diff --git a/test-network-k8s/.gitignore b/test-network-k8s/.gitignore new file mode 100644 index 00000000..b4afee58 --- /dev/null +++ b/test-network-k8s/.gitignore @@ -0,0 +1,5 @@ +.idea/ +network.log +network-debug.log +build/ +.env diff --git a/test-network-k8s/README.md b/test-network-k8s/README.md new file mode 100644 index 00000000..577c0394 --- /dev/null +++ b/test-network-k8s/README.md @@ -0,0 +1,78 @@ +# Kubernetes Test Network + +This project re-establishes the Hyperledger [test-network](../test-network) as a _cloud native_ application. + +### Objectives: + +- Provide a simple, _one click_ activity for running the Fabric test network. +- Provide a reference guide for deploying _production-style_ networks on Kubernetes. +- Provide a _cloud ready_ platform for developing chaincode, Gateway, and blockchain apps. +- Provide a Kube supplement to the Fabric [CA Operations and Deployment](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy.html) guides. +- Support a transition to [Chaincode as a Service](https://hyperledger-fabric.readthedocs.io/en/latest/cc_service.html). +- Support a transition from the Internal, Docker daemon to [External Chaincode](https://hyperledger-fabric.readthedocs.io/en/latest/cc_launcher.html) builders. +- Run on any Kube. + +_Fabric, Ahoy!_ + + +## Prerequisites + +- [Docker](https://www.docker.com) +- [kubectl](https://kubernetes.io/docs/tasks/tools/) +- [kind](https://kind.sigs.k8s.io/docs/user/quick-start/#installation) + + +## Quickstart + +Create a local Kubernetes cluster: +```shell +./network kind +``` + +Launch the network, create a channel, and deploy the [basic-asset-transfer](../asset-transfer-basic) smart contract: +```shell +./network up +./network channel create +./network chaincode deploy +``` + +Invoke and query chaincode: +```shell +./network chaincode invoke '{"Args":["CreateAsset","1","blue","35","tom","1000"]}' +./network chaincode query '{"Args":["ReadAsset","1"]}' +``` + +Access the blockchain with a [REST API](https://github.com/hyperledgendary/fabric-rest-sample/tree/main/asset-transfer-basic/rest-api-typescript#rest-api): +``` +./network rest-easy +``` + +Tear down the test network: +```shell +./network down +``` + +Tear down the cluster: +```shell +./network unkind +``` + + +## [Detailed Guides](docs/README.md) + +- [`./network`](docs/NETWORK.md) +- [Working with Kubernetes](docs/KUBERNETES.md) +- [Certificate Authorities](docs/CA.md) +- [Launching the Test Network](docs/TEST_NETWORK.md) +- [Working with Channels](docs/CHANNELS.md) +- [Working with Chaincode](docs/CHAINCODE.md) +- [Working with Applications](docs/APPLICATIONS.md) + + +## Areas for Improvement / TODOs + +- [ ] Test the recipe with OCP, AWS, gcp, Azure, etc. (These should ONLY differ w.r.t. pvc and ingress) +- [ ] Implement @celder mechanism for bootstrapping dual-headed CAs w/o poisoning the root CA on expiry. +- [ ] Address any of the 20+ todo: notes in network.sh +- [ ] Implement mutual TLS across peers, orderers, and clients. +- [ ] Caliper? diff --git a/test-network-k8s/chaincode/asset-transfer-basic-debug/connection.json b/test-network-k8s/chaincode/asset-transfer-basic-debug/connection.json new file mode 100644 index 00000000..030c8ee1 --- /dev/null +++ b/test-network-k8s/chaincode/asset-transfer-basic-debug/connection.json @@ -0,0 +1,5 @@ +{ + "address": "host.docker.internal:9999", + "dial_timeout": "10s", + "tls_required": false +} diff --git a/test-network-k8s/chaincode/asset-transfer-basic-debug/metadata.json b/test-network-k8s/chaincode/asset-transfer-basic-debug/metadata.json new file mode 100644 index 00000000..bb7056c0 --- /dev/null +++ b/test-network-k8s/chaincode/asset-transfer-basic-debug/metadata.json @@ -0,0 +1,4 @@ +{ + "type": "external", + "label": "basic_1.0" +} \ No newline at end of file diff --git a/test-network-k8s/chaincode/asset-transfer-basic/connection.json b/test-network-k8s/chaincode/asset-transfer-basic/connection.json new file mode 100644 index 00000000..598ba74f --- /dev/null +++ b/test-network-k8s/chaincode/asset-transfer-basic/connection.json @@ -0,0 +1,5 @@ +{ + "address": "org1-cc-asset-transfer-basic:9999", + "dial_timeout": "10s", + "tls_required": false +} \ No newline at end of file diff --git a/test-network-k8s/chaincode/asset-transfer-basic/metadata.json b/test-network-k8s/chaincode/asset-transfer-basic/metadata.json new file mode 100644 index 00000000..bb7056c0 --- /dev/null +++ b/test-network-k8s/chaincode/asset-transfer-basic/metadata.json @@ -0,0 +1,4 @@ +{ + "type": "external", + "label": "basic_1.0" +} \ No newline at end of file diff --git a/test-network-k8s/config/org0/configtx.yaml b/test-network-k8s/config/org0/configtx.yaml new file mode 100644 index 00000000..337c83c2 --- /dev/null +++ b/test-network-k8s/config/org0/configtx.yaml @@ -0,0 +1,415 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +--- +################################################################################ +# +# Section: Organizations +# +# - This section defines the different organizational identities which will +# be referenced later in the configuration. +# +################################################################################ +Organizations: + + # SampleOrg defines an MSP using the sampleconfig. It should never be used + # in production but may be used as a template for other definitions + - &OrdererOrg + # DefaultOrg defines the organization which is used in the sampleconfig + # of the fabric.git development environment + Name: OrdererOrg + + # ID to load the MSP definition as + ID: OrdererMSP + + # MSPDir is the filesystem path which contains the MSP configuration + MSPDir: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp + + # Policies defines the set of policies at this level of the config tree + # For organization policies, their canonical path is usually + # /Channel/// + Policies: + Readers: + Type: Signature + Rule: "OR('OrdererMSP.member')" + Writers: + Type: Signature + Rule: "OR('OrdererMSP.member')" + Admins: + Type: Signature + Rule: "OR('OrdererMSP.admin')" + + OrdererEndpoints: + - org0-orderer1:6050 + - org0-orderer2:6050 + - org0-orderer3:6050 + + - &Org1 + # DefaultOrg defines the organization which is used in the sampleconfig + # of the fabric.git development environment + Name: Org1MSP + + # ID to load the MSP definition as + ID: Org1MSP + + MSPDir: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/msp + + # Policies defines the set of policies at this level of the config tree + # For organization policies, their canonical path is usually + # /Channel/// + Policies: + Readers: + Type: Signature + Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')" + Writers: + Type: Signature + Rule: "OR('Org1MSP.admin', 'Org1MSP.client')" + Admins: + Type: Signature + Rule: "OR('Org1MSP.admin')" + Endorsement: + Type: Signature + Rule: "OR('Org1MSP.peer')" + + # leave this flag set to true. + AnchorPeers: + # AnchorPeers defines the location of peers which can be used + # for cross org gossip communication. Note, this value is only + # encoded in the genesis block in the Application section context + - Host: org1-peer1 + Port: 7051 + + - &Org2 + # DefaultOrg defines the organization which is used in the sampleconfig + # of the fabric.git development environment + Name: Org2MSP + + # ID to load the MSP definition as + ID: Org2MSP + + MSPDir: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/msp + + # Policies defines the set of policies at this level of the config tree + # For organization policies, their canonical path is usually + # /Channel/// + Policies: + Readers: + Type: Signature + Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')" + Writers: + Type: Signature + Rule: "OR('Org2MSP.admin', 'Org2MSP.client')" + Admins: + Type: Signature + Rule: "OR('Org2MSP.admin')" + Endorsement: + Type: Signature + Rule: "OR('Org2MSP.peer')" + + AnchorPeers: + # AnchorPeers defines the location of peers which can be used + # for cross org gossip communication. Note, this value is only + # encoded in the genesis block in the Application section context + - Host: org2-peer1 + Port: 7051 + +################################################################################ +# +# SECTION: Capabilities +# +# - This section defines the capabilities of fabric network. This is a new +# concept as of v1.1.0 and should not be utilized in mixed networks with +# v1.0.x peers and orderers. Capabilities define features which must be +# present in a fabric binary for that binary to safely participate in the +# fabric network. For instance, if a new MSP type is added, newer binaries +# might recognize and validate the signatures from this type, while older +# binaries without this support would be unable to validate those +# transactions. This could lead to different versions of the fabric binaries +# having different world states. Instead, defining a capability for a channel +# informs those binaries without this capability that they must cease +# processing transactions until they have been upgraded. For v1.0.x if any +# capabilities are defined (including a map with all capabilities turned off) +# then the v1.0.x peer will deliberately crash. +# +################################################################################ +Capabilities: + # Channel capabilities apply to both the orderers and the peers and must be + # supported by both. + # Set the value of the capability to true to require it. + Channel: &ChannelCapabilities + # V2_0 capability ensures that orderers and peers behave according + # to v2.0 channel capabilities. Orderers and peers from + # prior releases would behave in an incompatible way, and are therefore + # not able to participate in channels at v2.0 capability. + # Prior to enabling V2.0 channel capabilities, ensure that all + # orderers and peers on a channel are at v2.0.0 or later. + V2_0: true + + # Orderer capabilities apply only to the orderers, and may be safely + # used with prior release peers. + # Set the value of the capability to true to require it. + Orderer: &OrdererCapabilities + # V2_0 orderer capability ensures that orderers behave according + # to v2.0 orderer capabilities. Orderers from + # prior releases would behave in an incompatible way, and are therefore + # not able to participate in channels at v2.0 orderer capability. + # Prior to enabling V2.0 orderer capabilities, ensure that all + # orderers on channel are at v2.0.0 or later. + V2_0: true + + # Application capabilities apply only to the peer network, and may be safely + # used with prior release orderers. + # Set the value of the capability to true to require it. + Application: &ApplicationCapabilities + # V2_0 application capability ensures that peers behave according + # to v2.0 application capabilities. Peers from + # prior releases would behave in an incompatible way, and are therefore + # not able to participate in channels at v2.0 application capability. + # Prior to enabling V2.0 application capabilities, ensure that all + # peers on channel are at v2.0.0 or later. + V2_0: true + +################################################################################ +# +# SECTION: Application +# +# - This section defines the values to encode into a config transaction or +# genesis block for application related parameters +# +################################################################################ +Application: &ApplicationDefaults + + # Organizations is the list of orgs which are defined as participants on + # the application side of the network + Organizations: + + # Policies defines the set of policies at this level of the config tree + # For Application policies, their canonical path is + # /Channel/Application/ + Policies: + Readers: + Type: ImplicitMeta + Rule: "ANY Readers" + Writers: + Type: ImplicitMeta + Rule: "ANY Writers" + Admins: + Type: ImplicitMeta + Rule: "MAJORITY Admins" + LifecycleEndorsement: + Type: Signature + Rule: "OR('Org1MSP.peer','Org2MSP.peer')" + Endorsement: + Type: Signature + Rule: "OR('Org1MSP.peer','Org2MSP.peer')" + + Capabilities: + <<: *ApplicationCapabilities +################################################################################ +# +# SECTION: Orderer +# +# - This section defines the values to encode into a config transaction or +# genesis block for orderer related parameters +# +################################################################################ +Orderer: &OrdererDefaults + + # Orderer Type: The orderer implementation to start + OrdererType: etcdraft + + EtcdRaft: + Consenters: + - Host: org0-orderer1 + Port: 6050 + ClientTLSCert: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/signcerts/cert.pem + ServerTLSCert: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/signcerts/cert.pem + - Host: org0-orderer2 + Port: 6050 + ClientTLSCert: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/signcerts/cert.pem + ServerTLSCert: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/signcerts/cert.pem + - Host: org0-orderer3 + Port: 6050 + ClientTLSCert: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/signcerts/cert.pem + ServerTLSCert: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/signcerts/cert.pem + + + # Options to be specified for all the etcd/raft nodes. The values here + # are the defaults for all new channels and can be modified on a + # per-channel basis via configuration updates. + Options: + # TickInterval is the time interval between two Node.Tick invocations. + #TickInterval: 500ms default + TickInterval: 2500ms + + # ElectionTick is the number of Node.Tick invocations that must pass + # between elections. That is, if a follower does not receive any + # message from the leader of current term before ElectionTick has + # elapsed, it will become candidate and start an election. + # ElectionTick must be greater than HeartbeatTick. + # ElectionTick: 10 default + ElectionTick: 5 + + # HeartbeatTick is the number of Node.Tick invocations that must + # pass between heartbeats. That is, a leader sends heartbeat + # messages to maintain its leadership every HeartbeatTick ticks. + HeartbeatTick: 1 + + # MaxInflightBlocks limits the max number of in-flight append messages + # during optimistic replication phase. + MaxInflightBlocks: 5 + + # SnapshotIntervalSize defines number of bytes per which a snapshot is taken + SnapshotIntervalSize: 16 MB + + # Batch Timeout: The amount of time to wait before creating a batch + BatchTimeout: 2s + + # Batch Size: Controls the number of messages batched into a block + BatchSize: + + # Max Message Count: The maximum number of messages to permit in a batch + MaxMessageCount: 10 + + # Absolute Max Bytes: The absolute maximum number of bytes allowed for + # the serialized messages in a batch. + AbsoluteMaxBytes: 99 MB + + # Preferred Max Bytes: The preferred maximum number of bytes allowed for + # the serialized messages in a batch. A message larger than the preferred + # max bytes will result in a batch larger than preferred max bytes. + PreferredMaxBytes: 512 KB + + # Organizations is the list of orgs which are defined as participants on + # the orderer side of the network + Organizations: + + # Policies defines the set of policies at this level of the config tree + # For Orderer policies, their canonical path is + # /Channel/Orderer/ + Policies: + Readers: + Type: ImplicitMeta + Rule: "ANY Readers" + Writers: + Type: ImplicitMeta + Rule: "ANY Writers" + Admins: + Type: ImplicitMeta + Rule: "MAJORITY Admins" + # BlockValidation specifies what signatures must be included in the block + # from the orderer for the peer to validate it. + BlockValidation: + Type: ImplicitMeta + Rule: "ANY Writers" + +################################################################################ +# +# CHANNEL +# +# This section defines the values to encode into a config transaction or +# genesis block for channel related parameters. +# +################################################################################ +Channel: &ChannelDefaults + # Policies defines the set of policies at this level of the config tree + # For Channel policies, their canonical path is + # /Channel/ + Policies: + # Who may invoke the 'Deliver' API + Readers: + Type: ImplicitMeta + Rule: "ANY Readers" + # Who may invoke the 'Broadcast' API + Writers: + Type: ImplicitMeta + Rule: "ANY Writers" + # By default, who may modify elements at this config level + Admins: + Type: ImplicitMeta + Rule: "MAJORITY Admins" + + # Capabilities describes the channel level capabilities, see the + # dedicated Capabilities section elsewhere in this file for a full + # description + Capabilities: + <<: *ChannelCapabilities + +################################################################################ +# +# Profile +# +# - Different configuration profiles may be encoded here to be specified +# as parameters to the configtxgen tool +# +################################################################################ +Profiles: + + # test network profile with application (not system) channel. + TwoOrgsApplicationGenesis: + <<: *ChannelDefaults + Orderer: + <<: *OrdererDefaults + Organizations: + - *OrdererOrg + Capabilities: *OrdererCapabilities + Application: + <<: *ApplicationDefaults + Organizations: + - *Org1 + - *Org2 + Capabilities: *ApplicationCapabilities + + + # + # Unclear lineage for these profiles: nano-fab? + # + # TwoOrgsOrdererGenesis will construct a system channel as it has a Consortiums stanza, which is not + # compatible with osnadmin. + # + # @enyeart - which profile should be used for the kube test network? + # + TwoOrgsOrdererGenesis: + <<: *ChannelDefaults + Orderer: + <<: *OrdererDefaults + OrdererType: etcdraft + Organizations: + - *OrdererOrg + Capabilities: + <<: *OrdererCapabilities + Consortiums: + SampleConsortium: + Organizations: + - *Org1 + - *Org2 + TwoOrgsChannel: + Consortium: SampleConsortium + <<: *ChannelDefaults + Application: + <<: *ApplicationDefaults + Organizations: + - *Org1 + - *Org2 + Capabilities: + <<: *ApplicationCapabilities + Org1Channel: + Consortium: SampleConsortium + <<: *ChannelDefaults + Application: + <<: *ApplicationDefaults + Organizations: + - *Org1 + Capabilities: + <<: *ApplicationCapabilities + Org2Channel: + Consortium: SampleConsortium + <<: *ChannelDefaults + Application: + <<: *ApplicationDefaults + Organizations: + - *Org2 + Capabilities: + <<: *ApplicationCapabilities diff --git a/test-network-k8s/config/org0/fabric-ecert-ca-server-config.yaml b/test-network-k8s/config/org0/fabric-ecert-ca-server-config.yaml new file mode 100644 index 00000000..eff91c34 --- /dev/null +++ b/test-network-k8s/config/org0/fabric-ecert-ca-server-config.yaml @@ -0,0 +1,506 @@ +############################################################################# +# This is a configuration file for the fabric-ca-server command. +# +# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES +# ------------------------------------------------ +# Each configuration element can be overridden via command line +# arguments or environment variables. The precedence for determining +# the value of each element is as follows: +# 1) command line argument +# Examples: +# a) --port 443 +# To set the listening port +# b) --ca.keyfile ../mykey.pem +# To set the "keyfile" element in the "ca" section below; +# note the '.' separator character. +# 2) environment variable +# Examples: +# a) FABRIC_CA_SERVER_PORT=443 +# To set the listening port +# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" +# To set the "keyfile" element in the "ca" section below; +# note the '_' separator character. +# 3) configuration file +# 4) default value (if there is one) +# All default values are shown beside each element below. +# +# FILE