application-deployment" - log - log "For non-k8s applications:" - log "ConnectionPrfiles are in ${PWD}/build/application/gateways" - log "Identities 
are in ${PWD}/build/application/wallets" - log -} \ No newline at end of file diff --git a/test-network-k8s/scripts/appuser.id.template b/test-network-k8s/scripts/appuser.id.template deleted file mode 100644 index 1c67576c..00000000 --- a/test-network-k8s/scripts/appuser.id.template +++ /dev/null @@ -1,9 +0,0 @@ -{ - "credentials": { - "certificate": "${CERTIFICATE}", - "privateKey": "${PRIVATE_KEY}" - }, - "mspId": "${MSPID}", - "type": "X.509", - "version": 1 -} \ No newline at end of file diff --git a/test-network-k8s/scripts/ccp-template.json b/test-network-k8s/scripts/ccp-template.json deleted file mode 100755 index b52b773a..00000000 --- a/test-network-k8s/scripts/ccp-template.json +++ /dev/null @@ -1,49 +0,0 @@ -{ - "name": "${NS}-org${ORG}", - "version": "1.0.0", - "client": { - "organization": "Org${ORG}", - "connection": { - "timeout": { - "peer": { - "endorser": "300" - } - } - } - }, - "organizations": { - "Org${ORG}": { - "mspid": "Org${ORG}MSP", - "peers": [ - "org${ORG}-peers" - ], - "certificateAuthorities": [ - "org${ORG}-ca" - ] - } - }, - "peers": { - "org${ORG}-peers": { - "url": "grpcs://org${ORG}-peer1.${NS}.svc.cluster.local:7051", - "tlsCACerts": { - "pem": "${PEERPEM}" - }, - "grpcOptions": { - "ssl-target-name-override": "org${ORG}-peer1.${NS}.svc.cluster.local", - "hostnameOverride": "org${ORG}-peer1.${NS}.svc.cluster.local" - } - } - }, - "certificateAuthorities": { - "org${ORG}-ca": { - "url": "https://org${ORG}-ca:443", - "caName": "org${ORG}-ca", - "tlsCACerts": { - "pem": ["${CAPEM}"] - }, - "httpOptions": { - "verify": false - } - } - } -} diff --git a/test-network-k8s/scripts/chaincode.sh b/test-network-k8s/scripts/chaincode.sh deleted file mode 100755 index 5a560f64..00000000 --- a/test-network-k8s/scripts/chaincode.sh +++ /dev/null 
@@ -1,399 +0,0 @@ -#!/bin/bash -# -# Copyright IBM Corp All Rights Reserved -# -# SPDX-License-Identifier: Apache-2.0 -# - -# chaincode "group" commands. Like "main" for chaincode sub-command group. -function chaincode_command_group() { - #set -x - - COMMAND=$1 - shift - - if [ "${COMMAND}" == "deploy" ]; then - log "Deploying chaincode" - deploy_chaincode $@ - log "🏁 - Chaincode is ready." - - elif [ "${COMMAND}" == "activate" ]; then - log "Activating chaincode" - activate_chaincode $@ - log "🏁 - Chaincode is ready." - - elif [ "${COMMAND}" == "package" ]; then - log "Packaging chaincode" - package_chaincode $@ - log "🏁 - Chaincode package is ready." - - elif [ "${COMMAND}" == "id" ]; then - set_chaincode_id $@ - log $CHAINCODE_ID - - elif [ "${COMMAND}" == "launch" ]; then - log "Launching chaincode services" - launch_chaincode $@ - log "🏁 - Chaincode services are ready" - - elif [ "${COMMAND}" == "install" ]; then - log "Installing chaincode for org1" - install_chaincode $@ - log "🏁 - Chaincode is installed" - - elif [ "${COMMAND}" == "approve" ]; then - log "Approving chaincode for org1" - approve_chaincode $@ - log "🏁 - Chaincode is approved" - - elif [ "${COMMAND}" == "commit" ]; then - log "Committing chaincode for org1" - commit_chaincode $@ - log "🏁 - Chaincode is committed" - - elif [ "${COMMAND}" == "invoke" ]; then - invoke_chaincode $@ 2>> ${LOG_FILE} - - elif [ "${COMMAND}" == "query" ]; then - query_chaincode $@ >> ${LOG_FILE} - - elif [ "${COMMAND}" == "metadata" ]; then - query_chaincode_metadata $@ >> ${LOG_FILE} - - else - print_help - exit 1 - fi -} - -# Convenience routine to "do everything" required to bring up a sample CC. 
-function deploy_chaincode() { - local cc_name=$1 - local cc_label=$1 - local cc_folder=$(absolute_path $2) - local temp_folder=$(mktemp -d) - local cc_package=${temp_folder}/${cc_name}.tgz - - prepare_chaincode_image ${cc_folder} ${cc_name} - package_chaincode ${cc_name} ${cc_label} ${cc_package} - - if [ "${CHAINCODE_BUILDER}" == "ccaas" ]; then - set_chaincode_id ${cc_package} - launch_chaincode ${cc_name} ${CHAINCODE_ID} ${CHAINCODE_IMAGE} - fi - - activate_chaincode ${cc_name} ${cc_package} -} - -# Prepare a chaincode image for use in a builder package. -# Sets the CHAINCODE_IMAGE environment variable -function prepare_chaincode_image() { - local cc_folder=$1 - local cc_name=$2 - - build_chaincode_image ${cc_folder} ${cc_name} - - if [ "${CLUSTER_RUNTIME}" == "k3s" ]; then - # For rancher / k3s runtimes, bypass the local container registry and load images directly from the image cache. - export CHAINCODE_IMAGE=${cc_name} - else - # For KIND and k8s-builder environments, publish the image to a local docker registry - export CHAINCODE_IMAGE=localhost:${LOCAL_REGISTRY_PORT}/${cc_name} - publish_chaincode_image ${cc_name} ${CHAINCODE_IMAGE} - fi -} - -function build_chaincode_image() { - local cc_folder=$1 - local cc_name=$2 - - push_fn "Building chaincode image ${cc_name}" - - $CONTAINER_CLI build ${CONTAINER_NAMESPACE} -t ${cc_name} ${cc_folder} - - pop_fn -} - -# tag a docker image with a new name and publish to a remote container registry -function publish_chaincode_image() { - local cc_name=$1 - local cc_url=$2 - push_fn "Publishing chaincode image ${cc_url}" - - ${CONTAINER_CLI} tag ${cc_name} ${cc_url} - ${CONTAINER_CLI} push ${cc_url} - - pop_fn -} - -# Convenience routine to "do everything other than package and launch" a sample CC. -# When debugging a chaincode server, the process must be launched prior to completing -# the chaincode lifecycle at the peer. 
This routine provides a route for packaging -# and installing the chaincode out of band, and a single target to complete the peer -# chaincode lifecycle. -function activate_chaincode() { - local cc_name=$1 - local cc_package=$2 - - set_chaincode_id ${cc_package} - - install_chaincode ${cc_package} - approve_chaincode ${cc_name} ${CHAINCODE_ID} - commit_chaincode ${cc_name} -} - -function query_chaincode() { - local cc_name=$1 - shift - - set -x - - export_peer_context org1 peer1 - - peer chaincode query \ - -n $cc_name \ - -C $CHANNEL_NAME \ - -c $@ \ - ${QUERY_EXTRA_ARGS} -} - -function query_chaincode_metadata() { - local cc_name=$1 - shift - - set -x - local args='{"Args":["org.hyperledger.fabric:GetMetadata"]}' - - log '' - log 'Org1-Peer1:' - export_peer_context org1 peer1 - peer chaincode query -n $cc_name -C $CHANNEL_NAME -c $args - - log '' - log 'Org1-Peer2:' - export_peer_context org1 peer2 - peer chaincode query -n $cc_name -C $CHANNEL_NAME -c $args -} - -function invoke_chaincode() { - local cc_name=$1 - shift - - export_peer_context org1 peer1 - - peer chaincode invoke \ - -n $cc_name \ - -C $CHANNEL_NAME \ - -c $@ \ - --orderer org0-orderer1.${DOMAIN}:${NGINX_HTTPS_PORT} \ - --connTimeout ${ORDERER_TIMEOUT} \ - --tls --cafile ${TEMP_DIR}/channel-msp/ordererOrganizations/org0/orderers/org0-orderer1/tls/signcerts/tls-cert.pem \ - ${INVOKE_EXTRA_ARGS} - - sleep 2 -} - -function package_chaincode() { - - if [ "${CHAINCODE_BUILDER}" == "k8s" ]; then - package_k8s_chaincode $@ - - elif [ "${CHAINCODE_BUILDER}" == "ccaas" ]; then - package_ccaas_chaincode $@ - - else - log "Unknown CHAINCODE_BUILDER ${CHAINCODE_BUILDER}" - exit 1 - fi -} - -# The k8s builder expects EXACTLY an IMMUTABLE image digest referencing a SPECIFIC image layer at a container registry. 
-function package_k8s_chaincode() { - local cc_name=$1 - local cc_label=$2 - local cc_archive=$3 - - local cc_folder=$(dirname $cc_archive) - local archive_name=$(basename $cc_archive) - - push_fn "Packaging k8s chaincode ${cc_archive}" - - mkdir -p ${cc_folder} - - # Find the docker image digest associated with the image at the container registry - local cc_digest=$(${CONTAINER_CLI} inspect --format='{{index .RepoDigests 0}}' ${CHAINCODE_IMAGE} | cut -d'@' -f2) - - cat << IMAGEJSON-EOF > ${cc_folder}/image.json -{ - "name": "${CHAINCODE_IMAGE}", - "digest": "${cc_digest}" -} -IMAGEJSON-EOF - - cat << METADATAJSON-EOF > ${cc_folder}/metadata.json -{ - "type": "k8s", - "label": "${cc_label}" -} -METADATAJSON-EOF - - tar -C ${cc_folder} -zcf ${cc_folder}/code.tar.gz image.json - tar -C ${cc_folder} -zcf ${cc_archive} code.tar.gz metadata.json - - rm ${cc_folder}/code.tar.gz - - pop_fn -} - -function package_ccaas_chaincode() { - local cc_name=$1 - local cc_label=$2 - local cc_archive=$3 - - local cc_folder=$(dirname $cc_archive) - local archive_name=$(basename $cc_archive) - - push_fn "Packaging ccaas chaincode ${cc_label}" - - mkdir -p ${cc_folder} - - # Allow the user to override the service URL for the endpoint. This allows, for instance, - # local debugging at the 'host.docker.internal' DNS alias. 
- local cc_default_address="{{.peername}}-ccaas-${cc_name}:9999" - local cc_address=${TEST_NETWORK_CHAINCODE_ADDRESS:-$cc_default_address} - - cat << EOF > ${cc_folder}/connection.json -{ - "address": "${cc_address}", - "dial_timeout": "10s", - "tls_required": false -} -EOF - - cat << EOF > ${cc_folder}/metadata.json -{ - "type": "ccaas", - "label": "${cc_label}" -} -EOF - - tar -C ${cc_folder} -zcf ${cc_folder}/code.tar.gz connection.json - tar -C ${cc_folder} -zcf ${cc_archive} code.tar.gz metadata.json - - rm ${cc_folder}/code.tar.gz - - pop_fn -} - -function launch_chaincode_service() { - local org=$1 - local peer=$2 - local cc_name=$3 - local cc_id=$4 - local cc_image=$5 - push_fn "Launching chaincode container \"${cc_image}\"" - - # The chaincode endpoint needs to have the generated chaincode ID available in the environment. - # This could be from a config map, a secret, or by directly editing the deployment spec. Here we'll keep - # things simple by using sed to substitute script variables into a yaml template. - cat kube/${org}/${org}-cc-template.yaml \ - | sed 's,{{CHAINCODE_NAME}},'${cc_name}',g' \ - | sed 's,{{CHAINCODE_ID}},'${cc_id}',g' \ - | sed 's,{{CHAINCODE_IMAGE}},'${cc_image}',g' \ - | sed 's,{{PEER_NAME}},'${peer}',g' \ - | exec kubectl -n $ORG1_NS apply -f - - - kubectl -n $ORG1_NS rollout status deploy/${org}${peer}-ccaas-${cc_name} - - pop_fn -} - -function launch_chaincode() { - local org=org1 - local cc_name=$1 - local cc_id=$2 - local cc_image=$3 - - launch_chaincode_service ${org} peer1 ${cc_name} ${cc_id} ${cc_image} - launch_chaincode_service ${org} peer2 ${cc_name} ${cc_id} ${cc_image} -} - -function install_chaincode_for() { - local org=$1 - local peer=$2 - local cc_package=$3 - push_fn "Installing chaincode for org ${org} peer ${peer}" - - export_peer_context $org $peer - - peer lifecycle chaincode install $cc_package ${INSTALL_EXTRA_ARGS} - - pop_fn -} - -# Package and install the chaincode, but do not activate. 
-function install_chaincode() { - local org=org1 - local cc_package=$1 - - install_chaincode_for ${org} peer1 ${cc_package} - install_chaincode_for ${org} peer2 ${cc_package} -} - -# approve the chaincode package for an org and assign a name -function approve_chaincode() { - local org=org1 - local peer=peer1 - local cc_name=$1 - local cc_id=$2 - push_fn "Approving chaincode ${cc_name} with ID ${cc_id}" - - export_peer_context $org $peer - - peer lifecycle \ - chaincode approveformyorg \ - --channelID ${CHANNEL_NAME} \ - --name ${cc_name} \ - --version 1 \ - --package-id ${cc_id} \ - --sequence 1 \ - --orderer org0-orderer1.${DOMAIN}:${NGINX_HTTPS_PORT} \ - --connTimeout ${ORDERER_TIMEOUT} \ - --tls --cafile ${TEMP_DIR}/channel-msp/ordererOrganizations/org0/orderers/org0-orderer1/tls/signcerts/tls-cert.pem \ - ${APPROVE_EXTRA_ARGS} - - pop_fn -} - -# commit the named chaincode for an org -function commit_chaincode() { - local org=org1 - local peer=peer1 - local cc_name=$1 - push_fn "Committing chaincode ${cc_name}" - - export_peer_context $org $peer - - peer lifecycle \ - chaincode commit \ - --channelID ${CHANNEL_NAME} \ - --name ${cc_name} \ - --version 1 \ - --sequence 1 \ - --orderer org0-orderer1.${DOMAIN}:${NGINX_HTTPS_PORT} \ - --connTimeout ${ORDERER_TIMEOUT} \ - --tls --cafile ${TEMP_DIR}/channel-msp/ordererOrganizations/org0/orderers/org0-orderer1/tls/signcerts/tls-cert.pem \ - ${COMMIT_EXTRA_ARGS} - - pop_fn -} - -function set_chaincode_id() { - local cc_package=$1 - - cc_sha256=$(shasum -a 256 ${cc_package} | tr -s ' ' | cut -d ' ' -f 1) - cc_label=$(tar zxfO ${cc_package} metadata.json | jq -r '.label') - - CHAINCODE_ID=${cc_label}:${cc_sha256} -} - diff --git a/test-network-k8s/scripts/channel.sh b/test-network-k8s/scripts/channel.sh deleted file mode 100644 index b0e76ffc..00000000 --- a/test-network-k8s/scripts/channel.sh +++ /dev/null 
@@ -1,276 +0,0 @@ -#!/bin/bash -# -# Copyright IBM Corp All Rights Reserved -# -# SPDX-License-Identifier: Apache-2.0 -# - -function channel_command_group() { - # set -x - - COMMAND=$1 - shift - - if [ "${COMMAND}" == "create" ]; then - log "Creating channel \"${CHANNEL_NAME}\":" - channel_up - log "🏁 - Channel is ready." - - else - print_help - exit 1 - fi -} - -function channel_up() { - - register_org_admins - enroll_org_admins - - create_channel_MSP - create_genesis_block - - join_channel_orderers - join_channel_peers -} - -function register_org_admins() { - push_fn "Registering org Admin users" - - register_org_admin org0 org0admin org0adminpw - register_org_admin org1 org1admin org1adminpw - register_org_admin org2 org2admin org2adminpw - - pop_fn -} - -# Register the org admin user -function register_org_admin() { - local type=admin - local org=$1 - local id_name=$2 - local id_secret=$3 - local ca_name=${org}-ca - - echo "Registering org admin $username" - - fabric-ca-client register \ - --id.name ${id_name} \ - --id.secret ${id_secret} \ - --id.type ${type} \ - --url https://${ca_name}.${DOMAIN}:${NGINX_HTTPS_PORT} \ - --tls.certfiles $TEMP_DIR/cas/${ca_name}/tlsca-cert.pem \ - --mspdir $TEMP_DIR/enrollments/${org}/users/${RCAADMIN_USER}/msp \ - --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -} - -function enroll_org_admins() { - push_fn "Enrolling org Admin users" - - enroll_org_admin orderer org0 org0admin org0adminpw - enroll_org_admin peer org1 org1admin org1adminpw - enroll_org_admin peer org2 org2admin org2adminpw - - pop_fn -} - -# Enroll the admin client to the local certificate storage folder. 
-function enroll_org_admin() { - local type=$1 - local org=$2 - local username=$3 - local password=$4 - - echo "Enrolling $type org admin $username" - - ENROLLMENTS_DIR=${TEMP_DIR}/enrollments - ORG_ADMIN_DIR=${ENROLLMENTS_DIR}/${org}/users/${username} - - # skip the enrollment if the admin certificate is available. - if [ -f "${ORG_ADMIN_DIR}/msp/keystore/key.pem" ]; then - echo "Found an existing admin enrollment at ${ORG_ADMIN_DIR}" - return - fi - - # Determine the CA information and TLS certificate - CA_NAME=${org}-ca - CA_DIR=${TEMP_DIR}/cas/${CA_NAME} - - CA_AUTH=${username}:${password} - CA_HOST=${CA_NAME}.${DOMAIN} - CA_PORT=${NGINX_HTTPS_PORT} - CA_URL=https://${CA_AUTH}@${CA_HOST}:${CA_PORT} - - # enroll the org admin - FABRIC_CA_CLIENT_HOME=${ORG_ADMIN_DIR} fabric-ca-client enroll \ - --url ${CA_URL} \ - --tls.certfiles ${CA_DIR}/tlsca-cert.pem - - # Construct an msp config.yaml - CA_CERT_NAME=${CA_NAME}-$(echo $DOMAIN | tr -s . -)-${CA_PORT}.pem - - create_msp_config_yaml ${CA_NAME} ${CA_CERT_NAME} ${ORG_ADMIN_DIR}/msp - - # private keys are hashed by name, but we only support one enrollment. - # test-network examples refer to this as "server.key", which is incorrect. - # This is the private key used to endorse transactions using the admin's - # public key. 
- mv ${ORG_ADMIN_DIR}/msp/keystore/*_sk ${ORG_ADMIN_DIR}/msp/keystore/key.pem -} - -# create an enrollment MSP config.yaml -function create_msp_config_yaml() { - local ca_name=$1 - local ca_cert_name=$2 - local msp_dir=$3 - echo "Creating msp config ${msp_dir}/config.yaml with cert ${ca_cert_name}" - - cat << EOF > ${msp_dir}/config.yaml -NodeOUs: - Enable: true - ClientOUIdentifier: - Certificate: cacerts/${ca_cert_name} - OrganizationalUnitIdentifier: client - PeerOUIdentifier: - Certificate: cacerts/${ca_cert_name} - OrganizationalUnitIdentifier: peer - AdminOUIdentifier: - Certificate: cacerts/${ca_cert_name} - OrganizationalUnitIdentifier: admin - OrdererOUIdentifier: - Certificate: cacerts/${ca_cert_name} - OrganizationalUnitIdentifier: orderer -EOF -} - -function create_channel_MSP() { - push_fn "Creating channel MSP" - - create_channel_org_MSP org0 orderer $ORG0_NS - create_channel_org_MSP org1 peer $ORG1_NS - create_channel_org_MSP org2 peer $ORG2_NS - - extract_orderer_tls_cert org0 orderer1 - extract_orderer_tls_cert org0 orderer2 - extract_orderer_tls_cert org0 orderer3 - - pop_fn -} - -function create_channel_org_MSP() { - local org=$1 - local type=$2 - local ns=$3 - local ca_name=${org}-ca - - ORG_MSP_DIR=${TEMP_DIR}/channel-msp/${type}Organizations/${org}/msp - mkdir -p ${ORG_MSP_DIR}/cacerts - mkdir -p ${ORG_MSP_DIR}/tlscacerts - - # extract the CA's signing authority from the CA/cainfo response - curl -s \ - --cacert ${TEMP_DIR}/cas/${ca_name}/tlsca-cert.pem \ - https://${ca_name}.${DOMAIN}:${NGINX_HTTPS_PORT}/cainfo \ - | jq -r .result.CAChain \ - | base64 -d \ - > ${ORG_MSP_DIR}/cacerts/ca-signcert.pem - - # extract the CA's TLS CA certificate from the cert-manager secret - kubectl -n $ns get secret ${ca_name}-tls-cert -o json \ - | jq -r .data.\"ca.crt\" \ - | base64 -d \ - > ${ORG_MSP_DIR}/tlscacerts/tlsca-signcert.pem - - # create an MSP config.yaml with the CA's signing certificate - create_msp_config_yaml ${ca_name} ca-signcert.pem 
${ORG_MSP_DIR} -} - -# Extract an orderer's TLS signing certificate for inclusion in the channel config block -function extract_orderer_tls_cert() { - local org=$1 - local orderer=$2 - local ns=$ORG0_NS - - echo "Extracting TLS cert for $org $orderer" - - ORDERER_TLS_DIR=${TEMP_DIR}/channel-msp/ordererOrganizations/${org}/orderers/${org}-${orderer}/tls - mkdir -p $ORDERER_TLS_DIR/signcerts - - kubectl -n $ns get secret ${org}-${orderer}-tls-cert -o json \ - | jq -r .data.\"tls.crt\" \ - | base64 -d \ - > ${ORDERER_TLS_DIR}/signcerts/tls-cert.pem -} - -function create_genesis_block() { - push_fn "Creating channel genesis block" - cat ${PWD}/config/org0/configtx-template.yaml | envsubst > ${TEMP_DIR}/configtx.yaml - FABRIC_CFG_PATH=${TEMP_DIR} \ - configtxgen \ - -profile TwoOrgsApplicationGenesis \ - -channelID $CHANNEL_NAME \ - -outputBlock ${TEMP_DIR}/genesis_block.pb - - # configtxgen -inspectBlock ${TEMP_DIR}/genesis_block.pb - - pop_fn -} - -function join_channel_orderers() { - push_fn "Joining orderers to channel ${CHANNEL_NAME}" - - join_channel_orderer org0 orderer1 - join_channel_orderer org0 orderer2 - join_channel_orderer org0 orderer3 - - # todo: readiness / liveiness equivalent for channel? Needs a little bit to settle before peers can join. - sleep 10 - - pop_fn -} - -# Request from the channel ADMIN api that the orderer joins the target channel -function join_channel_orderer() { - local org=$1 - local orderer=$2 - - # The client certificate presented in this case is the admin user's enrollment key. 
This is a stronger assertion - # of identity than the Docker Compose network, which transmits the orderer node's TLS key pair directly - osnadmin channel join \ - --orderer-address ${org}-${orderer}-admin.${DOMAIN}:${NGINX_HTTPS_PORT} \ - --ca-file ${TEMP_DIR}/channel-msp/ordererOrganizations/${org}/orderers/${org}-${orderer}/tls/signcerts/tls-cert.pem \ - --client-cert ${TEMP_DIR}/enrollments/${org}/users/${org}admin/msp/signcerts/cert.pem \ - --client-key ${TEMP_DIR}/enrollments/${org}/users/${org}admin/msp/keystore/key.pem \ - --channelID ${CHANNEL_NAME} \ - --config-block ${TEMP_DIR}/genesis_block.pb -} - -function join_channel_peers() { - join_org_peers org1 - join_org_peers org2 -} - -function join_org_peers() { - local org=$1 - push_fn "Joining ${org} peers to channel ${CHANNEL_NAME}" - - # Join peers to channel - join_channel_peer $org peer1 - join_channel_peer $org peer2 - - pop_fn -} - -function join_channel_peer() { - local org=$1 - local peer=$2 - - export_peer_context $org $peer - - peer channel join \ - --blockpath ${TEMP_DIR}/genesis_block.pb \ - --orderer org0-orderer1.${DOMAIN} \ - --connTimeout ${ORDERER_TIMEOUT} \ - --tls \ - --cafile ${TEMP_DIR}/channel-msp/ordererOrganizations/org0/orderers/org0-orderer1/tls/signcerts/tls-cert.pem -} diff --git a/test-network-k8s/scripts/cluster.sh b/test-network-k8s/scripts/cluster.sh deleted file mode 100644 index c93cee69..00000000 --- a/test-network-k8s/scripts/cluster.sh +++ /dev/null 
@@ -1,145 +0,0 @@ -#!/bin/bash -# -# Copyright IBM Corp All Rights Reserved -# -# SPDX-License-Identifier: Apache-2.0 -# - -# cluster "group" commands. Like "main" for the fabric-cli "cluster" sub-command -function cluster_command_group() { - - # Default COMMAND is 'init' if not specified - if [ "$#" -eq 0 ]; then - COMMAND="init" - - else - COMMAND=$1 - shift - fi - - if [ "${COMMAND}" == "init" ]; then - log "Initializing K8s cluster" - cluster_init - log "🏁 - Cluster is ready" - - elif [ "${COMMAND}" == "clean" ]; then - log "Cleaning k8s cluster" - cluster_clean - log "🏁 - Cluster is cleaned" - - elif [ "${COMMAND}" == "load-images" ]; then - log "Loading Docker images" - load_images - log "🏁 - Images are loaded" - - else - print_help - exit 1 - fi -} - -function pull_docker_images() { - push_fn "Pulling docker images for Fabric ${FABRIC_VERSION}" - - $CONTAINER_CLI pull ${CONTAINER_NAMESPACE} ${FABRIC_CONTAINER_REGISTRY}/fabric-ca:$FABRIC_CA_VERSION - $CONTAINER_CLI pull ${CONTAINER_NAMESPACE} ${FABRIC_CONTAINER_REGISTRY}/fabric-orderer:$FABRIC_VERSION - $CONTAINER_CLI pull ${CONTAINER_NAMESPACE} ${FABRIC_PEER_IMAGE} - $CONTAINER_CLI pull ${CONTAINER_NAMESPACE} couchdb:$COUCHDB_VERSION - - $CONTAINER_CLI pull ${CONTAINER_NAMESPACE} ghcr.io/hyperledger/fabric-rest-sample:latest - $CONTAINER_CLI pull ${CONTAINER_NAMESPACE} redis:6.2.5 - - pop_fn -} - -function cluster_init() { - - apply_nginx_ingress - apply_cert_manager - - sleep 2 - - wait_for_cert_manager - wait_for_nginx_ingress - - if [ "${STAGE_DOCKER_IMAGES}" == true ]; then - pull_docker_images - kind_load_docker_images - fi -} - -function apply_nginx() { - apply_nginx_ingress - wait_for_nginx_ingress -} - -function apply_nginx_ingress() { - push_fn "Launching ${CLUSTER_RUNTIME} ingress controller" - - # 1.1.2 static ingress with modifications to enable ssl-passthrough - # k3s : 'cloud' - # kind : 'kind' - # kubectl apply -f 
https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/cloud/deploy.yaml - - kubectl apply -f kube/ingress-nginx-${CLUSTER_RUNTIME}.yaml - - pop_fn -} - -function delete_nginx_ingress() { - push_fn "Deleting ${CLUSTER_RUNTIME} ingress controller" - - cat kube/ingress-nginx-${CLUSTER_RUNTIME}.yaml | kubectl delete -f - - - pop_fn -} - -function wait_for_nginx_ingress() { - push_fn "Waiting for ingress controller" - - kubectl wait --namespace ingress-nginx \ - --for=condition=ready pod \ - --selector=app.kubernetes.io/component=controller \ - --timeout=2m - - pop_fn -} - -function apply_cert_manager() { - push_fn "Launching cert-manager" - - # Install cert-manager to manage TLS certificates - kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml - - pop_fn -} - -function delete_cert_manager() { - push_fn "Deleting cert-manager" - - # Install cert-manager to manage TLS certificates - curl https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml | kubectl delete -f - - - pop_fn -} - -function wait_for_cert_manager() { - push_fn "Waiting for cert-manager" - - kubectl -n cert-manager rollout status deploy/cert-manager - kubectl -n cert-manager rollout status deploy/cert-manager-cainjector - kubectl -n cert-manager rollout status deploy/cert-manager-webhook - - pop_fn -} - -function cluster_clean() { - delete_nginx_ingress - delete_cert_manager -} - -function load_images() { - if [ "${CLUSTER_RUNTIME}" == "kind" ]; then - kind_load_docker_images - fi -} \ No newline at end of file diff --git a/test-network-k8s/scripts/fabric_CAs.sh b/test-network-k8s/scripts/fabric_CAs.sh deleted file mode 100755 index 17b9979c..00000000 --- a/test-network-k8s/scripts/fabric_CAs.sh +++ /dev/null 
@@ -1,81 +0,0 @@ -#!/bin/bash -# -# Copyright IBM Corp All Rights Reserved -# -# SPDX-License-Identifier: Apache-2.0 -# - -function launch_ECert_CAs() { - push_fn "Launching Fabric CAs" - - apply_template kube/org0/org0-ca.yaml $ORG0_NS - apply_template kube/org1/org1-ca.yaml $ORG1_NS - apply_template kube/org2/org2-ca.yaml $ORG2_NS - - kubectl -n $ORG0_NS rollout status deploy/org0-ca - kubectl -n $ORG1_NS rollout status deploy/org1-ca - kubectl -n $ORG2_NS rollout status deploy/org2-ca - - # todo: this papers over a nasty bug whereby the CAs are ready, but sporadically refuse connections after a down / up - sleep 5 - - pop_fn -} - -# experimental: create TLS CA issuers using cert-manager for each org. -function init_tls_cert_issuers() { - push_fn "Initializing TLS certificate Issuers" - - # Create a self-signing certificate issuer / root TLS certificate for the blockchain. - # TODO : Bring-Your-Own-Key - allow the network bootstrap to read an optional ECDSA key pair for the TLS trust root CA. - kubectl -n $ORG0_NS apply -f kube/root-tls-cert-issuer.yaml - kubectl -n $ORG0_NS wait --timeout=30s --for=condition=Ready issuer/root-tls-cert-issuer - kubectl -n $ORG1_NS apply -f kube/root-tls-cert-issuer.yaml - kubectl -n $ORG1_NS wait --timeout=30s --for=condition=Ready issuer/root-tls-cert-issuer - kubectl -n $ORG2_NS apply -f kube/root-tls-cert-issuer.yaml - kubectl -n $ORG2_NS wait --timeout=30s --for=condition=Ready issuer/root-tls-cert-issuer - - # Use the self-signing issuer to generate three Issuers, one for each org. 
- kubectl -n $ORG0_NS apply -f kube/org0/org0-tls-cert-issuer.yaml - kubectl -n $ORG1_NS apply -f kube/org1/org1-tls-cert-issuer.yaml - kubectl -n $ORG2_NS apply -f kube/org2/org2-tls-cert-issuer.yaml - - kubectl -n $ORG0_NS wait --timeout=30s --for=condition=Ready issuer/org0-tls-cert-issuer - kubectl -n $ORG1_NS wait --timeout=30s --for=condition=Ready issuer/org1-tls-cert-issuer - kubectl -n $ORG2_NS wait --timeout=30s --for=condition=Ready issuer/org2-tls-cert-issuer - - pop_fn -} - -function enroll_bootstrap_ECert_CA_user() { - local org=$1 - local ns=$2 - - # Determine the CA information and TLS certificate - CA_NAME=${org}-ca - CA_DIR=${TEMP_DIR}/cas/${CA_NAME} - mkdir -p ${CA_DIR} - - # Read the CA's TLS certificate from the cert-manager CA secret - echo "retrieving ${CA_NAME} TLS root cert" - kubectl -n $ns get secret ${CA_NAME}-tls-cert -o json \ - | jq -r .data.\"ca.crt\" \ - | base64 -d \ - > ${CA_DIR}/tlsca-cert.pem - - # Enroll the root CA user - fabric-ca-client enroll \ - --url https://${RCAADMIN_USER}:${RCAADMIN_PASS}@${CA_NAME}.${DOMAIN}:${NGINX_HTTPS_PORT} \ - --tls.certfiles $TEMP_DIR/cas/${CA_NAME}/tlsca-cert.pem \ - --mspdir $TEMP_DIR/enrollments/${org}/users/${RCAADMIN_USER}/msp -} - -function enroll_bootstrap_ECert_CA_users() { - push_fn "Enrolling bootstrap ECert CA users" - - enroll_bootstrap_ECert_CA_user org0 $ORG0_NS - enroll_bootstrap_ECert_CA_user org1 $ORG1_NS - enroll_bootstrap_ECert_CA_user org2 $ORG2_NS - - pop_fn -} \ No newline at end of file diff --git a/test-network-k8s/scripts/fabric_config.sh b/test-network-k8s/scripts/fabric_config.sh deleted file mode 100755 index d4c7eee2..00000000 --- a/test-network-k8s/scripts/fabric_config.sh +++ /dev/null 
@@ -1,82 +0,0 @@ -#!/bin/bash -# -# Copyright IBM Corp All Rights Reserved -# -# SPDX-License-Identifier: Apache-2.0 -# - -function init_namespace() { - local namespaces=$(echo "$ORG0_NS $ORG1_NS $ORG2_NS" | xargs -n1 | sort -u) - for ns in $namespaces; do - push_fn "Creating namespace \"$ns\"" - kubectl create namespace $ns || true - pop_fn - done -} - -function delete_namespace() { - local namespaces=$(echo "$ORG0_NS $ORG1_NS $ORG2_NS" | xargs -n1 | sort -u) - for ns in $namespaces; do - push_fn "Deleting namespace \"$ns\"" - kubectl delete namespace $ns || true - pop_fn - done -} - -function init_storage_volumes() { - push_fn "Provisioning volume storage" - - # Both KIND and k3s use the Rancher local-path provider. In KIND, this is installed - # as the 'standard' storage class, and in Rancher as the 'local-path' storage class. - if [ "${CLUSTER_RUNTIME}" == "kind" ]; then - export STORAGE_CLASS="standard" - - elif [ "${CLUSTER_RUNTIME}" == "k3s" ]; then - export STORAGE_CLASS="local-path" - - else - echo "Unknown CLUSTER_RUNTIME ${CLUSTER_RUNTIME}" - exit 1 - fi - - cat kube/pvc-fabric-org0.yaml | envsubst | kubectl -n $ORG0_NS create -f - || true - cat kube/pvc-fabric-org1.yaml | envsubst | kubectl -n $ORG1_NS create -f - || true - cat kube/pvc-fabric-org2.yaml | envsubst | kubectl -n $ORG2_NS create -f - || true - - pop_fn -} - -function load_org_config() { - push_fn "Creating fabric config maps" - - kubectl -n $ORG0_NS delete configmap org0-config || true - kubectl -n $ORG1_NS delete configmap org1-config || true - kubectl -n $ORG2_NS delete configmap org2-config || true - - kubectl -n $ORG0_NS create configmap org0-config --from-file=config/org0 - kubectl -n $ORG1_NS create configmap org1-config --from-file=config/org1 - kubectl -n $ORG2_NS create configmap org2-config --from-file=config/org2 - - pop_fn -} - -function apply_k8s_builder_roles() { - push_fn "Applying k8s chaincode builder roles" - - apply_template kube/fabric-builder-role.yaml $ORG1_NS - 
apply_template kube/fabric-builder-rolebinding.yaml $ORG1_NS - - pop_fn -} - -function apply_k8s_builders() { - push_fn "Installing k8s chaincode builders" - - apply_template kube/org1/org1-install-k8s-builder.yaml $ORG1_NS - apply_template kube/org2/org2-install-k8s-builder.yaml $ORG2_NS - - kubectl -n $ORG1_NS wait --for=condition=complete --timeout=60s job/org1-install-k8s-builder - kubectl -n $ORG2_NS wait --for=condition=complete --timeout=60s job/org2-install-k8s-builder - - pop_fn -} \ No newline at end of file diff --git a/test-network-k8s/scripts/kind.sh b/test-network-k8s/scripts/kind.sh deleted file mode 100755 index 880f5d7d..00000000 --- a/test-network-k8s/scripts/kind.sh +++ /dev/null 
@@ -1,142 +0,0 @@ -#!/bin/bash -# -# Copyright IBM Corp All Rights Reserved -# -# SPDX-License-Identifier: Apache-2.0 -# - -function kind_create() { - push_fn "Creating cluster \"${CLUSTER_NAME}\"" - - # prevent the next kind cluster from using the previous Fabric network's enrollments. - rm -rf $PWD/build - - # todo: always delete? Maybe return no-op if the cluster already exists? - kind delete cluster --name $CLUSTER_NAME - - local reg_name=${LOCAL_REGISTRY_NAME} - local reg_port=${LOCAL_REGISTRY_PORT} - local ingress_http_port=${NGINX_HTTP_PORT} - local ingress_https_port=${NGINX_HTTPS_PORT} - - # the 'ipvs'proxy mode permits better HA abilities - - cat </dev/null || true)" - if [ "${running}" != 'true' ]; then - docker run \ - --detach \ - --restart always \ - --name "${reg_name}" \ - --publish "${reg_interface}:${reg_port}:5000" \ - registry:2 - fi - - # connect the registry to the cluster network - # (the network may already be connected) - docker network connect "kind" "${reg_name}" || true - - # Document the local registry - # https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry - cat < /dev/null - if [[ $? -ne 0 ]]; then - echo "No '${CONTAINER_CLI}' binary available?" - exit 1 - fi - - if [ "${CLUSTER_RUNTIME}" == "kind" ]; then - kind version > /dev/null - if [[ $? -ne 0 ]]; then - echo "No 'kind' binary available? (https://kind.sigs.k8s.io/docs/user/quick-start/#installation)" - exit 1 - fi - fi - - kubectl > /dev/null - if [[ $? -ne 0 ]]; then - echo "No 'kubectl' binary available? (https://kubernetes.io/docs/tasks/tools/)" - exit 1 - fi - - jq --version > /dev/null - if [[ $? -ne 0 ]]; then - echo "No 'jq' binary available? (https://stedolan.github.io/jq/)" - exit 1 - fi - - echo | envsubst > /dev/null - if [[ $? -ne 0 ]]; then - echo "No 'envsubst' binary (gettext package) available? 
(https://www.gnu.org/software/gettext/)" - exit 1 - fi - - # Use the local fabric binaries if available. If not, go get them. - bin/peer version &> /dev/null - if [[ $? -ne 0 ]]; then - echo "Downloading LATEST Fabric binaries and config" - curl -sSL https://raw.githubusercontent.com/hyperledger/fabric/main/scripts/bootstrap.sh \ - | bash -s -- -s -d - - # remove sample config files extracted by the installation script - rm config/configtx.yaml - rm config/core.yaml - rm config/orderer.yaml - fi - - export PATH=bin:$PATH - - # Double-check that the binary transfer was OK - peer version > /dev/null - if [[ $? -ne 0 ]]; then - log "No 'peer' binary available?" - exit 1 - fi - - set -e -} \ No newline at end of file diff --git a/test-network-k8s/scripts/rest_sample.sh b/test-network-k8s/scripts/rest_sample.sh deleted file mode 100755 index 8da61efd..00000000 --- a/test-network-k8s/scripts/rest_sample.sh +++ /dev/null 
@@ -1,82 +0,0 @@ -#!/bin/bash -# -# Copyright IBM Corp All Rights Reserved -# -# SPDX-License-Identifier: Apache-2.0 -# - -# This magical awk script led to 30 hours of debugging a "TLS handshake error" -# moral: do not edit / alter the number of '\' in the following transform: -function one_line_pem { - echo "`awk 'NF {sub(/\\n/, ""); printf "%s\\\\\\\n",$0;}' $1`" -} - -function json_ccp { - local ORG=$1 - local PP=$(one_line_pem $2) - local CP=$(one_line_pem $3) - local NS=$4 - sed -e "s/\${ORG}/$ORG/" \ - -e "s#\${PEERPEM}#$PP#" \ - -e "s#\${CAPEM}#$CP#" \ - -e "s#\${NS}#$NS#" \ - scripts/ccp-template.json -} - -function construct_rest_sample_configmap() { - local ns=$ORG1_NS - push_fn "Constructing fabric-rest-sample connection profiles" - - ENROLLMENT_DIR=${TEMP_DIR}/enrollments - CHANNEL_MSP_DIR=${TEMP_DIR}/channel-msp - CONFIG_DIR=${TEMP_DIR}/fabric-rest-sample-config - - mkdir -p $CONFIG_DIR - - local peer_pem=$CHANNEL_MSP_DIR/peerOrganizations/org1/msp/tlscacerts/tlsca-signcert.pem - local ca_pem=$CHANNEL_MSP_DIR/peerOrganizations/org1/msp/cacerts/ca-signcert.pem - echo "$(json_ccp 1 $peer_pem $ca_pem $ORG1_NS)" > build/fabric-rest-sample-config/HLF_CONNECTION_PROFILE_ORG1 - - peer_pem=$CHANNEL_MSP_DIR/peerOrganizations/org2/msp/tlscacerts/tlsca-signcert.pem - ca_pem=$CHANNEL_MSP_DIR/peerOrganizations/org2/msp/cacerts/ca-signcert.pem - echo "$(json_ccp 2 $peer_pem $ca_pem $ORG2_NS)" > build/fabric-rest-sample-config/HLF_CONNECTION_PROFILE_ORG2 - - cp $ENROLLMENT_DIR/org1/users/org1admin/msp/signcerts/cert.pem $CONFIG_DIR/HLF_CERTIFICATE_ORG1 - cp $ENROLLMENT_DIR/org2/users/org2admin/msp/signcerts/cert.pem $CONFIG_DIR/HLF_CERTIFICATE_ORG2 - - cp $ENROLLMENT_DIR/org1/users/org1admin/msp/keystore/key.pem $CONFIG_DIR/HLF_PRIVATE_KEY_ORG1 - cp $ENROLLMENT_DIR/org2/users/org2admin/msp/keystore/key.pem $CONFIG_DIR/HLF_PRIVATE_KEY_ORG2 - - kubectl -n $ns delete configmap fabric-rest-sample-config || true - kubectl -n $ns create configmap fabric-rest-sample-config 
--from-file=$CONFIG_DIR - - pop_fn -} - -function rollout_rest_sample() { - local ns=$ORG1_NS - push_fn "Starting fabric-rest-sample" - - kubectl -n $ns apply -f kube/fabric-rest-sample.yaml - kubectl -n $ns rollout status deploy/fabric-rest-sample - - pop_fn -} - -function launch_rest_sample() { - local ns=$ORG1_NS - construct_rest_sample_configmap - - apply_template kube/fabric-rest-sample.yaml $ns - - kubectl -n $ns rollout status deploy/fabric-rest-sample - - log "" - log "The fabric-rest-sample has started." - log "See https://github.com/hyperledger/fabric-samples/tree/main/asset-transfer-basic/rest-api-typescript for additional usage details." - log "To access the endpoint:" - log "" - log "export SAMPLE_APIKEY=97834158-3224-4CE7-95F9-A148C886653E" - log 'curl -s --header "X-Api-Key: ${SAMPLE_APIKEY}" http://fabric-rest-sample.'${DOMAIN}'/api/assets' - log "" -} \ No newline at end of file diff --git a/test-network-k8s/scripts/set_anchor_peer.sh b/test-network-k8s/scripts/set_anchor_peer.sh deleted file mode 100755 index 3942aa16..00000000 --- a/test-network-k8s/scripts/set_anchor_peer.sh +++ /dev/null 
@@ -1,110 +0,0 @@ -#!/bin/bash -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# - -function fetch_channel_config() { - local output=$1 - - echo "Fetching the most recent configuration block for channel ${CHANNEL_NAME}" - peer channel \ - fetch config config_block.pb \ - -o org0-orderer1:6050 \ - -c ${CHANNEL_NAME} \ - --tls --cafile ${ORDERER_TLS_CA_FILE} - - echo "Decoding config block to JSON and isolating config to ${output}" - configtxlator proto_decode \ - --input config_block.pb \ - --type common.Block \ - | jq .data.data[0].payload.data.config > ${output} -} - -verify_result() { - if [ $1 -ne 0 ]; then - echo $2 - exit $1 - fi -} - -function create_config_update() { - local original=$1 - local modified=$2 - local output=$3 - - configtxlator proto_encode --input "${original}" --type common.Config --output original_config.pb - configtxlator proto_encode --input "${modified}" --type common.Config --output modified_config.pb - - # returns non-zero if no updates were detected between current and new config - configtxlator compute_update --channel_id "${CHANNEL_NAME}" --original original_config.pb --updated modified_config.pb --output config_update.pb - if [ $? -ne 0 ]; then - echo "Anchor peer has already been set to ${ANCHOR_PEER_HOST}:${ANCHOR_PEER_PORT} - no update required." - return 1 - fi - - configtxlator proto_decode --input config_update.pb --type common.ConfigUpdate --output config_update.json - echo '{"payload":{"header":{"channel_header":{"channel_id":"'${CHANNEL_NAME}'", "type":2}},"data":{"config_update":'$(cat config_update.json)'}}}' | jq . 
> config_update_in_envelope.json - configtxlator proto_encode --input config_update_in_envelope.json --type common.Envelope --output ${output} - - return 0 -} - -function create_anchor_peer_update() { - echo "Generating anchor peer update transaction for Org${ORG_NUM} on channel ${CHANNEL_NAME}" - fetch_channel_config config.json - - set -x - # Modify the configuration to append the anchor peer - jq '.channel_group.groups.Application.groups.'${CORE_PEER_LOCALMSPID}'.values += {"AnchorPeers":{"mod_policy": "Admins","value":{"anchor_peers": [{"host": "'${ANCHOR_PEER_HOST}'","port": '${ANCHOR_PEER_PORT}'}]},"version": "0"}}' config.json > modified_config.json - { set +x; } 2>/dev/null - - # Compute a config update, based on the differences between - # config.json and modified_config.json, write - # it as a transaction to anchors.tx - create_config_update config.json modified_config.json anchors.tx - return $? -} - -function update_anchor_peer() { - peer channel \ - update -f anchors.tx \ - -o org0-orderer1:6050 \ - -c ${CHANNEL_NAME} \ - --tls --cafile ${ORDERER_TLS_CA_FILE} >& log.txt - - res=$? - cat log.txt - - verify_result $res "Anchor peer update failed" - - echo "Anchor peer set for org ${ORG_NAME} on channel ${CHANNEL_NAME} to ${ANCHOR_PEER_HOST}:${ANCHOR_PEER_PORT}" -} - -function set_anchor_peer() { - echo "Updating org ${ORG_NUM} anchor peer for channel ${CHANNEL_NAME} to ${ANCHOR_PEER_HOST}:${ANCHOR_PEER_PORT}" - - create_anchor_peer_update - res=$? - - if [ $res -eq 0 ]; then - update_anchor_peer - fi -} - -set -x - -ORG_NUM=$1 -CHANNEL_NAME=$2 -PEER_NAME=$3 -ORG_NAME=org${ORG_NUM} -ANCHOR_PEER_HOST=${ORG_NAME}-${PEER_NAME} -ANCHOR_PEER_PORT=7051 -ORDERER_TLS_CA_FILE=/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem - -export CORE_PEER_LOCALMSPID=Org${ORG_NUM}MSP - -set_anchor_peer - -{ set +x; } 2>/dev/null 
diff --git a/test-network-k8s/scripts/test_network.sh b/test-network-k8s/scripts/test_network.sh deleted file mode 100755 index 2f5ea858..00000000 --- a/test-network-k8s/scripts/test_network.sh +++ /dev/null 
@@ -1,204 +0,0 @@ -#!/bin/bash -# -# Copyright IBM Corp All Rights Reserved -# -# SPDX-License-Identifier: Apache-2.0 -# - -function launch_orderers() { - push_fn "Launching orderers" - - apply_template kube/org0/org0-orderer1.yaml $ORG0_NS - apply_template kube/org0/org0-orderer2.yaml $ORG0_NS - apply_template kube/org0/org0-orderer3.yaml $ORG0_NS - - kubectl -n $ORG0_NS rollout status deploy/org0-orderer1 - kubectl -n $ORG0_NS rollout status deploy/org0-orderer2 - kubectl -n $ORG0_NS rollout status deploy/org0-orderer3 - - pop_fn -} - -function launch_peers() { - push_fn "Launching peers" - - apply_template kube/org1/org1-peer1.yaml $ORG1_NS - apply_template kube/org1/org1-peer2.yaml $ORG1_NS - apply_template kube/org2/org2-peer1.yaml $ORG2_NS - apply_template kube/org2/org2-peer2.yaml $ORG2_NS - - kubectl -n $ORG1_NS rollout status deploy/org1-peer1 - kubectl -n $ORG1_NS rollout status deploy/org1-peer2 - kubectl -n $ORG2_NS rollout status deploy/org2-peer1 - kubectl -n $ORG2_NS rollout status deploy/org2-peer2 - - pop_fn -} - -# Each network node needs a registration, enrollment, and MSP config.yaml -function create_node_local_MSP() { - local node_type=$1 - local org=$2 - local node=$3 - local csr_hosts=$4 - local ns=$5 - local id_name=${org}-${node} - local id_secret=${node_type}pw - local ca_name=${org}-ca - - # Register the node admin - rc=0 - fabric-ca-client register \ - --id.name ${id_name} \ - --id.secret ${id_secret} \ - --id.type ${node_type} \ - --url https://${ca_name}.${DOMAIN}:${NGINX_HTTPS_PORT} \ - --tls.certfiles $TEMP_DIR/cas/${ca_name}/tlsca-cert.pem \ - --mspdir $TEMP_DIR/enrollments/${org}/users/${RCAADMIN_USER}/msp \ - || rc=$? # trap error code from registration without exiting the network driver script" - - if [ $rc -eq 1 ]; then - echo "CA admin was (probably) previously registered - continuing" - fi - - # Enroll the node admin user from within k8s. 
This will leave the certificates available on a volume share in the - # cluster for access by the nodes when launching in a container. - cat < /var/hyperledger/fabric/organizations/${node_type}Organizations/${org}.example.com/${node_type}s/${id_name}.${org}.example.com/msp/config.yaml -EOF -} - -function create_orderer_local_MSP() { - local org=$1 - local orderer=$2 - local csr_hosts=${org}-${orderer} - - create_node_local_MSP orderer $org $orderer $csr_hosts $ORG0_NS -} - -function create_peer_local_MSP() { - local org=$1 - local peer=$2 - local ns=$3 - local csr_hosts=localhost,${org}-${peer},${org}-peer-gateway-svc - - create_node_local_MSP peer $org $peer $csr_hosts ${ns} -} - -function create_local_MSP() { - push_fn "Creating local node MSP" - - create_orderer_local_MSP org0 orderer1 - create_orderer_local_MSP org0 orderer2 - create_orderer_local_MSP org0 orderer3 - - create_peer_local_MSP org1 peer1 $ORG1_NS - create_peer_local_MSP org1 peer2 $ORG1_NS - - create_peer_local_MSP org2 peer1 $ORG2_NS - create_peer_local_MSP org2 peer2 $ORG2_NS - - pop_fn -} - -function network_up() { - - # Kube config - init_namespace - init_storage_volumes - load_org_config - - # Service account permissions for the k8s builder - if [ "${CHAINCODE_BUILDER}" == "k8s" ]; then - apply_k8s_builder_roles - apply_k8s_builders - fi - - # Network TLS CAs - init_tls_cert_issuers - - # Network ECert CAs - launch_ECert_CAs - enroll_bootstrap_ECert_CA_users - - # Test Network - create_local_MSP - - launch_orderers - launch_peers -} - -function stop_services() { - push_fn "Stopping Fabric services" - for ns in $ORG0_NS $ORG1_NS $ORG2_NS; do - kubectl -n $ns delete ingress --all - kubectl -n $ns delete deployment --all - kubectl -n $ns delete pod --all - kubectl -n $ns delete service --all - kubectl -n $ns delete configmap --all - kubectl -n $ns delete cert --all - kubectl -n $ns delete issuer --all - kubectl -n $ns delete secret --all - done - - pop_fn -} - -function scrub_org_volumes() { - 
push_fn "Scrubbing Fabric volumes" - for org in org0 org1 org2; do - # clean job to make this function can be rerun - local namespace_variable=${org^^}_NS - kubectl -n ${!namespace_variable} delete jobs --all - - # scrub all pv contents - kubectl -n ${!namespace_variable} create -f kube/${org}/${org}-job-scrub-fabric-volumes.yaml - kubectl -n ${!namespace_variable} wait --for=condition=complete --timeout=60s job/job-scrub-fabric-volumes - kubectl -n ${!namespace_variable} delete jobs --all - done - pop_fn -} - -function network_down() { - - set +e - for ns in $ORG0_NS $ORG1_NS $ORG2_NS; do - kubectl get namespace $ns > /dev/null - if [[ $? -ne 0 ]]; then - echo "No namespace $ns found - nothing to do." - return - fi - done - set -e - - stop_services - scrub_org_volumes - - delete_namespace - - rm -rf $PWD/build -} diff --git a/test-network-k8s/scripts/utils.sh b/test-network-k8s/scripts/utils.sh deleted file mode 100644 index 4f1615c3..00000000 --- a/test-network-k8s/scripts/utils.sh +++ /dev/null 
@@ -1,114 +0,0 @@ -#!/bin/bash -# -# Copyright IBM Corp All Rights Reserved -# -# SPDX-License-Identifier: Apache-2.0 -# - -function logging_init() { - # Reset the output and debug log files - printf '' > ${LOG_FILE} > ${DEBUG_FILE} - - # Write all output to the control flow log to STDOUT - tail -f ${LOG_FILE} & - - # Call the exit handler when we exit. - trap "exit_fn" EXIT - - # Send stdout and stderr from child programs to the debug log file - exec 1>>${DEBUG_FILE} 2>>${DEBUG_FILE} - - # There can be a race between the tail starting and the next log statement - sleep 0.5 -} - -function exit_fn() { - rc=$? - set +x - - # Write an error icon to the current logging statement. - if [ "0" -ne $rc ]; then - pop_fn $rc - fi - - # always remove the log trailer when the process exits. - pkill -P $$ -} - -function push_fn() { - #echo -ne " - entering ${FUNCNAME[1]} with arguments $@" - - echo -ne " - $@ ..." >> ${LOG_FILE} -} - -function log() { - echo -e $@ >> ${LOG_FILE} -} - -function pop_fn() { -# echo exiting ${FUNCNAME[1]} - - if [ $# -eq 0 ]; then - echo -ne "\rβœ…" >> ${LOG_FILE} - echo "" >> ${LOG_FILE} - return - fi - - local res=$1 - if [ $res -eq 0 ]; then - echo -ne "\rβœ…\n" >> ${LOG_FILE} - - elif [ $res -eq 1 ]; then - echo -ne "\r⚠️\n" >> ${LOG_FILE} - - elif [ $res -eq 2 ]; then - echo -ne "\r☠️\n" >> ${LOG_FILE} - - elif [ $res -eq 127 ]; then - echo -ne "\r☠️\n" >> ${LOG_FILE} - - else - echo -ne "\r\n" >> ${LOG_FILE} - fi - - if [ $res -ne 0 ]; then - tail -${LOG_ERROR_LINES} network-debug.log >> ${LOG_FILE} - fi - - #echo "" >> ${LOG_FILE} -} - -# Apply the current environment to a k8s template and apply to the cluster. -function apply_template() { - - echo "Applying template $1:" - cat $1 | envsubst - - cat $1 | envsubst | kubectl -n $2 apply -f - -} - -# Set the calling context to refer the peer binary to the correct org / peer instance -# -# todo: Expose the output of this function to a target that prints the context to STDOUT. 
-# -# e.g.: -# bash $ source $(network set-peer-context org1 peer2) -# bash $ peer chaincode list -# bash $ ... -function export_peer_context() { - local org=$1 - local peer=$2 - - export FABRIC_CFG_PATH=${PWD}/config/${org} - export CORE_PEER_ADDRESS=${org}-${peer}.${DOMAIN}:${NGINX_HTTPS_PORT} - export CORE_PEER_MSPCONFIGPATH=${TEMP_DIR}/enrollments/${org}/users/${org}admin/msp - export CORE_PEER_TLS_ROOTCERT_FILE=${TEMP_DIR}/channel-msp/peerOrganizations/${org}/msp/tlscacerts/tlsca-signcert.pem -} - -function absolute_path() { - local relative_path=$1 - - local abspath="$( cd "${relative_path}" && pwd )" - - echo $abspath -}
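Review bot: in the `scripts/fabric_ca.sh` deletion hunk, `enroll_bootstrap_ECert_CA_user` passes the CA admin password inline in the enroll URL (`--url https://${RCAADMIN_USER}:${RCAADMIN_PASS}@...`), so it is visible in the process list and in any `set -x` trace; if this bootstrap flow is being relocated rather than dropped, keep the password out of argv. The same goes for the `sleep 5` in `launch_ECert_CAs`, which the comment admits "papers over" CAs that report ready but refuse connections after a down/up: a retry around the first enroll, or a readiness check that actually exercises the TLS endpoint, would replace the fixed delay.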
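Review bot: in the `scripts/fabric_config.sh` hunk, `init_namespace` and `init_storage_volumes` append `|| true` to `kubectl create`, which hides every failure (RBAC denial, invalid manifest, unknown storage class), not only the AlreadyExists case the idempotency is meant for; if these functions are re-homed, distinguish AlreadyExists from other errors or use `kubectl apply` for the PVCs. Also, `apply_k8s_builder_roles` applies `fabric-builder-role.yaml` and `fabric-builder-rolebinding.yaml` only in `$ORG1_NS`, while `apply_k8s_builders` runs the install job in both `$ORG1_NS` and `$ORG2_NS`, so org2's builder appears to run without the role unless both variables resolve to the same namespace.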
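Review bot: in the `scripts/kind.sh` region, the heredoc bodies (the `cat <` for the kind cluster config and for the local-registry ConfigMap) and the file header for the `check_prereqs` code that follows it are missing from the rendered diff, so that part cannot be fully reviewed here. What is visible in the prerequisite check is `curl -sSL https://raw.githubusercontent.com/hyperledger/fabric/main/scripts/bootstrap.sh | bash -s -- -s -d`, which executes an unpinned script from the `main` branch and then prepends the downloaded `bin/` to `PATH`; if this bootstrap is kept anywhere else in the tree, pin the script to a release tag or commit and verify a checksum before executing it.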
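Review bot: in the `scripts/rest_sample.sh` hunk, `construct_rest_sample_configmap` copies the org admin private keys (`.../msp/keystore/key.pem` into `HLF_PRIVATE_KEY_ORG1` and `HLF_PRIVATE_KEY_ORG2`) into `$CONFIG_DIR` and then loads the whole directory into a ConfigMap with `--from-file=$CONFIG_DIR`; a ConfigMap is readable by anyone with `get configmap` in the namespace and is not treated as sensitive by the API server, so these keys belong in a Secret. Two smaller points: the connection profiles are written to the literal path `build/fabric-rest-sample-config/...` while everything else in the function uses `$CONFIG_DIR`, and `launch_rest_sample` logs a fixed `SAMPLE_APIKEY` as the credential for the endpoint, which is fine for a sample but should not be carried anywhere else.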
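Review bot: in the `scripts/set_anchor_peer.sh` hunk, `create_config_update` treats any non-zero exit from `configtxlator compute_update` as "Anchor peer has already been set ... no update required" and returns 1, so a genuine failure (bad channel id, malformed input, missing binary) is reported as a harmless no-op and `set_anchor_peer` silently skips the update; capture the tool's stderr and map only the no-differences case to the no-op message, failing on everything else. Minor style point: `verify_result` is the only function in the file defined without the `function` keyword.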
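Review bot: in the `scripts/test_network.sh` hunk, `create_node_local_MSP` captures the `fabric-ca-client register` exit code with `|| rc=$?` but only handles `rc -eq 1` ("previously registered"), so any other non-zero code falls through and the function proceeds to enrol a node whose registration never happened; fail when `rc` is neither 0 nor 1, or better, match the specific already-registered error. The node enrollment secrets are also fixed strings (`${node_type}pw`, i.e. `peerpw`/`ordererpw`), acceptable only because this is a throwaway test network. Separately, `network_down` does `return` as soon as any one of the three namespaces is missing, so a partially created network is never torn down and `$PWD/build` is never removed; it should skip the missing namespace and continue.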
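Review bot: in the `scripts/utils.sh` hunk, `apply_template` writes the fully substituted manifest (`cat $1 | envsubst`) to stdout, which `logging_init` has redirected into `${DEBUG_FILE}`, so every environment value that reaches a template is persisted in plaintext in the debug log; if a credential is ever templated this way (the CA admin values used in `fabric_ca.sh`, for example) it ends up on disk, so print only the template name in the debug path or redact before logging. Minor: `pop_fn` tails the hardcoded `network-debug.log` instead of `${DEBUG_FILE}`, so the error excerpt is lost if the debug file is configured elsewhere, and `exit_fn` relies on `pkill -P $$` to stop the `tail -f`, which also kills any other child still running at exit.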