NAME ELEMENTS +# ------------------ +# The value of all fields whose name ends with "file" or "files" are +# name or names of other files. +# For example, see "tls.certfile" and "tls.clientauth.certfiles". +# The value of each of these fields can be a simple filename, a +# relative path, or an absolute path. If the value is not an +# absolute path, it is interpretted as being relative to the location +# of this configuration file. +# +############################################################################# + +# Version of config file +version: 1.5.2 + +# Server's listening port (default: 7054) +port: 443 + +# Cross-Origin Resource Sharing (CORS) +cors: + enabled: false + origins: + - "*" + +# Enables debug logging (default: false) +debug: false + +# Size limit of an acceptable CRL in bytes (default: 512000) +crlsizelimit: 512000 + +############################################################################# +# TLS section for the server's listening port +# +# The following types are supported for client authentication: NoClientCert, +# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, +# and RequireAndVerifyClientCert. +# +# Certfiles is a list of root certificate authorities that the server uses +# when verifying client certificates. +############################################################################# +tls: + # Enable TLS (default: false) + enabled: true + # TLS for the server's listening port + certfile: + keyfile: + clientauth: + type: noclientcert + certfiles: + +############################################################################# +# The CA section contains information related to the Certificate Authority +# including the name of the CA, which should be unique for all members +# of a blockchain network. It also includes the key and certificate files +# used when issuing enrollment certificates (ECerts) and transaction +# certificates (TCerts). +# The chainfile (if it exists) contains the certificate chain which +# should be trusted for this CA, where the 1st in the chain is always the +# root CA certificate. +############################################################################# +ca: + # Name of this CA + name: org0-ecert-ca + # Key file (is only used to import a private key into BCCSP) + keyfile: + # Certificate file (default: ca-cert.pem) + certfile: + # Chain file + chainfile: + +############################################################################# +# The gencrl REST endpoint is used to generate a CRL that contains revoked +# certificates. This section contains configuration options that are used +# during gencrl request processing. +############################################################################# +crl: + # Specifies expiration for the generated CRL. The number of hours + # specified by this property is added to the UTC time, the resulting time + # is used to set the 'Next Update' date of the CRL. + expiry: 24h + +############################################################################# +# The registry section controls how the fabric-ca-server does two things: +# 1) authenticates enrollment requests which contain a username and password +# (also known as an enrollment ID and secret). +# 2) once authenticated, retrieves the identity's attribute names and +# values which the fabric-ca-server optionally puts into TCerts +# which it issues for transacting on the Hyperledger Fabric blockchain. +# These attributes are useful for making access control decisions in +# chaincode. +# There are two main configuration options: +# 1) The fabric-ca-server is the registry. +# This is true if "ldap.enabled" in the ldap section below is false. +# 2) An LDAP server is the registry, in which case the fabric-ca-server +# calls the LDAP server to perform these tasks. +# This is true if "ldap.enabled" in the ldap section below is true, +# which means this "registry" section is ignored. +############################################################################# +registry: + # Maximum number of times a password/secret can be reused for enrollment + # (default: -1, which means there is no limit) + maxenrollments: -1 + + # Contains identity information which is used when LDAP is disabled + identities: + - name: rcaadmin + pass: rcaadminpw + type: client + affiliation: "" + attrs: + hf.Registrar.Roles: "*" + hf.Registrar.DelegateRoles: "*" + hf.Revoker: true + hf.IntermediateCA: true + hf.GenCRL: true + hf.Registrar.Attributes: "*" + hf.AffiliationMgr: true + +############################################################################# +# Database section +# Supported types are: "sqlite3", "postgres", and "mysql". +# The datasource value depends on the type. +# If the type is "sqlite3", the datasource value is a file name to use +# as the database store. Since "sqlite3" is an embedded database, it +# may not be used if you want to run the fabric-ca-server in a cluster. +# To run the fabric-ca-server in a cluster, you must choose "postgres" +# or "mysql". +############################################################################# +db: + type: sqlite3 + datasource: fabric-ca-server.db + tls: + enabled: false + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# LDAP section +# If LDAP is enabled, the fabric-ca-server calls LDAP to: +# 1) authenticate enrollment ID and secret (i.e. username and password) +# for enrollment requests; +# 2) To retrieve identity attributes +############################################################################# +ldap: + # Enables or disables the LDAP client (default: false) + # If this is set to true, the "registry" section is ignored. + enabled: false + # The URL of the LDAP server + url: ldap://:@:/ + # TLS configuration for the client connection to the LDAP server + tls: + certfiles: + client: + certfile: + keyfile: + # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes + attribute: + # 'names' is an array of strings containing the LDAP attribute names which are + # requested from the LDAP server for an LDAP identity's entry + names: ['uid','member'] + # The 'converters' section is used to convert an LDAP entry to the value of + # a fabric CA attribute. + # For example, the following converts an LDAP 'uid' attribute + # whose value begins with 'revoker' to a fabric CA attribute + # named "hf.Revoker" with a value of "true" (because the boolean expression + # evaluates to true). + # converters: + # - name: hf.Revoker + # value: attr("uid") =~ "revoker*" + converters: + - name: + value: + # The 'maps' section contains named maps which may be referenced by the 'map' + # function in the 'converters' section to map LDAP responses to arbitrary values. + # For example, assume a user has an LDAP attribute named 'member' which has multiple + # values which are each a distinguished name (i.e. a DN). For simplicity, assume the + # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. + # Further assume the following configuration. + # converters: + # - name: hf.Registrar.Roles + # value: map(attr("member"),"groups") + # maps: + # groups: + # - name: dn1 + # value: peer + # - name: dn2 + # value: client + # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be + # "peer,client,dn3". This is because the value of 'attr("member")' is + # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of + # "group" replaces "dn1" with "peer" and "dn2" with "client". + maps: + groups: + - name: + value: + +############################################################################# +# Affiliations section. Fabric CA server can be bootstrapped with the +# affiliations specified in this section. Affiliations are specified as maps. +# For example: +# businessunit1: +# department1: +# - team1 +# businessunit2: +# - department2 +# - department3 +# +# Affiliations are hierarchical in nature. In the above example, +# department1 (used as businessunit1.department1) is the child of businessunit1. +# team1 (used as businessunit1.department1.team1) is the child of department1. +# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) +# are children of businessunit2. +# Note: Affiliations are case sensitive except for the non-leaf affiliations +# (like businessunit1, department1, businessunit2) that are specified in the configuration file, +# which are always stored in lower case. +############################################################################# +affiliations: + org1: + - department1 + - department2 + org2: + - department1 + +############################################################################# +# Signing section +# +# The "default" subsection is used to sign enrollment certificates; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +# +# The "ca" profile subsection is used to sign intermediate CA certificates; +# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. +# Note that "isca" is true, meaning that it issues a CA certificate. +# A maxpathlen of 0 means that the intermediate CA cannot issue other +# intermediate CA certificates, though it can still issue end entity certificates. +# (See RFC 5280, section 4.2.1.9) +# +# The "tls" profile subsection is used to sign TLS certificate requests; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +############################################################################# +signing: + default: + usage: + - digital signature + expiry: 8760h + profiles: + ca: + usage: + - cert sign + - crl sign + expiry: 43800h + caconstraint: + isca: true + maxpathlen: 0 + tls: + usage: + - signing + - key encipherment + - server auth + - client auth + - key agreement + expiry: 8760h + +########################################################################### +# Certificate Signing Request (CSR) section. +# This controls the creation of the root CA certificate. +# The expiration for the root CA certificate is configured with the +# "ca.expiry" field below, whose default value is "131400h" which is +# 15 years in hours. +# The pathlength field is used to limit CA certificate hierarchy as described +# in section 4.2.1.9 of RFC 5280. +# Examples: +# 1) No pathlength value means no limit is requested. +# 2) pathlength == 1 means a limit of 1 is requested which is the default for +# a root CA. This means the root CA can issue intermediate CA certificates, +# but these intermediate CAs may not in turn issue other CA certificates +# though they can still issue end entity certificates. +# 3) pathlength == 0 means a limit of 0 is requested; +# this is the default for an intermediate CA, which means it can not issue +# CA certificates though it can still issue end entity certificates. +########################################################################### +csr: + cn: fabric-ca-server + keyrequest: + algo: ecdsa + size: 256 + names: + - C: US + ST: "North Carolina" + L: + O: Hyperledger + OU: Fabric + hosts: + - localhost + - 127.0.0.1 + - org0-ecert-ca + - org0-ecert-ca.test-network.svc.cluster.local + ca: + expiry: 131400h + pathlength: 1 + +########################################################################### +# Each CA can issue both X509 enrollment certificate as well as Idemix +# Credential. This section specifies configuration for the issuer component +# that is responsible for issuing Idemix credentials. +########################################################################### +idemix: + # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an + # Idemix credential. The issuer will create a pool revocation handles of this specified size. When + # a credential is requested, issuer will get handle from the pool and assign it to the credential. + # Issuer will repopulate the pool with new handles when the last handle in the pool is used. + # A revocation handle and credential revocation information (CRI) are used to create non revocation proof + # by the prover to prove to the verifier that her credential is not revoked. + rhpoolsize: 1000 + + # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer + # and second step is send credential request that is constructed using the nonce to the isuser to + # request a credential. This configuration property specifies expiration for the nonces. By default is + # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration). + nonceexpiration: 15s + + # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes. + # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration) + noncesweepinterval: 15m + +############################################################################# +# BCCSP (BlockChain Crypto Service Provider) section is used to select which +# crypto library implementation to use +############################################################################# +bccsp: + default: SW + sw: + hash: SHA2 + security: 256 + filekeystore: + # The directory used for the software file-based keystore + keystore: msp/keystore + +############################################################################# +# Multi CA section +# +# Each Fabric CA server contains one CA by default. This section is used +# to configure multiple CAs in a single server. +# +# 1) --cacount +# Automatically generate non-default CAs. The names of these +# additional CAs are "ca1", "ca2", ... "caN", where "N" is +# This is particularly useful in a development environment to quickly set up +# multiple CAs. Note that, this config option is not applicable to intermediate CA server +# i.e., Fabric CA server that is started with intermediate.parentserver.url config +# option (-u command line option) +# +# 2) --cafiles +# For each CA config file in the list, generate a separate signing CA. Each CA +# config file in this list MAY contain all of the same elements as are found in +# the server config file except port, debug, and tls sections. +# +# Examples: +# fabric-ca-server start -b admin:adminpw --cacount 2 +# +# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml +# --cafiles ca/ca2/fabric-ca-server-config.yaml +# +############################################################################# + +cacount: + +cafiles: + +############################################################################# +# Intermediate CA section +# +# The relationship between servers and CAs is as follows: +# 1) A single server process may contain or function as one or more CAs. +# This is configured by the "Multi CA section" above. +# 2) Each CA is either a root CA or an intermediate CA. +# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. +# +# This section pertains to configuration of #2 and #3. +# If the "intermediate.parentserver.url" property is set, +# then this is an intermediate CA with the specified parent +# CA. +# +# parentserver section +# url - The URL of the parent server +# caname - Name of the CA to enroll within the server +# +# enrollment section used to enroll intermediate CA with parent CA +# profile - Name of the signing profile to use in issuing the certificate +# label - Label to use in HSM operations +# +# tls section for secure socket connection +# certfiles - PEM-encoded list of trusted root certificate files +# client: +# certfile - PEM-encoded certificate file for when client authentication +# is enabled on server +# keyfile - PEM-encoded key file for when client authentication +# is enabled on server +############################################################################# +intermediate: + parentserver: + url: + caname: + + enrollment: + hosts: + profile: + label: + + tls: + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# CA configuration section +# +# Configure the number of incorrect password attempts are allowed for +# identities. By default, the value of 'passwordattempts' is 10, which +# means that 10 incorrect password attempts can be made before an identity get +# locked out. +############################################################################# +cfg: + identities: + passwordattempts: 10 + +############################################################################### +# +# Operations section +# +############################################################################### +operations: + # host and port for the operations server + listenAddress: 127.0.0.1:9443 + + # TLS configuration for the operations endpoint + tls: + # TLS enabled + enabled: false + + # path to PEM encoded server certificate for the operations server + cert: + file: + + # path to PEM encoded server key for the operations server + key: + file: + + # require client certificate authentication to access all resources + clientAuthRequired: false + + # paths to PEM encoded ca certificates to trust for client authentication + clientRootCAs: + files: [] + +############################################################################### +# +# Metrics section +# +############################################################################### +metrics: + # statsd, prometheus, or disabled + provider: disabled + + # statsd configuration + statsd: + # network type: tcp or udp + network: udp + + # statsd server address + address: 127.0.0.1:8125 + + # the interval at which locally cached counters and gauges are pushsed + # to statsd; timings are pushed immediately + writeInterval: 10s + + # prefix is prepended to all emitted statsd merics + prefix: server diff --git a/test-network-k8s/config/org0/fabric-tls-ca-server-config.yaml b/test-network-k8s/config/org0/fabric-tls-ca-server-config.yaml new file mode 100644 index 00000000..b574e72b --- /dev/null +++ b/test-network-k8s/config/org0/fabric-tls-ca-server-config.yaml @@ -0,0 +1,496 @@ +############################################################################# +# This is a configuration file for the fabric-ca-server command. +# +# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES +# ------------------------------------------------ +# Each configuration element can be overridden via command line +# arguments or environment variables. The precedence for determining +# the value of each element is as follows: +# 1) command line argument +# Examples: +# a) --port 443 +# To set the listening port +# b) --ca.keyfile ../mykey.pem +# To set the "keyfile" element in the "ca" section below; +# note the '.' separator character. +# 2) environment variable +# Examples: +# a) FABRIC_CA_SERVER_PORT=443 +# To set the listening port +# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" +# To set the "keyfile" element in the "ca" section below; +# note the '_' separator character. +# 3) configuration file +# 4) default value (if there is one) +# All default values are shown beside each element below. +# +# FILE NAME ELEMENTS +# ------------------ +# The value of all fields whose name ends with "file" or "files" are +# name or names of other files. +# For example, see "tls.certfile" and "tls.clientauth.certfiles". +# The value of each of these fields can be a simple filename, a +# relative path, or an absolute path. If the value is not an +# absolute path, it is interpretted as being relative to the location +# of this configuration file. +# +############################################################################# + +# Version of config file +version: 1.5.2 + +# Server's listening port (default: 7054) +port: 443 + +# Cross-Origin Resource Sharing (CORS) +cors: + enabled: false + origins: + - "*" + +# Enables debug logging (default: false) +debug: false + +# Size limit of an acceptable CRL in bytes (default: 512000) +crlsizelimit: 512000 + +############################################################################# +# TLS section for the server's listening port +# +# The following types are supported for client authentication: NoClientCert, +# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, +# and RequireAndVerifyClientCert. +# +# Certfiles is a list of root certificate authorities that the server uses +# when verifying client certificates. +############################################################################# +tls: + # Enable TLS (default: false) + enabled: true + # TLS for the server's listening port + certfile: + keyfile: + clientauth: + type: noclientcert + certfiles: + +############################################################################# +# The CA section contains information related to the Certificate Authority +# including the name of the CA, which should be unique for all members +# of a blockchain network. It also includes the key and certificate files +# used when issuing enrollment certificates (ECerts) and transaction +# certificates (TCerts). +# The chainfile (if it exists) contains the certificate chain which +# should be trusted for this CA, where the 1st in the chain is always the +# root CA certificate. +############################################################################# +ca: + # Name of this CA + name: org0-tls-ca + # Key file (is only used to import a private key into BCCSP) + keyfile: + # Certificate file (default: ca-cert.pem) + certfile: + # Chain file + chainfile: + +############################################################################# +# The gencrl REST endpoint is used to generate a CRL that contains revoked +# certificates. This section contains configuration options that are used +# during gencrl request processing. +############################################################################# +crl: + # Specifies expiration for the generated CRL. The number of hours + # specified by this property is added to the UTC time, the resulting time + # is used to set the 'Next Update' date of the CRL. + expiry: 24h + +############################################################################# +# The registry section controls how the fabric-ca-server does two things: +# 1) authenticates enrollment requests which contain a username and password +# (also known as an enrollment ID and secret). +# 2) once authenticated, retrieves the identity's attribute names and +# values which the fabric-ca-server optionally puts into TCerts +# which it issues for transacting on the Hyperledger Fabric blockchain. +# These attributes are useful for making access control decisions in +# chaincode. +# There are two main configuration options: +# 1) The fabric-ca-server is the registry. +# This is true if "ldap.enabled" in the ldap section below is false. +# 2) An LDAP server is the registry, in which case the fabric-ca-server +# calls the LDAP server to perform these tasks. +# This is true if "ldap.enabled" in the ldap section below is true, +# which means this "registry" section is ignored. +############################################################################# +registry: + # Maximum number of times a password/secret can be reused for enrollment + # (default: -1, which means there is no limit) + maxenrollments: -1 + + # Contains identity information which is used when LDAP is disabled + identities: + - name: tlsadmin + pass: tlsadminpw + type: client + affiliation: "" + attrs: + hf.Registrar.Roles: "*" + hf.Registrar.DelegateRoles: "*" + hf.Revoker: true + hf.IntermediateCA: true + hf.GenCRL: true + hf.Registrar.Attributes: "*" + hf.AffiliationMgr: true + +############################################################################# +# Database section +# Supported types are: "sqlite3", "postgres", and "mysql". +# The datasource value depends on the type. +# If the type is "sqlite3", the datasource value is a file name to use +# as the database store. Since "sqlite3" is an embedded database, it +# may not be used if you want to run the fabric-ca-server in a cluster. +# To run the fabric-ca-server in a cluster, you must choose "postgres" +# or "mysql". +############################################################################# +db: + type: sqlite3 + datasource: fabric-ca-server.db + tls: + enabled: false + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# LDAP section +# If LDAP is enabled, the fabric-ca-server calls LDAP to: +# 1) authenticate enrollment ID and secret (i.e. username and password) +# for enrollment requests; +# 2) To retrieve identity attributes +############################################################################# +ldap: + # Enables or disables the LDAP client (default: false) + # If this is set to true, the "registry" section is ignored. + enabled: false + # The URL of the LDAP server + url: ldap://:@:/ + # TLS configuration for the client connection to the LDAP server + tls: + certfiles: + client: + certfile: + keyfile: + # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes + attribute: + # 'names' is an array of strings containing the LDAP attribute names which are + # requested from the LDAP server for an LDAP identity's entry + names: ['uid','member'] + # The 'converters' section is used to convert an LDAP entry to the value of + # a fabric CA attribute. + # For example, the following converts an LDAP 'uid' attribute + # whose value begins with 'revoker' to a fabric CA attribute + # named "hf.Revoker" with a value of "true" (because the boolean expression + # evaluates to true). + # converters: + # - name: hf.Revoker + # value: attr("uid") =~ "revoker*" + converters: + - name: + value: + # The 'maps' section contains named maps which may be referenced by the 'map' + # function in the 'converters' section to map LDAP responses to arbitrary values. + # For example, assume a user has an LDAP attribute named 'member' which has multiple + # values which are each a distinguished name (i.e. a DN). For simplicity, assume the + # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. + # Further assume the following configuration. + # converters: + # - name: hf.Registrar.Roles + # value: map(attr("member"),"groups") + # maps: + # groups: + # - name: dn1 + # value: peer + # - name: dn2 + # value: client + # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be + # "peer,client,dn3". This is because the value of 'attr("member")' is + # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of + # "group" replaces "dn1" with "peer" and "dn2" with "client". + maps: + groups: + - name: + value: + +############################################################################# +# Affiliations section. Fabric CA server can be bootstrapped with the +# affiliations specified in this section. Affiliations are specified as maps. +# For example: +# businessunit1: +# department1: +# - team1 +# businessunit2: +# - department2 +# - department3 +# +# Affiliations are hierarchical in nature. In the above example, +# department1 (used as businessunit1.department1) is the child of businessunit1. +# team1 (used as businessunit1.department1.team1) is the child of department1. +# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) +# are children of businessunit2. +# Note: Affiliations are case sensitive except for the non-leaf affiliations +# (like businessunit1, department1, businessunit2) that are specified in the configuration file, +# which are always stored in lower case. +############################################################################# +affiliations: + org1: + - department1 + - department2 + org2: + - department1 + +############################################################################# +# Signing section +# +# The "default" subsection is used to sign enrollment certificates; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +# +# The "ca" profile subsection is used to sign intermediate CA certificates; +# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. +# Note that "isca" is true, meaning that it issues a CA certificate. +# A maxpathlen of 0 means that the intermediate CA cannot issue other +# intermediate CA certificates, though it can still issue end entity certificates. +# (See RFC 5280, section 4.2.1.9) +# +# The "tls" profile subsection is used to sign TLS certificate requests; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +############################################################################# +signing: + default: + authremote: {} + caconstraint: {} + expiry: 8760h + usage: + - signing + - key encipherment + - server auth + - client auth + - key agreement + profiles: null + +########################################################################### +# Certificate Signing Request (CSR) section. +# This controls the creation of the root CA certificate. +# The expiration for the root CA certificate is configured with the +# "ca.expiry" field below, whose default value is "131400h" which is +# 15 years in hours. +# The pathlength field is used to limit CA certificate hierarchy as described +# in section 4.2.1.9 of RFC 5280. +# Examples: +# 1) No pathlength value means no limit is requested. +# 2) pathlength == 1 means a limit of 1 is requested which is the default for +# a root CA. This means the root CA can issue intermediate CA certificates, +# but these intermediate CAs may not in turn issue other CA certificates +# though they can still issue end entity certificates. +# 3) pathlength == 0 means a limit of 0 is requested; +# this is the default for an intermediate CA, which means it can not issue +# CA certificates though it can still issue end entity certificates. +########################################################################### +csr: + cn: fabric-ca-server + keyrequest: + algo: ecdsa + size: 256 + names: + - C: US + ST: "North Carolina" + L: + O: Hyperledger + OU: Fabric + hosts: + - localhost + - 127.0.0.1 + - org0-tls-ca + - org0-tls-ca.test-network.svc.cluster.local + ca: + expiry: 131400h + pathlength: 1 + +########################################################################### +# Each CA can issue both X509 enrollment certificate as well as Idemix +# Credential. This section specifies configuration for the issuer component +# that is responsible for issuing Idemix credentials. +########################################################################### +idemix: + # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an + # Idemix credential. The issuer will create a pool revocation handles of this specified size. When + # a credential is requested, issuer will get handle from the pool and assign it to the credential. + # Issuer will repopulate the pool with new handles when the last handle in the pool is used. + # A revocation handle and credential revocation information (CRI) are used to create non revocation proof + # by the prover to prove to the verifier that her credential is not revoked. + rhpoolsize: 1000 + + # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer + # and second step is send credential request that is constructed using the nonce to the isuser to + # request a credential. This configuration property specifies expiration for the nonces. By default is + # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration). + nonceexpiration: 15s + + # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes. + # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration) + noncesweepinterval: 15m + +############################################################################# +# BCCSP (BlockChain Crypto Service Provider) section is used to select which +# crypto library implementation to use +############################################################################# +bccsp: + default: SW + sw: + hash: SHA2 + security: 256 + filekeystore: + # The directory used for the software file-based keystore + keystore: msp/keystore + +############################################################################# +# Multi CA section +# +# Each Fabric CA server contains one CA by default. This section is used +# to configure multiple CAs in a single server. +# +# 1) --cacount +# Automatically generate non-default CAs. The names of these +# additional CAs are "ca1", "ca2", ... "caN", where "N" is +# This is particularly useful in a development environment to quickly set up +# multiple CAs. Note that, this config option is not applicable to intermediate CA server +# i.e., Fabric CA server that is started with intermediate.parentserver.url config +# option (-u command line option) +# +# 2) --cafiles +# For each CA config file in the list, generate a separate signing CA. Each CA +# config file in this list MAY contain all of the same elements as are found in +# the server config file except port, debug, and tls sections. +# +# Examples: +# fabric-ca-server start -b admin:adminpw --cacount 2 +# +# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml +# --cafiles ca/ca2/fabric-ca-server-config.yaml +# +############################################################################# + +cacount: + +cafiles: + +############################################################################# +# Intermediate CA section +# +# The relationship between servers and CAs is as follows: +# 1) A single server process may contain or function as one or more CAs. +# This is configured by the "Multi CA section" above. +# 2) Each CA is either a root CA or an intermediate CA. +# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. +# +# This section pertains to configuration of #2 and #3. +# If the "intermediate.parentserver.url" property is set, +# then this is an intermediate CA with the specified parent +# CA. +# +# parentserver section +# url - The URL of the parent server +# caname - Name of the CA to enroll within the server +# +# enrollment section used to enroll intermediate CA with parent CA +# profile - Name of the signing profile to use in issuing the certificate +# label - Label to use in HSM operations +# +# tls section for secure socket connection +# certfiles - PEM-encoded list of trusted root certificate files +# client: +# certfile - PEM-encoded certificate file for when client authentication +# is enabled on server +# keyfile - PEM-encoded key file for when client authentication +# is enabled on server +############################################################################# +intermediate: + parentserver: + url: + caname: + + enrollment: + hosts: + profile: + label: + + tls: + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# CA configuration section +# +# Configure the number of incorrect password attempts are allowed for +# identities. By default, the value of 'passwordattempts' is 10, which +# means that 10 incorrect password attempts can be made before an identity get +# locked out. +############################################################################# +cfg: + identities: + passwordattempts: 10 + +############################################################################### +# +# Operations section +# +############################################################################### +operations: + # host and port for the operations server + listenAddress: 127.0.0.1:9444 + + # TLS configuration for the operations endpoint + tls: + # TLS enabled + enabled: false + + # path to PEM encoded server certificate for the operations server + cert: + file: + + # path to PEM encoded server key for the operations server + key: + file: + + # require client certificate authentication to access all resources + clientAuthRequired: false + + # paths to PEM encoded ca certificates to trust for client authentication + clientRootCAs: + files: [] + +############################################################################### +# +# Metrics section +# +############################################################################### +metrics: + # statsd, prometheus, or disabled + provider: disabled + + # statsd configuration + statsd: + # network type: tcp or udp + network: udp + + # statsd server address + address: 127.0.0.1:8125 + + # the interval at which locally cached counters and gauges are pushsed + # to statsd; timings are pushed immediately + writeInterval: 10s + + # prefix is prepended to all emitted statsd merics + prefix: server diff --git a/test-network-k8s/config/org0/orderer.yaml b/test-network-k8s/config/org0/orderer.yaml new file mode 100644 index 00000000..c8e25a07 --- /dev/null +++ b/test-network-k8s/config/org0/orderer.yaml @@ -0,0 +1,420 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + + +--- +################################################################################ +# +# Orderer Configuration +# +# - This controls the type and configuration of the orderer. +# +################################################################################ +General: + # Listen address: The IP on which to bind to listen. + ListenAddress: 0.0.0.0 + + # Listen port: The port on which to bind to listen. + ListenPort: 6050 + + # TLS: TLS settings for the GRPC server. + TLS: + # Require server-side TLS + Enabled: false + # PrivateKey governs the file location of the private key of the TLS certificate. + PrivateKey: tls/server.key + # Certificate governs the file location of the server TLS certificate. + Certificate: tls/server.crt + # RootCAs contains a list of additional root certificates used for verifying certificates + # of other orderer nodes during outbound connections. + # It is not required to be set, but can be used to augment the set of TLS CA certificates + # available from the MSPs of each channel’s configuration. + RootCAs: + - tls/ca.crt + # Require client certificates / mutual TLS for inbound connections. + ClientAuthRequired: false + # If mutual TLS is enabled, ClientRootCAs contains a list of additional root certificates + # used for verifying certificates of client connections. + # It is not required to be set, but can be used to augment the set of TLS CA certificates + # available from the MSPs of each channel’s configuration. + ClientRootCAs: + # Keepalive settings for the GRPC server. + Keepalive: + # ServerMinInterval is the minimum permitted time between client pings. + # If clients send pings more frequently, the server will + # disconnect them. + ServerMinInterval: 60s + # ServerInterval is the time between pings to clients. + ServerInterval: 7200s + # ServerTimeout is the duration the server waits for a response from + # a client before closing the connection. + ServerTimeout: 20s + # Cluster settings for ordering service nodes that communicate with other ordering service nodes + # such as Raft based ordering service. + Cluster: + # SendBufferSize is the maximum number of messages in the egress buffer. + # Consensus messages are dropped if the buffer is full, and transaction + # messages are waiting for space to be freed. + SendBufferSize: 10 + + # ClientCertificate governs the file location of the client TLS certificate + # used to establish mutual TLS connections with other ordering service nodes. + # If not set, the server General.TLS.Certificate is re-used. + ClientCertificate: + # ClientPrivateKey governs the file location of the private key of the client TLS certificate. + # If not set, the server General.TLS.PrivateKey is re-used. + ClientPrivateKey: + + # The below 4 properties should be either set together, or be unset together. + # If they are set, then the orderer node uses a separate listener for intra-cluster + # communication. If they are unset, then the general orderer listener is used. + # This is useful if you want to use a different TLS server certificates on the + # client-facing and the intra-cluster listeners. + + # ListenPort defines the port on which the cluster listens to connections. + ListenPort: + # ListenAddress defines the IP on which to listen to intra-cluster communication. + ListenAddress: + # ServerCertificate defines the file location of the server TLS certificate used for intra-cluster + # communication. + ServerCertificate: + # ServerPrivateKey defines the file location of the private key of the TLS certificate. + ServerPrivateKey: + + # Bootstrap method: The method by which to obtain the bootstrap block + # system channel is specified. The option can be one of: + # "file" - path to a file containing the genesis block or config block of system channel + # "none" - allows an orderer to start without a system channel configuration + BootstrapMethod: none + + # Bootstrap file: The file containing the bootstrap block to use when + # initializing the orderer system channel and BootstrapMethod is set to + # "file". The bootstrap file can be the genesis block, and it can also be + # a config block for late bootstrap of some consensus methods like Raft. + # Generate a genesis block by updating $FABRIC_CFG_PATH/configtx.yaml and + # using configtxgen command with "-outputBlock" option. + # Defaults to file "genesisblock" (in $FABRIC_CFG_PATH directory) if not specified. + BootstrapFile: + + # LocalMSPDir is where to find the private crypto material needed by the + # orderer. It is set relative here as a default for dev environments but + # should be changed to the real location in production. + LocalMSPDir: msp + + # LocalMSPID is the identity to register the local MSP material with the MSP + # manager. IMPORTANT: The local MSP ID of an orderer needs to match the MSP + # ID of one of the organizations defined in the orderer system channel's + # /Channel/Orderer configuration. The sample organization defined in the + # sample configuration provided has an MSP ID of "SampleOrg". + LocalMSPID: SampleOrg + + # Enable an HTTP service for Go "pprof" profiling as documented at: + # https://golang.org/pkg/net/http/pprof + Profile: + Enabled: false + Address: 0.0.0.0:6060 + + # BCCSP configures the blockchain crypto service providers. + BCCSP: + # Default specifies the preferred blockchain crypto service provider + # to use. If the preferred provider is not available, the software + # based provider ("SW") will be used. + # Valid providers are: + # - SW: a software based crypto provider + # - PKCS11: a CA hardware security module crypto provider. + Default: SW + + # SW configures the software based blockchain crypto provider. + SW: + # TODO: The default Hash and Security level needs refactoring to be + # fully configurable. Changing these defaults requires coordination + # SHA2 is hardcoded in several places, not only BCCSP + Hash: SHA2 + Security: 256 + # Location of key store. If this is unset, a location will be + # chosen using: 'LocalMSPDir'/keystore + FileKeyStore: + KeyStore: + + # Settings for the PKCS#11 crypto provider (i.e. when DEFAULT: PKCS11) + PKCS11: + # Location of the PKCS11 module library + Library: + # Token Label + Label: + # User PIN + Pin: + Hash: + Security: + FileKeyStore: + KeyStore: + + # Authentication contains configuration parameters related to authenticating + # client messages + Authentication: + # the acceptable difference between the current server time and the + # client's time as specified in a client request message + TimeWindow: 15m + + +################################################################################ +# +# SECTION: File Ledger +# +# - This section applies to the configuration of the file ledger. +# +################################################################################ +FileLedger: + + # Location: The directory to store the blocks in. + Location: /var/hyperledger/production/orderer + +################################################################################ +# +# SECTION: Kafka +# +# - This section applies to the configuration of the Kafka-based orderer, and +# its interaction with the Kafka cluster. +# +################################################################################ +Kafka: + + # Retry: What do if a connection to the Kafka cluster cannot be established, + # or if a metadata request to the Kafka cluster needs to be repeated. + Retry: + # When a new channel is created, or when an existing channel is reloaded + # (in case of a just-restarted orderer), the orderer interacts with the + # Kafka cluster in the following ways: + # 1. It creates a Kafka producer (writer) for the Kafka partition that + # corresponds to the channel. + # 2. It uses that producer to post a no-op CONNECT message to that + # partition + # 3. It creates a Kafka consumer (reader) for that partition. + # If any of these steps fail, they will be re-attempted every + # for a total of , and then every + # for a total of until they succeed. + # Note that the orderer will be unable to write to or read from a + # channel until all of the steps above have been completed successfully. + ShortInterval: 5s + ShortTotal: 10m + LongInterval: 5m + LongTotal: 12h + # Affects the socket timeouts when waiting for an initial connection, a + # response, or a transmission. See Config.Net for more info: + # https://godoc.org/github.com/Shopify/sarama#Config + NetworkTimeouts: + DialTimeout: 10s + ReadTimeout: 10s + WriteTimeout: 10s + # Affects the metadata requests when the Kafka cluster is in the middle + # of a leader election.See Config.Metadata for more info: + # https://godoc.org/github.com/Shopify/sarama#Config + Metadata: + RetryBackoff: 250ms + RetryMax: 3 + # What to do if posting a message to the Kafka cluster fails. See + # Config.Producer for more info: + # https://godoc.org/github.com/Shopify/sarama#Config + Producer: + RetryBackoff: 100ms + RetryMax: 3 + # What to do if reading from the Kafka cluster fails. See + # Config.Consumer for more info: + # https://godoc.org/github.com/Shopify/sarama#Config + Consumer: + RetryBackoff: 2s + # Settings to use when creating Kafka topics. Only applies when + # Kafka.Version is v0.10.1.0 or higher + Topic: + # The number of Kafka brokers across which to replicate the topic + ReplicationFactor: 3 + # Verbose: Enable logging for interactions with the Kafka cluster. + Verbose: false + + # TLS: TLS settings for the orderer's connection to the Kafka cluster. + TLS: + + # Enabled: Use TLS when connecting to the Kafka cluster. + Enabled: false + + # PrivateKey: PEM-encoded private key the orderer will use for + # authentication. + PrivateKey: + # As an alternative to specifying the PrivateKey here, uncomment the + # following "File" key and specify the file name from which to load the + # value of PrivateKey. + #File: path/to/PrivateKey + + # Certificate: PEM-encoded signed public key certificate the orderer will + # use for authentication. + Certificate: + # As an alternative to specifying the Certificate here, uncomment the + # following "File" key and specify the file name from which to load the + # value of Certificate. + #File: path/to/Certificate + + # RootCAs: PEM-encoded trusted root certificates used to validate + # certificates from the Kafka cluster. + RootCAs: + # As an alternative to specifying the RootCAs here, uncomment the + # following "File" key and specify the file name from which to load the + # value of RootCAs. + #File: path/to/RootCAs + + # SASLPlain: Settings for using SASL/PLAIN authentication with Kafka brokers + SASLPlain: + # Enabled: Use SASL/PLAIN to authenticate with Kafka brokers + Enabled: false + # User: Required when Enabled is set to true + User: + # Password: Required when Enabled is set to true + Password: + + # Kafka protocol version used to communicate with the Kafka cluster brokers + # (defaults to 0.10.2.0 if not specified) + Version: + +################################################################################ +# +# Debug Configuration +# +# - This controls the debugging options for the orderer +# +################################################################################ +Debug: + + # BroadcastTraceDir when set will cause each request to the Broadcast service + # for this orderer to be written to a file in this directory + BroadcastTraceDir: + + # DeliverTraceDir when set will cause each request to the Deliver service + # for this orderer to be written to a file in this directory + DeliverTraceDir: + +################################################################################ +# +# Operations Configuration +# +# - This configures the operations server endpoint for the orderer +# +################################################################################ +Operations: + # host and port for the operations server + ListenAddress: 0.0.0.0:8443 + + # TLS configuration for the operations endpoint + TLS: + # TLS enabled + Enabled: false + + # Certificate is the location of the PEM encoded TLS certificate + Certificate: + + # PrivateKey points to the location of the PEM-encoded key + PrivateKey: + + # Most operations service endpoints require client authentication when TLS + # is enabled. ClientAuthRequired requires client certificate authentication + # at the TLS layer to access all resources. + ClientAuthRequired: false + + # Paths to PEM encoded ca certificates to trust for client authentication + ClientRootCAs: [] + +################################################################################ +# +# Metrics Configuration +# +# - This configures metrics collection for the orderer +# +################################################################################ +Metrics: + # The metrics provider is one of statsd, prometheus, or disabled + Provider: disabled + + # The statsd configuration + Statsd: + # network type: tcp or udp + Network: udp + + # the statsd server address + Address: 127.0.0.1:8125 + + # The interval at which locally cached counters and gauges are pushed + # to statsd; timings are pushed immediately + WriteInterval: 30s + + # The prefix is prepended to all emitted statsd metrics + Prefix: + +################################################################################ +# +# Admin Configuration +# +# - This configures the admin server endpoint for the orderer +# +################################################################################ +Admin: + # host and port for the admin server + ListenAddress: 0.0.0.0:9443 + + # TLS configuration for the admin endpoint + TLS: + # TLS enabled + Enabled: false + + # Certificate is the location of the PEM encoded TLS certificate + Certificate: + + # PrivateKey points to the location of the PEM-encoded key + PrivateKey: + + # Most admin service endpoints require client authentication when TLS + # is enabled. ClientAuthRequired requires client certificate authentication + # at the TLS layer to access all resources. + # + # NOTE: When TLS is enabled, the admin endpoint requires mutual TLS. The + # orderer will panic on startup if this value is set to false. + ClientAuthRequired: true + + # Paths to PEM encoded ca certificates to trust for client authentication + ClientRootCAs: [] + +################################################################################ +# +# Channel participation API Configuration +# +# - This provides the channel participation API configuration for the orderer. +# - Channel participation uses the ListenAddress and TLS settings of the Admin +# service. +# +################################################################################ +ChannelParticipation: + # Channel participation API is enabled. + Enabled: true + + # The maximum size of the request body when joining a channel. + MaxRequestBodySize: 1 MB + + +################################################################################ +# +# Consensus Configuration +# +# - This section contains config options for a consensus plugin. It is opaque +# to orderer, and completely up to consensus implementation to make use of. +# +################################################################################ +Consensus: + # The allowed key-value pairs here depend on consensus plugin. For etcd/raft, + # we use following options: + + # WALDir specifies the location at which Write Ahead Logs for etcd/raft are + # stored. Each channel will have its own subdir named after channel ID. + WALDir: /var/hyperledger/production/orderer/etcdraft/wal + + # SnapDir specifies the location at which snapshots for etcd/raft are + # stored. Each channel will have its own subdir named after channel ID. + SnapDir: /var/hyperledger/production/orderer/etcdraft/snapshot diff --git a/test-network-k8s/config/org1/core.yaml b/test-network-k8s/config/org1/core.yaml new file mode 100644 index 00000000..ca60ae52 --- /dev/null +++ b/test-network-k8s/config/org1/core.yaml @@ -0,0 +1,759 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +############################################################################### +# +# Peer section +# +############################################################################### +peer: + + # The peer id provides a name for this peer instance and is used when + # naming docker resources. + id: jdoe + + # The networkId allows for logical separation of networks and is used when + # naming docker resources. + networkId: dev + + # The Address at local network interface this Peer will listen on. + # By default, it will listen on all network interfaces + listenAddress: 0.0.0.0:7051 + + # The endpoint this peer uses to listen for inbound chaincode connections. + # If this is commented-out, the listen address is selected to be + # the peer's address (see below) with port 7052 + # chaincodeListenAddress: 0.0.0.0:7052 + + # The endpoint the chaincode for this peer uses to connect to the peer. + # If this is not specified, the chaincodeListenAddress address is selected. + # And if chaincodeListenAddress is not specified, address is selected from + # peer address (see below). If specified peer address is invalid then it + # will fallback to the auto detected IP (local IP) regardless of the peer + # addressAutoDetect value. + # chaincodeAddress: 0.0.0.0:7052 + + # When used as peer config, this represents the endpoint to other peers + # in the same organization. For peers in other organization, see + # gossip.externalEndpoint for more info. + # When used as CLI config, this means the peer's endpoint to interact with + address: 0.0.0.0:7051 + + # Whether the Peer should programmatically determine its address + # This case is useful for docker containers. + # When set to true, will override peer address. + addressAutoDetect: false + + # Keepalive settings for peer server and clients + keepalive: + # Interval is the duration after which if the server does not see + # any activity from the client it pings the client to see if it's alive + interval: 7200s + # Timeout is the duration the server waits for a response + # from the client after sending a ping before closing the connection + timeout: 20s + # MinInterval is the minimum permitted time between client pings. + # If clients send pings more frequently, the peer server will + # disconnect them + minInterval: 60s + # Client keepalive settings for communicating with other peer nodes + client: + # Interval is the time between pings to peer nodes. This must + # greater than or equal to the minInterval specified by peer + # nodes + interval: 60s + # Timeout is the duration the client waits for a response from + # peer nodes before closing the connection + timeout: 20s + # DeliveryClient keepalive settings for communication with ordering + # nodes. + deliveryClient: + # Interval is the time between pings to ordering nodes. This must + # greater than or equal to the minInterval specified by ordering + # nodes. + interval: 60s + # Timeout is the duration the client waits for a response from + # ordering nodes before closing the connection + timeout: 20s + + + # Gossip related configuration + gossip: + # Bootstrap set to initialize gossip with. + # This is a list of other peers that this peer reaches out to at startup. + # Important: The endpoints here have to be endpoints of peers in the same + # organization, because the peer would refuse connecting to these endpoints + # unless they are in the same organization as the peer. + bootstrap: 127.0.0.1:7051 + + # NOTE: orgLeader and useLeaderElection parameters are mutual exclusive. + # Setting both to true would result in the termination of the peer + # since this is undefined state. If the peers are configured with + # useLeaderElection=false, make sure there is at least 1 peer in the + # organization that its orgLeader is set to true. + + # Defines whenever peer will initialize dynamic algorithm for + # "leader" selection, where leader is the peer to establish + # connection with ordering service and use delivery protocol + # to pull ledger blocks from ordering service. + useLeaderElection: false + # Statically defines peer to be an organization "leader", + # where this means that current peer will maintain connection + # with ordering service and disseminate block across peers in + # its own organization. Multiple peers or all peers in an organization + # may be configured as org leaders, so that they all pull + # blocks directly from ordering service. + orgLeader: true + + # Interval for membershipTracker polling + membershipTrackerInterval: 5s + + # Overrides the endpoint that the peer publishes to peers + # in its organization. For peers in foreign organizations + # see 'externalEndpoint' + endpoint: + # Maximum count of blocks stored in memory + maxBlockCountToStore: 10 + # Max time between consecutive message pushes(unit: millisecond) + maxPropagationBurstLatency: 10ms + # Max number of messages stored until a push is triggered to remote peers + maxPropagationBurstSize: 10 + # Number of times a message is pushed to remote peers + propagateIterations: 1 + # Number of peers selected to push messages to + propagatePeerNum: 3 + # Determines frequency of pull phases(unit: second) + # Must be greater than digestWaitTime + responseWaitTime + pullInterval: 4s + # Number of peers to pull from + pullPeerNum: 3 + # Determines frequency of pulling state info messages from peers(unit: second) + requestStateInfoInterval: 4s + # Determines frequency of pushing state info messages to peers(unit: second) + publishStateInfoInterval: 4s + # Maximum time a stateInfo message is kept until expired + stateInfoRetentionInterval: + # Time from startup certificates are included in Alive messages(unit: second) + publishCertPeriod: 10s + # Should we skip verifying block messages or not (currently not in use) + skipBlockVerification: false + # Dial timeout(unit: second) + dialTimeout: 3s + # Connection timeout(unit: second) + connTimeout: 2s + # Buffer size of received messages + recvBuffSize: 20 + # Buffer size of sending messages + sendBuffSize: 200 + # Time to wait before pull engine processes incoming digests (unit: second) + # Should be slightly smaller than requestWaitTime + digestWaitTime: 1s + # Time to wait before pull engine removes incoming nonce (unit: milliseconds) + # Should be slightly bigger than digestWaitTime + requestWaitTime: 1500ms + # Time to wait before pull engine ends pull (unit: second) + responseWaitTime: 2s + # Alive check interval(unit: second) + aliveTimeInterval: 5s + # Alive expiration timeout(unit: second) + aliveExpirationTimeout: 25s + # Reconnect interval(unit: second) + reconnectInterval: 25s + # Max number of attempts to connect to a peer + maxConnectionAttempts: 120 + # Message expiration factor for alive messages + msgExpirationFactor: 20 + # This is an endpoint that is published to peers outside of the organization. + # If this isn't set, the peer will not be known to other organizations. + externalEndpoint: + # Leader election service configuration + election: + # Longest time peer waits for stable membership during leader election startup (unit: second) + startupGracePeriod: 15s + # Interval gossip membership samples to check its stability (unit: second) + membershipSampleInterval: 1s + # Time passes since last declaration message before peer decides to perform leader election (unit: second) + leaderAliveThreshold: 10s + # Time between peer sends propose message and declares itself as a leader (sends declaration message) (unit: second) + leaderElectionDuration: 5s + + pvtData: + # pullRetryThreshold determines the maximum duration of time private data corresponding for a given block + # would be attempted to be pulled from peers until the block would be committed without the private data + pullRetryThreshold: 60s + # As private data enters the transient store, it is associated with the peer's ledger's height at that time. + # transientstoreMaxBlockRetention defines the maximum difference between the current ledger's height upon commit, + # and the private data residing inside the transient store that is guaranteed not to be purged. + # Private data is purged from the transient store when blocks with sequences that are multiples + # of transientstoreMaxBlockRetention are committed. + transientstoreMaxBlockRetention: 1000 + # pushAckTimeout is the maximum time to wait for an acknowledgement from each peer + # at private data push at endorsement time. + pushAckTimeout: 3s + # Block to live pulling margin, used as a buffer + # to prevent peer from trying to pull private data + # from peers that is soon to be purged in next N blocks. + # This helps a newly joined peer catch up to current + # blockchain height quicker. + btlPullMargin: 10 + # the process of reconciliation is done in an endless loop, while in each iteration reconciler tries to + # pull from the other peers the most recent missing blocks with a maximum batch size limitation. + # reconcileBatchSize determines the maximum batch size of missing private data that will be reconciled in a + # single iteration. + reconcileBatchSize: 10 + # reconcileSleepInterval determines the time reconciler sleeps from end of an iteration until the beginning + # of the next reconciliation iteration. + reconcileSleepInterval: 1m + # reconciliationEnabled is a flag that indicates whether private data reconciliation is enable or not. + reconciliationEnabled: true + # skipPullingInvalidTransactionsDuringCommit is a flag that indicates whether pulling of invalid + # transaction's private data from other peers need to be skipped during the commit time and pulled + # only through reconciler. + skipPullingInvalidTransactionsDuringCommit: false + # implicitCollectionDisseminationPolicy specifies the dissemination policy for the peer's own implicit collection. + # When a peer endorses a proposal that writes to its own implicit collection, below values override the default values + # for disseminating private data. + # Note that it is applicable to all channels the peer has joined. The implication is that requiredPeerCount has to + # be smaller than the number of peers in a channel that has the lowest numbers of peers from the organization. + implicitCollectionDisseminationPolicy: + # requiredPeerCount defines the minimum number of eligible peers to which the peer must successfully + # disseminate private data for its own implicit collection during endorsement. Default value is 0. + requiredPeerCount: 0 + # maxPeerCount defines the maximum number of eligible peers to which the peer will attempt to + # disseminate private data for its own implicit collection during endorsement. Default value is 1. + maxPeerCount: 1 + + # Gossip state transfer related configuration + state: + # indicates whenever state transfer is enabled or not + # default value is true, i.e. state transfer is active + # and takes care to sync up missing blocks allowing + # lagging peer to catch up to speed with rest network. + # Keep in mind that when peer.gossip.useLeaderElection is true + # and there are several peers in the organization, + # or peer.gossip.useLeaderElection is false alongside with + # peer.gossip.orgleader being false, the peer's ledger may lag behind + # the rest of the peers and will never catch up due to state transfer + # being disabled. + enabled: false + # checkInterval interval to check whether peer is lagging behind enough to + # request blocks via state transfer from another peer. + checkInterval: 10s + # responseTimeout amount of time to wait for state transfer response from + # other peers + responseTimeout: 3s + # batchSize the number of blocks to request via state transfer from another peer + batchSize: 10 + # blockBufferSize reflects the size of the re-ordering buffer + # which captures blocks and takes care to deliver them in order + # down to the ledger layer. The actual buffer size is bounded between + # 0 and 2*blockBufferSize, each channel maintains its own buffer + blockBufferSize: 20 + # maxRetries maximum number of re-tries to ask + # for single state transfer request + maxRetries: 3 + + # TLS Settings + tls: + # Require server-side TLS + enabled: true + # Require client certificates / mutual TLS for inbound connections. + # Note that clients that are not configured to use a certificate will + # fail to connect to the peer. + clientAuthRequired: false + # X.509 certificate used for TLS server + cert: + file: tls/server.crt + # Private key used for TLS server + key: + file: tls/server.key + # rootcert.file represents the trusted root certificate chain used for verifying certificates + # of other nodes during outbound connections. + # It is not required to be set, but can be used to augment the set of TLS CA certificates + # available from the MSPs of each channel’s configuration. + rootcert: + file: tls/ca.crt + # If mutual TLS is enabled, clientRootCAs.files contains a list of additional root certificates + # used for verifying certificates of client connections. + # It augments the set of TLS CA certificates available from the MSPs of each channel’s configuration. + # Minimally, set your organization's TLS CA root certificate so that the peer can receive join channel requests. + clientRootCAs: + files: + - tls/ca.crt + # Private key used for TLS when making client connections. + # If not set, peer.tls.key.file will be used instead + clientKey: + file: + # X.509 certificate used for TLS when making client connections. + # If not set, peer.tls.cert.file will be used instead + clientCert: + file: + + # Authentication contains configuration parameters related to authenticating + # client messages + authentication: + # the acceptable difference between the current server time and the + # client's time as specified in a client request message + timewindow: 15m + + # Path on the file system where peer will store data (eg ledger). This + # location must be access control protected to prevent unintended + # modification that might corrupt the peer operations. + fileSystemPath: /var/hyperledger/production + + # BCCSP (Blockchain crypto provider): Select which crypto implementation or + # library to use + BCCSP: + Default: SW + # Settings for the SW crypto provider (i.e. when DEFAULT: SW) + SW: + # TODO: The default Hash and Security level needs refactoring to be + # fully configurable. Changing these defaults requires coordination + # SHA2 is hardcoded in several places, not only BCCSP + Hash: SHA2 + Security: 256 + # Location of Key Store + FileKeyStore: + # If "", defaults to 'mspConfigPath'/keystore + KeyStore: + # Settings for the PKCS#11 crypto provider (i.e. when DEFAULT: PKCS11) + PKCS11: + # Location of the PKCS11 module library + Library: + # Token Label + Label: + # User PIN + Pin: + Hash: + Security: + + # Path on the file system where peer will find MSP local configurations + mspConfigPath: msp + + # Identifier of the local MSP + # ----!!!!IMPORTANT!!!-!!!IMPORTANT!!!-!!!IMPORTANT!!!!---- + # Deployers need to change the value of the localMspId string. + # In particular, the name of the local MSP ID of a peer needs + # to match the name of one of the MSPs in each of the channel + # that this peer is a member of. Otherwise this peer's messages + # will not be identified as valid by other nodes. + localMspId: Org1MSP + + # CLI common client config options + client: + # connection timeout + connTimeout: 3s + + # Delivery service related config + deliveryclient: + # It sets the total time the delivery service may spend in reconnection + # attempts until its retry logic gives up and returns an error + reconnectTotalTimeThreshold: 3600s + + # It sets the delivery service <-> ordering service node connection timeout + connTimeout: 3s + + # It sets the delivery service maximal delay between consecutive retries + reConnectBackoffThreshold: 3600s + + # A list of orderer endpoint addresses which should be overridden + # when found in channel configurations. + addressOverrides: + # - from: + # to: + # caCertsFile: + # - from: + # to: + # caCertsFile: + + # Type for the local MSP - by default it's of type bccsp + localMspType: bccsp + + # Used with Go profiling tools only in none production environment. In + # production, it should be disabled (eg enabled: false) + profile: + enabled: false + listenAddress: 0.0.0.0:6060 + + # Handlers defines custom handlers that can filter and mutate + # objects passing within the peer, such as: + # Auth filter - reject or forward proposals from clients + # Decorators - append or mutate the chaincode input passed to the chaincode + # Endorsers - Custom signing over proposal response payload and its mutation + # Valid handler definition contains: + # - A name which is a factory method name defined in + # core/handlers/library/library.go for statically compiled handlers + # - library path to shared object binary for pluggable filters + # Auth filters and decorators are chained and executed in the order that + # they are defined. For example: + # authFilters: + # - + # name: FilterOne + # library: /opt/lib/filter.so + # - + # name: FilterTwo + # decorators: + # - + # name: DecoratorOne + # - + # name: DecoratorTwo + # library: /opt/lib/decorator.so + # Endorsers are configured as a map that its keys are the endorsement system chaincodes that are being overridden. + # Below is an example that overrides the default ESCC and uses an endorsement plugin that has the same functionality + # as the default ESCC. + # If the 'library' property is missing, the name is used as the constructor method in the builtin library similar + # to auth filters and decorators. + # endorsers: + # escc: + # name: DefaultESCC + # library: /etc/hyperledger/fabric/plugin/escc.so + handlers: + authFilters: + - + name: DefaultAuth + - + name: ExpirationCheck # This filter checks identity x509 certificate expiration + decorators: + - + name: DefaultDecorator + endorsers: + escc: + name: DefaultEndorsement + library: + validators: + vscc: + name: DefaultValidation + library: + + # library: /etc/hyperledger/fabric/plugin/escc.so + # Number of goroutines that will execute transaction validation in parallel. + # By default, the peer chooses the number of CPUs on the machine. Set this + # variable to override that choice. + # NOTE: overriding this value might negatively influence the performance of + # the peer so please change this value only if you know what you're doing + validatorPoolSize: + + # The discovery service is used by clients to query information about peers, + # such as - which peers have joined a certain channel, what is the latest + # channel config, and most importantly - given a chaincode and a channel, + # what possible sets of peers satisfy the endorsement policy. + discovery: + enabled: true + # Whether the authentication cache is enabled or not. + authCacheEnabled: true + # The maximum size of the cache, after which a purge takes place + authCacheMaxSize: 1000 + # The proportion (0 to 1) of entries that remain in the cache after the cache is purged due to overpopulation + authCachePurgeRetentionRatio: 0.75 + # Whether to allow non-admins to perform non channel scoped queries. + # When this is false, it means that only peer admins can perform non channel scoped queries. + orgMembersAllowedAccess: false + + # Limits is used to configure some internal resource limits. + limits: + # Concurrency limits the number of concurrently running requests to a service on each peer. + # Currently this option is only applied to endorser service and deliver service. + # When the property is missing or the value is 0, the concurrency limit is disabled for the service. + concurrency: + # endorserService limits concurrent requests to endorser service that handles chaincode deployment, query and invocation, + # including both user chaincodes and system chaincodes. + endorserService: 2500 + # deliverService limits concurrent event listeners registered to deliver service for blocks and transaction events. + deliverService: 2500 + +############################################################################### +# +# VM section +# +############################################################################### +vm: + + # Endpoint of the vm management system. For docker can be one of the following in general + # unix:///var/run/docker.sock + # http://localhost:2375 + # https://localhost:2376 + endpoint: unix:///var/run/docker.sock + + # settings for docker vms + docker: + tls: + enabled: false + ca: + file: docker/ca.crt + cert: + file: docker/tls.crt + key: + file: docker/tls.key + + # Enables/disables the standard out/err from chaincode containers for + # debugging purposes + attachStdout: false + + # Parameters on creating docker container. + # Container may be efficiently created using ipam & dns-server for cluster + # NetworkMode - sets the networking mode for the container. Supported + # standard values are: `host`(default),`bridge`,`ipvlan`,`none`. + # Dns - a list of DNS servers for the container to use. + # Note: `Privileged` `Binds` `Links` and `PortBindings` properties of + # Docker Host Config are not supported and will not be used if set. + # LogConfig - sets the logging driver (Type) and related options + # (Config) for Docker. For more info, + # https://docs.docker.com/engine/admin/logging/overview/ + # Note: Set LogConfig using Environment Variables is not supported. + hostConfig: + NetworkMode: host + Dns: + # - 192.168.0.1 + LogConfig: + Type: json-file + Config: + max-size: "50m" + max-file: "5" + Memory: 2147483648 + +############################################################################### +# +# Chaincode section +# +############################################################################### +chaincode: + + # The id is used by the Chaincode stub to register the executing Chaincode + # ID with the Peer and is generally supplied through ENV variables + # the `path` form of ID is provided when installing the chaincode. + # The `name` is used for all other requests and can be any string. + id: + path: + name: + + # Generic builder environment, suitable for most chaincode types + builder: $(DOCKER_NS)/fabric-ccenv:$(TWO_DIGIT_VERSION) + + # Enables/disables force pulling of the base docker images (listed below) + # during user chaincode instantiation. + # Useful when using moving image tags (such as :latest) + pull: false + + golang: + # golang will never need more than baseos + runtime: $(DOCKER_NS)/fabric-baseos:$(TWO_DIGIT_VERSION) + + # whether or not golang chaincode should be linked dynamically + dynamicLink: false + + java: + # This is an image based on java:openjdk-8 with addition compiler + # tools added for java shim layer packaging. + # This image is packed with shim layer libraries that are necessary + # for Java chaincode runtime. + runtime: $(DOCKER_NS)/fabric-javaenv:$(TWO_DIGIT_VERSION) + + node: + # This is an image based on node:$(NODE_VER)-alpine + runtime: $(DOCKER_NS)/fabric-nodeenv:$(TWO_DIGIT_VERSION) + + # List of directories to treat as external builders and launchers for + # chaincode. The external builder detection processing will iterate over the + # builders in the order specified below. + externalBuilders: + - path: /var/hyperledger/fabric/chaincode/ccs-builder + name: ccs-builder + propagateEnvironment: + - HOME + - CORE_PEER_ID + - CORE_PEER_LOCALMSPID + + # The maximum duration to wait for the chaincode build and install process + # to complete. + installTimeout: 300s + + # Timeout duration for starting up a container and waiting for Register + # to come through. + startuptimeout: 300s + + # Timeout duration for Invoke and Init calls to prevent runaway. + # This timeout is used by all chaincodes in all the channels, including + # system chaincodes. + # Note that during Invoke, if the image is not available (e.g. being + # cleaned up when in development environment), the peer will automatically + # build the image, which might take more time. In production environment, + # the chaincode image is unlikely to be deleted, so the timeout could be + # reduced accordingly. + executetimeout: 30s + + # There are 2 modes: "dev" and "net". + # In dev mode, user runs the chaincode after starting peer from + # command line on local machine. + # In net mode, peer will run chaincode in a docker container. + mode: net + + # keepalive in seconds. In situations where the communication goes through a + # proxy that does not support keep-alive, this parameter will maintain connection + # between peer and chaincode. + # A value <= 0 turns keepalive off + keepalive: 0 + + # enabled system chaincodes + system: + _lifecycle: enable + cscc: enable + lscc: enable + qscc: enable + + # Logging section for the chaincode container + logging: + # Default level for all loggers within the chaincode container + level: info + # Override default level for the 'shim' logger + shim: warning + # Format for the chaincode container logs + format: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}' + +############################################################################### +# +# Ledger section - ledger configuration encompasses both the blockchain +# and the state +# +############################################################################### +ledger: + + blockchain: + + state: + # stateDatabase - options are "goleveldb", "CouchDB" + # goleveldb - default state database stored in goleveldb. + # CouchDB - store state database in CouchDB + stateDatabase: goleveldb + # Limit on the number of records to return per query + totalQueryLimit: 100000 + couchDBConfig: + # It is recommended to run CouchDB on the same server as the peer, and + # not map the CouchDB container port to a server port in docker-compose. + # Otherwise proper security must be provided on the connection between + # CouchDB client (on the peer) and server. + couchDBAddress: 127.0.0.1:5984 + # This username must have read and write authority on CouchDB + username: + # The password is recommended to pass as an environment variable + # during start up (eg CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD). + # If it is stored here, the file must be access control protected + # to prevent unintended users from discovering the password. + password: + # Number of retries for CouchDB errors + maxRetries: 3 + # Number of retries for CouchDB errors during peer startup. + # The delay between retries doubles for each attempt. + # Default of 10 retries results in 11 attempts over 2 minutes. + maxRetriesOnStartup: 10 + # CouchDB request timeout (unit: duration, e.g. 20s) + requestTimeout: 35s + # Limit on the number of records per each CouchDB query + # Note that chaincode queries are only bound by totalQueryLimit. + # Internally the chaincode may execute multiple CouchDB queries, + # each of size internalQueryLimit. + internalQueryLimit: 1000 + # Limit on the number of records per CouchDB bulk update batch + maxBatchUpdateSize: 1000 + # Warm indexes after every N blocks. + # This option warms any indexes that have been + # deployed to CouchDB after every N blocks. + # A value of 1 will warm indexes after every block commit, + # to ensure fast selector queries. + # Increasing the value may improve write efficiency of peer and CouchDB, + # but may degrade query response time. + warmIndexesAfterNBlocks: 1 + # Create the _global_changes system database + # This is optional. Creating the global changes database will require + # additional system resources to track changes and maintain the database + createGlobalChangesDB: false + # CacheSize denotes the maximum mega bytes (MB) to be allocated for the in-memory state + # cache. Note that CacheSize needs to be a multiple of 32 MB. If it is not a multiple + # of 32 MB, the peer would round the size to the next multiple of 32 MB. + # To disable the cache, 0 MB needs to be assigned to the cacheSize. + cacheSize: 64 + + history: + # enableHistoryDatabase - options are true or false + # Indicates if the history of key updates should be stored. + # All history 'index' will be stored in goleveldb, regardless if using + # CouchDB or alternate database for the state. + enableHistoryDatabase: true + + pvtdataStore: + # the maximum db batch size for converting + # the ineligible missing data entries to eligible missing data entries + collElgProcMaxDbBatchSize: 5000 + # the minimum duration (in milliseconds) between writing + # two consecutive db batches for converting the ineligible missing data entries to eligible missing data entries + collElgProcDbBatchesInterval: 1000 + # The missing data entries are classified into two categories: + # (1) prioritized + # (2) deprioritized + # Initially, all missing data are in the prioritized list. When the + # reconciler is unable to fetch the missing data from other peers, + # the unreconciled missing data would be moved to the deprioritized list. + # The reconciler would retry deprioritized missing data after every + # deprioritizedDataReconcilerInterval (unit: minutes). Note that the + # interval needs to be greater than the reconcileSleepInterval + deprioritizedDataReconcilerInterval: 60m + + snapshots: + # Path on the file system where peer will store ledger snapshots + rootDir: /var/hyperledger/production/snapshots + +############################################################################### +# +# Operations section +# +############################################################################### +operations: + # host and port for the operations server + listenAddress: 127.0.0.1:9443 + + # TLS configuration for the operations endpoint + tls: + # TLS enabled + enabled: false + + # path to PEM encoded server certificate for the operations server + cert: + file: + + # path to PEM encoded server key for the operations server + key: + file: + + # most operations service endpoints require client authentication when TLS + # is enabled. clientAuthRequired requires client certificate authentication + # at the TLS layer to access all resources. + clientAuthRequired: false + + # paths to PEM encoded ca certificates to trust for client authentication + clientRootCAs: + files: [] + +############################################################################### +# +# Metrics section +# +############################################################################### +metrics: + # metrics provider is one of statsd, prometheus, or disabled + provider: disabled + + # statsd configuration + statsd: + # network type: tcp or udp + network: udp + + # statsd server address + address: 127.0.0.1:8125 + + # the interval at which locally cached counters and gauges are pushed + # to statsd; timings are pushed immediately + writeInterval: 10s + + # prefix is prepended to all emitted statsd metrics + prefix: diff --git a/test-network-k8s/config/org1/fabric-ecert-ca-server-config.yaml b/test-network-k8s/config/org1/fabric-ecert-ca-server-config.yaml new file mode 100644 index 00000000..f1ed9da4 --- /dev/null +++ b/test-network-k8s/config/org1/fabric-ecert-ca-server-config.yaml @@ -0,0 +1,506 @@ +############################################################################# +# This is a configuration file for the fabric-ca-server command. +# +# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES +# ------------------------------------------------ +# Each configuration element can be overridden via command line +# arguments or environment variables. The precedence for determining +# the value of each element is as follows: +# 1) command line argument +# Examples: +# a) --port 443 +# To set the listening port +# b) --ca.keyfile ../mykey.pem +# To set the "keyfile" element in the "ca" section below; +# note the '.' separator character. +# 2) environment variable +# Examples: +# a) FABRIC_CA_SERVER_PORT=443 +# To set the listening port +# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" +# To set the "keyfile" element in the "ca" section below; +# note the '_' separator character. +# 3) configuration file +# 4) default value (if there is one) +# All default values are shown beside each element below. +# +# FILE NAME ELEMENTS +# ------------------ +# The value of all fields whose name ends with "file" or "files" are +# name or names of other files. +# For example, see "tls.certfile" and "tls.clientauth.certfiles". +# The value of each of these fields can be a simple filename, a +# relative path, or an absolute path. If the value is not an +# absolute path, it is interpretted as being relative to the location +# of this configuration file. +# +############################################################################# + +# Version of config file +version: 1.5.2 + +# Server's listening port (default: 7054) +port: 443 + +# Cross-Origin Resource Sharing (CORS) +cors: + enabled: false + origins: + - "*" + +# Enables debug logging (default: false) +debug: false + +# Size limit of an acceptable CRL in bytes (default: 512000) +crlsizelimit: 512000 + +############################################################################# +# TLS section for the server's listening port +# +# The following types are supported for client authentication: NoClientCert, +# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, +# and RequireAndVerifyClientCert. +# +# Certfiles is a list of root certificate authorities that the server uses +# when verifying client certificates. +############################################################################# +tls: + # Enable TLS (default: false) + enabled: true + # TLS for the server's listening port + certfile: + keyfile: + clientauth: + type: noclientcert + certfiles: + +############################################################################# +# The CA section contains information related to the Certificate Authority +# including the name of the CA, which should be unique for all members +# of a blockchain network. It also includes the key and certificate files +# used when issuing enrollment certificates (ECerts) and transaction +# certificates (TCerts). +# The chainfile (if it exists) contains the certificate chain which +# should be trusted for this CA, where the 1st in the chain is always the +# root CA certificate. +############################################################################# +ca: + # Name of this CA + name: org1-ecert-ca + # Key file (is only used to import a private key into BCCSP) + keyfile: + # Certificate file (default: ca-cert.pem) + certfile: + # Chain file + chainfile: + +############################################################################# +# The gencrl REST endpoint is used to generate a CRL that contains revoked +# certificates. This section contains configuration options that are used +# during gencrl request processing. +############################################################################# +crl: + # Specifies expiration for the generated CRL. The number of hours + # specified by this property is added to the UTC time, the resulting time + # is used to set the 'Next Update' date of the CRL. + expiry: 24h + +############################################################################# +# The registry section controls how the fabric-ca-server does two things: +# 1) authenticates enrollment requests which contain a username and password +# (also known as an enrollment ID and secret). +# 2) once authenticated, retrieves the identity's attribute names and +# values which the fabric-ca-server optionally puts into TCerts +# which it issues for transacting on the Hyperledger Fabric blockchain. +# These attributes are useful for making access control decisions in +# chaincode. +# There are two main configuration options: +# 1) The fabric-ca-server is the registry. +# This is true if "ldap.enabled" in the ldap section below is false. +# 2) An LDAP server is the registry, in which case the fabric-ca-server +# calls the LDAP server to perform these tasks. +# This is true if "ldap.enabled" in the ldap section below is true, +# which means this "registry" section is ignored. +############################################################################# +registry: + # Maximum number of times a password/secret can be reused for enrollment + # (default: -1, which means there is no limit) + maxenrollments: -1 + + # Contains identity information which is used when LDAP is disabled + identities: + - name: rcaadmin + pass: rcaadminpw + type: client + affiliation: "" + attrs: + hf.Registrar.Roles: "*" + hf.Registrar.DelegateRoles: "*" + hf.Revoker: true + hf.IntermediateCA: true + hf.GenCRL: true + hf.Registrar.Attributes: "*" + hf.AffiliationMgr: true + +############################################################################# +# Database section +# Supported types are: "sqlite3", "postgres", and "mysql". +# The datasource value depends on the type. +# If the type is "sqlite3", the datasource value is a file name to use +# as the database store. Since "sqlite3" is an embedded database, it +# may not be used if you want to run the fabric-ca-server in a cluster. +# To run the fabric-ca-server in a cluster, you must choose "postgres" +# or "mysql". +############################################################################# +db: + type: sqlite3 + datasource: fabric-ca-server.db + tls: + enabled: false + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# LDAP section +# If LDAP is enabled, the fabric-ca-server calls LDAP to: +# 1) authenticate enrollment ID and secret (i.e. username and password) +# for enrollment requests; +# 2) To retrieve identity attributes +############################################################################# +ldap: + # Enables or disables the LDAP client (default: false) + # If this is set to true, the "registry" section is ignored. + enabled: false + # The URL of the LDAP server + url: ldap://:@:/ + # TLS configuration for the client connection to the LDAP server + tls: + certfiles: + client: + certfile: + keyfile: + # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes + attribute: + # 'names' is an array of strings containing the LDAP attribute names which are + # requested from the LDAP server for an LDAP identity's entry + names: ['uid','member'] + # The 'converters' section is used to convert an LDAP entry to the value of + # a fabric CA attribute. + # For example, the following converts an LDAP 'uid' attribute + # whose value begins with 'revoker' to a fabric CA attribute + # named "hf.Revoker" with a value of "true" (because the boolean expression + # evaluates to true). + # converters: + # - name: hf.Revoker + # value: attr("uid") =~ "revoker*" + converters: + - name: + value: + # The 'maps' section contains named maps which may be referenced by the 'map' + # function in the 'converters' section to map LDAP responses to arbitrary values. + # For example, assume a user has an LDAP attribute named 'member' which has multiple + # values which are each a distinguished name (i.e. a DN). For simplicity, assume the + # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. + # Further assume the following configuration. + # converters: + # - name: hf.Registrar.Roles + # value: map(attr("member"),"groups") + # maps: + # groups: + # - name: dn1 + # value: peer + # - name: dn2 + # value: client + # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be + # "peer,client,dn3". This is because the value of 'attr("member")' is + # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of + # "group" replaces "dn1" with "peer" and "dn2" with "client". + maps: + groups: + - name: + value: + +############################################################################# +# Affiliations section. Fabric CA server can be bootstrapped with the +# affiliations specified in this section. Affiliations are specified as maps. +# For example: +# businessunit1: +# department1: +# - team1 +# businessunit2: +# - department2 +# - department3 +# +# Affiliations are hierarchical in nature. In the above example, +# department1 (used as businessunit1.department1) is the child of businessunit1. +# team1 (used as businessunit1.department1.team1) is the child of department1. +# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) +# are children of businessunit2. +# Note: Affiliations are case sensitive except for the non-leaf affiliations +# (like businessunit1, department1, businessunit2) that are specified in the configuration file, +# which are always stored in lower case. +############################################################################# +affiliations: + org1: + - department1 + - department2 + org2: + - department1 + +############################################################################# +# Signing section +# +# The "default" subsection is used to sign enrollment certificates; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +# +# The "ca" profile subsection is used to sign intermediate CA certificates; +# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. +# Note that "isca" is true, meaning that it issues a CA certificate. +# A maxpathlen of 0 means that the intermediate CA cannot issue other +# intermediate CA certificates, though it can still issue end entity certificates. +# (See RFC 5280, section 4.2.1.9) +# +# The "tls" profile subsection is used to sign TLS certificate requests; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +############################################################################# +signing: + default: + usage: + - digital signature + expiry: 8760h + profiles: + ca: + usage: + - cert sign + - crl sign + expiry: 43800h + caconstraint: + isca: true + maxpathlen: 0 + tls: + usage: + - signing + - key encipherment + - server auth + - client auth + - key agreement + expiry: 8760h + +########################################################################### +# Certificate Signing Request (CSR) section. +# This controls the creation of the root CA certificate. +# The expiration for the root CA certificate is configured with the +# "ca.expiry" field below, whose default value is "131400h" which is +# 15 years in hours. +# The pathlength field is used to limit CA certificate hierarchy as described +# in section 4.2.1.9 of RFC 5280. +# Examples: +# 1) No pathlength value means no limit is requested. +# 2) pathlength == 1 means a limit of 1 is requested which is the default for +# a root CA. This means the root CA can issue intermediate CA certificates, +# but these intermediate CAs may not in turn issue other CA certificates +# though they can still issue end entity certificates. +# 3) pathlength == 0 means a limit of 0 is requested; +# this is the default for an intermediate CA, which means it can not issue +# CA certificates though it can still issue end entity certificates. +########################################################################### +csr: + cn: fabric-ca-server + keyrequest: + algo: ecdsa + size: 256 + names: + - C: US + ST: "North Carolina" + L: + O: Hyperledger + OU: Fabric + hosts: + - localhost + - 127.0.0.1 + - org1-ecert-ca + - org1-ecert-ca.test-network.svc.cluster.local + ca: + expiry: 131400h + pathlength: 1 + +########################################################################### +# Each CA can issue both X509 enrollment certificate as well as Idemix +# Credential. This section specifies configuration for the issuer component +# that is responsible for issuing Idemix credentials. +########################################################################### +idemix: + # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an + # Idemix credential. The issuer will create a pool revocation handles of this specified size. When + # a credential is requested, issuer will get handle from the pool and assign it to the credential. + # Issuer will repopulate the pool with new handles when the last handle in the pool is used. + # A revocation handle and credential revocation information (CRI) are used to create non revocation proof + # by the prover to prove to the verifier that her credential is not revoked. + rhpoolsize: 1000 + + # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer + # and second step is send credential request that is constructed using the nonce to the isuser to + # request a credential. This configuration property specifies expiration for the nonces. By default is + # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration). + nonceexpiration: 15s + + # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes. + # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration) + noncesweepinterval: 15m + +############################################################################# +# BCCSP (BlockChain Crypto Service Provider) section is used to select which +# crypto library implementation to use +############################################################################# +bccsp: + default: SW + sw: + hash: SHA2 + security: 256 + filekeystore: + # The directory used for the software file-based keystore + keystore: msp/keystore + +############################################################################# +# Multi CA section +# +# Each Fabric CA server contains one CA by default. This section is used +# to configure multiple CAs in a single server. +# +# 1) --cacount +# Automatically generate non-default CAs. The names of these +# additional CAs are "ca1", "ca2", ... "caN", where "N" is +# This is particularly useful in a development environment to quickly set up +# multiple CAs. Note that, this config option is not applicable to intermediate CA server +# i.e., Fabric CA server that is started with intermediate.parentserver.url config +# option (-u command line option) +# +# 2) --cafiles +# For each CA config file in the list, generate a separate signing CA. Each CA +# config file in this list MAY contain all of the same elements as are found in +# the server config file except port, debug, and tls sections. +# +# Examples: +# fabric-ca-server start -b admin:adminpw --cacount 2 +# +# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml +# --cafiles ca/ca2/fabric-ca-server-config.yaml +# +############################################################################# + +cacount: + +cafiles: + +############################################################################# +# Intermediate CA section +# +# The relationship between servers and CAs is as follows: +# 1) A single server process may contain or function as one or more CAs. +# This is configured by the "Multi CA section" above. +# 2) Each CA is either a root CA or an intermediate CA. +# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. +# +# This section pertains to configuration of #2 and #3. +# If the "intermediate.parentserver.url" property is set, +# then this is an intermediate CA with the specified parent +# CA. +# +# parentserver section +# url - The URL of the parent server +# caname - Name of the CA to enroll within the server +# +# enrollment section used to enroll intermediate CA with parent CA +# profile - Name of the signing profile to use in issuing the certificate +# label - Label to use in HSM operations +# +# tls section for secure socket connection +# certfiles - PEM-encoded list of trusted root certificate files +# client: +# certfile - PEM-encoded certificate file for when client authentication +# is enabled on server +# keyfile - PEM-encoded key file for when client authentication +# is enabled on server +############################################################################# +intermediate: + parentserver: + url: + caname: + + enrollment: + hosts: + profile: + label: + + tls: + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# CA configuration section +# +# Configure the number of incorrect password attempts are allowed for +# identities. By default, the value of 'passwordattempts' is 10, which +# means that 10 incorrect password attempts can be made before an identity get +# locked out. +############################################################################# +cfg: + identities: + passwordattempts: 10 + +############################################################################### +# +# Operations section +# +############################################################################### +operations: + # host and port for the operations server + listenAddress: 127.0.0.1:9443 + + # TLS configuration for the operations endpoint + tls: + # TLS enabled + enabled: false + + # path to PEM encoded server certificate for the operations server + cert: + file: + + # path to PEM encoded server key for the operations server + key: + file: + + # require client certificate authentication to access all resources + clientAuthRequired: false + + # paths to PEM encoded ca certificates to trust for client authentication + clientRootCAs: + files: [] + +############################################################################### +# +# Metrics section +# +############################################################################### +metrics: + # statsd, prometheus, or disabled + provider: disabled + + # statsd configuration + statsd: + # network type: tcp or udp + network: udp + + # statsd server address + address: 127.0.0.1:8125 + + # the interval at which locally cached counters and gauges are pushsed + # to statsd; timings are pushed immediately + writeInterval: 10s + + # prefix is prepended to all emitted statsd merics + prefix: server diff --git a/test-network-k8s/config/org1/fabric-tls-ca-server-config.yaml b/test-network-k8s/config/org1/fabric-tls-ca-server-config.yaml new file mode 100644 index 00000000..23860537 --- /dev/null +++ b/test-network-k8s/config/org1/fabric-tls-ca-server-config.yaml @@ -0,0 +1,496 @@ +############################################################################# +# This is a configuration file for the fabric-ca-server command. +# +# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES +# ------------------------------------------------ +# Each configuration element can be overridden via command line +# arguments or environment variables. The precedence for determining +# the value of each element is as follows: +# 1) command line argument +# Examples: +# a) --port 443 +# To set the listening port +# b) --ca.keyfile ../mykey.pem +# To set the "keyfile" element in the "ca" section below; +# note the '.' separator character. +# 2) environment variable +# Examples: +# a) FABRIC_CA_SERVER_PORT=443 +# To set the listening port +# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" +# To set the "keyfile" element in the "ca" section below; +# note the '_' separator character. +# 3) configuration file +# 4) default value (if there is one) +# All default values are shown beside each element below. +# +# FILE NAME ELEMENTS +# ------------------ +# The value of all fields whose name ends with "file" or "files" are +# name or names of other files. +# For example, see "tls.certfile" and "tls.clientauth.certfiles". +# The value of each of these fields can be a simple filename, a +# relative path, or an absolute path. If the value is not an +# absolute path, it is interpretted as being relative to the location +# of this configuration file. +# +############################################################################# + +# Version of config file +version: 1.5.2 + +# Server's listening port (default: 7054) +port: 443 + +# Cross-Origin Resource Sharing (CORS) +cors: + enabled: false + origins: + - "*" + +# Enables debug logging (default: false) +debug: false + +# Size limit of an acceptable CRL in bytes (default: 512000) +crlsizelimit: 512000 + +############################################################################# +# TLS section for the server's listening port +# +# The following types are supported for client authentication: NoClientCert, +# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, +# and RequireAndVerifyClientCert. +# +# Certfiles is a list of root certificate authorities that the server uses +# when verifying client certificates. +############################################################################# +tls: + # Enable TLS (default: false) + enabled: true + # TLS for the server's listening port + certfile: + keyfile: + clientauth: + type: noclientcert + certfiles: + +############################################################################# +# The CA section contains information related to the Certificate Authority +# including the name of the CA, which should be unique for all members +# of a blockchain network. It also includes the key and certificate files +# used when issuing enrollment certificates (ECerts) and transaction +# certificates (TCerts). +# The chainfile (if it exists) contains the certificate chain which +# should be trusted for this CA, where the 1st in the chain is always the +# root CA certificate. +############################################################################# +ca: + # Name of this CA + name: org1-tls-ca + # Key file (is only used to import a private key into BCCSP) + keyfile: + # Certificate file (default: ca-cert.pem) + certfile: + # Chain file + chainfile: + +############################################################################# +# The gencrl REST endpoint is used to generate a CRL that contains revoked +# certificates. This section contains configuration options that are used +# during gencrl request processing. +############################################################################# +crl: + # Specifies expiration for the generated CRL. The number of hours + # specified by this property is added to the UTC time, the resulting time + # is used to set the 'Next Update' date of the CRL. + expiry: 24h + +############################################################################# +# The registry section controls how the fabric-ca-server does two things: +# 1) authenticates enrollment requests which contain a username and password +# (also known as an enrollment ID and secret). +# 2) once authenticated, retrieves the identity's attribute names and +# values which the fabric-ca-server optionally puts into TCerts +# which it issues for transacting on the Hyperledger Fabric blockchain. +# These attributes are useful for making access control decisions in +# chaincode. +# There are two main configuration options: +# 1) The fabric-ca-server is the registry. +# This is true if "ldap.enabled" in the ldap section below is false. +# 2) An LDAP server is the registry, in which case the fabric-ca-server +# calls the LDAP server to perform these tasks. +# This is true if "ldap.enabled" in the ldap section below is true, +# which means this "registry" section is ignored. +############################################################################# +registry: + # Maximum number of times a password/secret can be reused for enrollment + # (default: -1, which means there is no limit) + maxenrollments: -1 + + # Contains identity information which is used when LDAP is disabled + identities: + - name: tlsadmin + pass: tlsadminpw + type: client + affiliation: "" + attrs: + hf.Registrar.Roles: "*" + hf.Registrar.DelegateRoles: "*" + hf.Revoker: true + hf.IntermediateCA: true + hf.GenCRL: true + hf.Registrar.Attributes: "*" + hf.AffiliationMgr: true + +############################################################################# +# Database section +# Supported types are: "sqlite3", "postgres", and "mysql". +# The datasource value depends on the type. +# If the type is "sqlite3", the datasource value is a file name to use +# as the database store. Since "sqlite3" is an embedded database, it +# may not be used if you want to run the fabric-ca-server in a cluster. +# To run the fabric-ca-server in a cluster, you must choose "postgres" +# or "mysql". +############################################################################# +db: + type: sqlite3 + datasource: fabric-ca-server.db + tls: + enabled: false + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# LDAP section +# If LDAP is enabled, the fabric-ca-server calls LDAP to: +# 1) authenticate enrollment ID and secret (i.e. username and password) +# for enrollment requests; +# 2) To retrieve identity attributes +############################################################################# +ldap: + # Enables or disables the LDAP client (default: false) + # If this is set to true, the "registry" section is ignored. + enabled: false + # The URL of the LDAP server + url: ldap://:@:/ + # TLS configuration for the client connection to the LDAP server + tls: + certfiles: + client: + certfile: + keyfile: + # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes + attribute: + # 'names' is an array of strings containing the LDAP attribute names which are + # requested from the LDAP server for an LDAP identity's entry + names: ['uid','member'] + # The 'converters' section is used to convert an LDAP entry to the value of + # a fabric CA attribute. + # For example, the following converts an LDAP 'uid' attribute + # whose value begins with 'revoker' to a fabric CA attribute + # named "hf.Revoker" with a value of "true" (because the boolean expression + # evaluates to true). + # converters: + # - name: hf.Revoker + # value: attr("uid") =~ "revoker*" + converters: + - name: + value: + # The 'maps' section contains named maps which may be referenced by the 'map' + # function in the 'converters' section to map LDAP responses to arbitrary values. + # For example, assume a user has an LDAP attribute named 'member' which has multiple + # values which are each a distinguished name (i.e. a DN). For simplicity, assume the + # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. + # Further assume the following configuration. + # converters: + # - name: hf.Registrar.Roles + # value: map(attr("member"),"groups") + # maps: + # groups: + # - name: dn1 + # value: peer + # - name: dn2 + # value: client + # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be + # "peer,client,dn3". This is because the value of 'attr("member")' is + # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of + # "group" replaces "dn1" with "peer" and "dn2" with "client". + maps: + groups: + - name: + value: + +############################################################################# +# Affiliations section. Fabric CA server can be bootstrapped with the +# affiliations specified in this section. Affiliations are specified as maps. +# For example: +# businessunit1: +# department1: +# - team1 +# businessunit2: +# - department2 +# - department3 +# +# Affiliations are hierarchical in nature. In the above example, +# department1 (used as businessunit1.department1) is the child of businessunit1. +# team1 (used as businessunit1.department1.team1) is the child of department1. +# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) +# are children of businessunit2. +# Note: Affiliations are case sensitive except for the non-leaf affiliations +# (like businessunit1, department1, businessunit2) that are specified in the configuration file, +# which are always stored in lower case. +############################################################################# +affiliations: + org1: + - department1 + - department2 + org2: + - department1 + +############################################################################# +# Signing section +# +# The "default" subsection is used to sign enrollment certificates; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +# +# The "ca" profile subsection is used to sign intermediate CA certificates; +# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. +# Note that "isca" is true, meaning that it issues a CA certificate. +# A maxpathlen of 0 means that the intermediate CA cannot issue other +# intermediate CA certificates, though it can still issue end entity certificates. +# (See RFC 5280, section 4.2.1.9) +# +# The "tls" profile subsection is used to sign TLS certificate requests; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +############################################################################# +signing: + default: + authremote: {} + caconstraint: {} + expiry: 8760h + usage: + - signing + - key encipherment + - server auth + - client auth + - key agreement + profiles: null + +########################################################################### +# Certificate Signing Request (CSR) section. +# This controls the creation of the root CA certificate. +# The expiration for the root CA certificate is configured with the +# "ca.expiry" field below, whose default value is "131400h" which is +# 15 years in hours. +# The pathlength field is used to limit CA certificate hierarchy as described +# in section 4.2.1.9 of RFC 5280. +# Examples: +# 1) No pathlength value means no limit is requested. +# 2) pathlength == 1 means a limit of 1 is requested which is the default for +# a root CA. This means the root CA can issue intermediate CA certificates, +# but these intermediate CAs may not in turn issue other CA certificates +# though they can still issue end entity certificates. +# 3) pathlength == 0 means a limit of 0 is requested; +# this is the default for an intermediate CA, which means it can not issue +# CA certificates though it can still issue end entity certificates. +########################################################################### +csr: + cn: fabric-ca-server + keyrequest: + algo: ecdsa + size: 256 + names: + - C: US + ST: "North Carolina" + L: + O: Hyperledger + OU: Fabric + hosts: + - localhost + - 127.0.0.1 + - org1-tls-ca + - org1-tls-ca.test-network.svc.cluster.local + ca: + expiry: 131400h + pathlength: 1 + +########################################################################### +# Each CA can issue both X509 enrollment certificate as well as Idemix +# Credential. This section specifies configuration for the issuer component +# that is responsible for issuing Idemix credentials. +########################################################################### +idemix: + # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an + # Idemix credential. The issuer will create a pool revocation handles of this specified size. When + # a credential is requested, issuer will get handle from the pool and assign it to the credential. + # Issuer will repopulate the pool with new handles when the last handle in the pool is used. + # A revocation handle and credential revocation information (CRI) are used to create non revocation proof + # by the prover to prove to the verifier that her credential is not revoked. + rhpoolsize: 1000 + + # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer + # and second step is send credential request that is constructed using the nonce to the isuser to + # request a credential. This configuration property specifies expiration for the nonces. By default is + # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration). + nonceexpiration: 15s + + # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes. + # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration) + noncesweepinterval: 15m + +############################################################################# +# BCCSP (BlockChain Crypto Service Provider) section is used to select which +# crypto library implementation to use +############################################################################# +bccsp: + default: SW + sw: + hash: SHA2 + security: 256 + filekeystore: + # The directory used for the software file-based keystore + keystore: msp/keystore + +############################################################################# +# Multi CA section +# +# Each Fabric CA server contains one CA by default. This section is used +# to configure multiple CAs in a single server. +# +# 1) --cacount +# Automatically generate non-default CAs. The names of these +# additional CAs are "ca1", "ca2", ... "caN", where "N" is +# This is particularly useful in a development environment to quickly set up +# multiple CAs. Note that, this config option is not applicable to intermediate CA server +# i.e., Fabric CA server that is started with intermediate.parentserver.url config +# option (-u command line option) +# +# 2) --cafiles +# For each CA config file in the list, generate a separate signing CA. Each CA +# config file in this list MAY contain all of the same elements as are found in +# the server config file except port, debug, and tls sections. +# +# Examples: +# fabric-ca-server start -b admin:adminpw --cacount 2 +# +# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml +# --cafiles ca/ca2/fabric-ca-server-config.yaml +# +############################################################################# + +cacount: + +cafiles: + +############################################################################# +# Intermediate CA section +# +# The relationship between servers and CAs is as follows: +# 1) A single server process may contain or function as one or more CAs. +# This is configured by the "Multi CA section" above. +# 2) Each CA is either a root CA or an intermediate CA. +# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. +# +# This section pertains to configuration of #2 and #3. +# If the "intermediate.parentserver.url" property is set, +# then this is an intermediate CA with the specified parent +# CA. +# +# parentserver section +# url - The URL of the parent server +# caname - Name of the CA to enroll within the server +# +# enrollment section used to enroll intermediate CA with parent CA +# profile - Name of the signing profile to use in issuing the certificate +# label - Label to use in HSM operations +# +# tls section for secure socket connection +# certfiles - PEM-encoded list of trusted root certificate files +# client: +# certfile - PEM-encoded certificate file for when client authentication +# is enabled on server +# keyfile - PEM-encoded key file for when client authentication +# is enabled on server +############################################################################# +intermediate: + parentserver: + url: + caname: + + enrollment: + hosts: + profile: + label: + + tls: + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# CA configuration section +# +# Configure the number of incorrect password attempts are allowed for +# identities. By default, the value of 'passwordattempts' is 10, which +# means that 10 incorrect password attempts can be made before an identity get +# locked out. +############################################################################# +cfg: + identities: + passwordattempts: 10 + +############################################################################### +# +# Operations section +# +############################################################################### +operations: + # host and port for the operations server + listenAddress: 127.0.0.1:9444 + + # TLS configuration for the operations endpoint + tls: + # TLS enabled + enabled: false + + # path to PEM encoded server certificate for the operations server + cert: + file: + + # path to PEM encoded server key for the operations server + key: + file: + + # require client certificate authentication to access all resources + clientAuthRequired: false + + # paths to PEM encoded ca certificates to trust for client authentication + clientRootCAs: + files: [] + +############################################################################### +# +# Metrics section +# +############################################################################### +metrics: + # statsd, prometheus, or disabled + provider: disabled + + # statsd configuration + statsd: + # network type: tcp or udp + network: udp + + # statsd server address + address: 127.0.0.1:8125 + + # the interval at which locally cached counters and gauges are pushsed + # to statsd; timings are pushed immediately + writeInterval: 10s + + # prefix is prepended to all emitted statsd merics + prefix: server diff --git a/test-network-k8s/config/org2/core.yaml b/test-network-k8s/config/org2/core.yaml new file mode 100644 index 00000000..791af4c3 --- /dev/null +++ b/test-network-k8s/config/org2/core.yaml @@ -0,0 +1,759 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +############################################################################### +# +# Peer section +# +############################################################################### +peer: + + # The peer id provides a name for this peer instance and is used when + # naming docker resources. + id: jdoe + + # The networkId allows for logical separation of networks and is used when + # naming docker resources. + networkId: dev + + # The Address at local network interface this Peer will listen on. + # By default, it will listen on all network interfaces + listenAddress: 0.0.0.0:7051 + + # The endpoint this peer uses to listen for inbound chaincode connections. + # If this is commented-out, the listen address is selected to be + # the peer's address (see below) with port 7052 + # chaincodeListenAddress: 0.0.0.0:7052 + + # The endpoint the chaincode for this peer uses to connect to the peer. + # If this is not specified, the chaincodeListenAddress address is selected. + # And if chaincodeListenAddress is not specified, address is selected from + # peer address (see below). If specified peer address is invalid then it + # will fallback to the auto detected IP (local IP) regardless of the peer + # addressAutoDetect value. + # chaincodeAddress: 0.0.0.0:7052 + + # When used as peer config, this represents the endpoint to other peers + # in the same organization. For peers in other organization, see + # gossip.externalEndpoint for more info. + # When used as CLI config, this means the peer's endpoint to interact with + address: 0.0.0.0:7051 + + # Whether the Peer should programmatically determine its address + # This case is useful for docker containers. + # When set to true, will override peer address. + addressAutoDetect: false + + # Keepalive settings for peer server and clients + keepalive: + # Interval is the duration after which if the server does not see + # any activity from the client it pings the client to see if it's alive + interval: 7200s + # Timeout is the duration the server waits for a response + # from the client after sending a ping before closing the connection + timeout: 20s + # MinInterval is the minimum permitted time between client pings. + # If clients send pings more frequently, the peer server will + # disconnect them + minInterval: 60s + # Client keepalive settings for communicating with other peer nodes + client: + # Interval is the time between pings to peer nodes. This must + # greater than or equal to the minInterval specified by peer + # nodes + interval: 60s + # Timeout is the duration the client waits for a response from + # peer nodes before closing the connection + timeout: 20s + # DeliveryClient keepalive settings for communication with ordering + # nodes. + deliveryClient: + # Interval is the time between pings to ordering nodes. This must + # greater than or equal to the minInterval specified by ordering + # nodes. + interval: 60s + # Timeout is the duration the client waits for a response from + # ordering nodes before closing the connection + timeout: 20s + + + # Gossip related configuration + gossip: + # Bootstrap set to initialize gossip with. + # This is a list of other peers that this peer reaches out to at startup. + # Important: The endpoints here have to be endpoints of peers in the same + # organization, because the peer would refuse connecting to these endpoints + # unless they are in the same organization as the peer. + bootstrap: 127.0.0.1:7051 + + # NOTE: orgLeader and useLeaderElection parameters are mutual exclusive. + # Setting both to true would result in the termination of the peer + # since this is undefined state. If the peers are configured with + # useLeaderElection=false, make sure there is at least 1 peer in the + # organization that its orgLeader is set to true. + + # Defines whenever peer will initialize dynamic algorithm for + # "leader" selection, where leader is the peer to establish + # connection with ordering service and use delivery protocol + # to pull ledger blocks from ordering service. + useLeaderElection: false + # Statically defines peer to be an organization "leader", + # where this means that current peer will maintain connection + # with ordering service and disseminate block across peers in + # its own organization. Multiple peers or all peers in an organization + # may be configured as org leaders, so that they all pull + # blocks directly from ordering service. + orgLeader: true + + # Interval for membershipTracker polling + membershipTrackerInterval: 5s + + # Overrides the endpoint that the peer publishes to peers + # in its organization. For peers in foreign organizations + # see 'externalEndpoint' + endpoint: + # Maximum count of blocks stored in memory + maxBlockCountToStore: 10 + # Max time between consecutive message pushes(unit: millisecond) + maxPropagationBurstLatency: 10ms + # Max number of messages stored until a push is triggered to remote peers + maxPropagationBurstSize: 10 + # Number of times a message is pushed to remote peers + propagateIterations: 1 + # Number of peers selected to push messages to + propagatePeerNum: 3 + # Determines frequency of pull phases(unit: second) + # Must be greater than digestWaitTime + responseWaitTime + pullInterval: 4s + # Number of peers to pull from + pullPeerNum: 3 + # Determines frequency of pulling state info messages from peers(unit: second) + requestStateInfoInterval: 4s + # Determines frequency of pushing state info messages to peers(unit: second) + publishStateInfoInterval: 4s + # Maximum time a stateInfo message is kept until expired + stateInfoRetentionInterval: + # Time from startup certificates are included in Alive messages(unit: second) + publishCertPeriod: 10s + # Should we skip verifying block messages or not (currently not in use) + skipBlockVerification: false + # Dial timeout(unit: second) + dialTimeout: 3s + # Connection timeout(unit: second) + connTimeout: 2s + # Buffer size of received messages + recvBuffSize: 20 + # Buffer size of sending messages + sendBuffSize: 200 + # Time to wait before pull engine processes incoming digests (unit: second) + # Should be slightly smaller than requestWaitTime + digestWaitTime: 1s + # Time to wait before pull engine removes incoming nonce (unit: milliseconds) + # Should be slightly bigger than digestWaitTime + requestWaitTime: 1500ms + # Time to wait before pull engine ends pull (unit: second) + responseWaitTime: 2s + # Alive check interval(unit: second) + aliveTimeInterval: 5s + # Alive expiration timeout(unit: second) + aliveExpirationTimeout: 25s + # Reconnect interval(unit: second) + reconnectInterval: 25s + # Max number of attempts to connect to a peer + maxConnectionAttempts: 120 + # Message expiration factor for alive messages + msgExpirationFactor: 20 + # This is an endpoint that is published to peers outside of the organization. + # If this isn't set, the peer will not be known to other organizations. + externalEndpoint: + # Leader election service configuration + election: + # Longest time peer waits for stable membership during leader election startup (unit: second) + startupGracePeriod: 15s + # Interval gossip membership samples to check its stability (unit: second) + membershipSampleInterval: 1s + # Time passes since last declaration message before peer decides to perform leader election (unit: second) + leaderAliveThreshold: 10s + # Time between peer sends propose message and declares itself as a leader (sends declaration message) (unit: second) + leaderElectionDuration: 5s + + pvtData: + # pullRetryThreshold determines the maximum duration of time private data corresponding for a given block + # would be attempted to be pulled from peers until the block would be committed without the private data + pullRetryThreshold: 60s + # As private data enters the transient store, it is associated with the peer's ledger's height at that time. + # transientstoreMaxBlockRetention defines the maximum difference between the current ledger's height upon commit, + # and the private data residing inside the transient store that is guaranteed not to be purged. + # Private data is purged from the transient store when blocks with sequences that are multiples + # of transientstoreMaxBlockRetention are committed. + transientstoreMaxBlockRetention: 1000 + # pushAckTimeout is the maximum time to wait for an acknowledgement from each peer + # at private data push at endorsement time. + pushAckTimeout: 3s + # Block to live pulling margin, used as a buffer + # to prevent peer from trying to pull private data + # from peers that is soon to be purged in next N blocks. + # This helps a newly joined peer catch up to current + # blockchain height quicker. + btlPullMargin: 10 + # the process of reconciliation is done in an endless loop, while in each iteration reconciler tries to + # pull from the other peers the most recent missing blocks with a maximum batch size limitation. + # reconcileBatchSize determines the maximum batch size of missing private data that will be reconciled in a + # single iteration. + reconcileBatchSize: 10 + # reconcileSleepInterval determines the time reconciler sleeps from end of an iteration until the beginning + # of the next reconciliation iteration. + reconcileSleepInterval: 1m + # reconciliationEnabled is a flag that indicates whether private data reconciliation is enable or not. + reconciliationEnabled: true + # skipPullingInvalidTransactionsDuringCommit is a flag that indicates whether pulling of invalid + # transaction's private data from other peers need to be skipped during the commit time and pulled + # only through reconciler. + skipPullingInvalidTransactionsDuringCommit: false + # implicitCollectionDisseminationPolicy specifies the dissemination policy for the peer's own implicit collection. + # When a peer endorses a proposal that writes to its own implicit collection, below values override the default values + # for disseminating private data. + # Note that it is applicable to all channels the peer has joined. The implication is that requiredPeerCount has to + # be smaller than the number of peers in a channel that has the lowest numbers of peers from the organization. + implicitCollectionDisseminationPolicy: + # requiredPeerCount defines the minimum number of eligible peers to which the peer must successfully + # disseminate private data for its own implicit collection during endorsement. Default value is 0. + requiredPeerCount: 0 + # maxPeerCount defines the maximum number of eligible peers to which the peer will attempt to + # disseminate private data for its own implicit collection during endorsement. Default value is 1. + maxPeerCount: 1 + + # Gossip state transfer related configuration + state: + # indicates whenever state transfer is enabled or not + # default value is true, i.e. state transfer is active + # and takes care to sync up missing blocks allowing + # lagging peer to catch up to speed with rest network. + # Keep in mind that when peer.gossip.useLeaderElection is true + # and there are several peers in the organization, + # or peer.gossip.useLeaderElection is false alongside with + # peer.gossip.orgleader being false, the peer's ledger may lag behind + # the rest of the peers and will never catch up due to state transfer + # being disabled. + enabled: false + # checkInterval interval to check whether peer is lagging behind enough to + # request blocks via state transfer from another peer. + checkInterval: 10s + # responseTimeout amount of time to wait for state transfer response from + # other peers + responseTimeout: 3s + # batchSize the number of blocks to request via state transfer from another peer + batchSize: 10 + # blockBufferSize reflects the size of the re-ordering buffer + # which captures blocks and takes care to deliver them in order + # down to the ledger layer. The actual buffer size is bounded between + # 0 and 2*blockBufferSize, each channel maintains its own buffer + blockBufferSize: 20 + # maxRetries maximum number of re-tries to ask + # for single state transfer request + maxRetries: 3 + + # TLS Settings + tls: + # Require server-side TLS + enabled: true + # Require client certificates / mutual TLS for inbound connections. + # Note that clients that are not configured to use a certificate will + # fail to connect to the peer. + clientAuthRequired: false + # X.509 certificate used for TLS server + cert: + file: tls/server.crt + # Private key used for TLS server + key: + file: tls/server.key + # rootcert.file represents the trusted root certificate chain used for verifying certificates + # of other nodes during outbound connections. + # It is not required to be set, but can be used to augment the set of TLS CA certificates + # available from the MSPs of each channel’s configuration. + rootcert: + file: tls/ca.crt + # If mutual TLS is enabled, clientRootCAs.files contains a list of additional root certificates + # used for verifying certificates of client connections. + # It augments the set of TLS CA certificates available from the MSPs of each channel’s configuration. + # Minimally, set your organization's TLS CA root certificate so that the peer can receive join channel requests. + clientRootCAs: + files: + - tls/ca.crt + # Private key used for TLS when making client connections. + # If not set, peer.tls.key.file will be used instead + clientKey: + file: + # X.509 certificate used for TLS when making client connections. + # If not set, peer.tls.cert.file will be used instead + clientCert: + file: + + # Authentication contains configuration parameters related to authenticating + # client messages + authentication: + # the acceptable difference between the current server time and the + # client's time as specified in a client request message + timewindow: 15m + + # Path on the file system where peer will store data (eg ledger). This + # location must be access control protected to prevent unintended + # modification that might corrupt the peer operations. + fileSystemPath: /var/hyperledger/production + + # BCCSP (Blockchain crypto provider): Select which crypto implementation or + # library to use + BCCSP: + Default: SW + # Settings for the SW crypto provider (i.e. when DEFAULT: SW) + SW: + # TODO: The default Hash and Security level needs refactoring to be + # fully configurable. Changing these defaults requires coordination + # SHA2 is hardcoded in several places, not only BCCSP + Hash: SHA2 + Security: 256 + # Location of Key Store + FileKeyStore: + # If "", defaults to 'mspConfigPath'/keystore + KeyStore: + # Settings for the PKCS#11 crypto provider (i.e. when DEFAULT: PKCS11) + PKCS11: + # Location of the PKCS11 module library + Library: + # Token Label + Label: + # User PIN + Pin: + Hash: + Security: + + # Path on the file system where peer will find MSP local configurations + mspConfigPath: msp + + # Identifier of the local MSP + # ----!!!!IMPORTANT!!!-!!!IMPORTANT!!!-!!!IMPORTANT!!!!---- + # Deployers need to change the value of the localMspId string. + # In particular, the name of the local MSP ID of a peer needs + # to match the name of one of the MSPs in each of the channel + # that this peer is a member of. Otherwise this peer's messages + # will not be identified as valid by other nodes. + localMspId: Org2MSP + + # CLI common client config options + client: + # connection timeout + connTimeout: 3s + + # Delivery service related config + deliveryclient: + # It sets the total time the delivery service may spend in reconnection + # attempts until its retry logic gives up and returns an error + reconnectTotalTimeThreshold: 3600s + + # It sets the delivery service <-> ordering service node connection timeout + connTimeout: 3s + + # It sets the delivery service maximal delay between consecutive retries + reConnectBackoffThreshold: 3600s + + # A list of orderer endpoint addresses which should be overridden + # when found in channel configurations. + addressOverrides: + # - from: + # to: + # caCertsFile: + # - from: + # to: + # caCertsFile: + + # Type for the local MSP - by default it's of type bccsp + localMspType: bccsp + + # Used with Go profiling tools only in none production environment. In + # production, it should be disabled (eg enabled: false) + profile: + enabled: false + listenAddress: 0.0.0.0:6060 + + # Handlers defines custom handlers that can filter and mutate + # objects passing within the peer, such as: + # Auth filter - reject or forward proposals from clients + # Decorators - append or mutate the chaincode input passed to the chaincode + # Endorsers - Custom signing over proposal response payload and its mutation + # Valid handler definition contains: + # - A name which is a factory method name defined in + # core/handlers/library/library.go for statically compiled handlers + # - library path to shared object binary for pluggable filters + # Auth filters and decorators are chained and executed in the order that + # they are defined. For example: + # authFilters: + # - + # name: FilterOne + # library: /opt/lib/filter.so + # - + # name: FilterTwo + # decorators: + # - + # name: DecoratorOne + # - + # name: DecoratorTwo + # library: /opt/lib/decorator.so + # Endorsers are configured as a map that its keys are the endorsement system chaincodes that are being overridden. + # Below is an example that overrides the default ESCC and uses an endorsement plugin that has the same functionality + # as the default ESCC. + # If the 'library' property is missing, the name is used as the constructor method in the builtin library similar + # to auth filters and decorators. + # endorsers: + # escc: + # name: DefaultESCC + # library: /etc/hyperledger/fabric/plugin/escc.so + handlers: + authFilters: + - + name: DefaultAuth + - + name: ExpirationCheck # This filter checks identity x509 certificate expiration + decorators: + - + name: DefaultDecorator + endorsers: + escc: + name: DefaultEndorsement + library: + validators: + vscc: + name: DefaultValidation + library: + + # library: /etc/hyperledger/fabric/plugin/escc.so + # Number of goroutines that will execute transaction validation in parallel. + # By default, the peer chooses the number of CPUs on the machine. Set this + # variable to override that choice. + # NOTE: overriding this value might negatively influence the performance of + # the peer so please change this value only if you know what you're doing + validatorPoolSize: + + # The discovery service is used by clients to query information about peers, + # such as - which peers have joined a certain channel, what is the latest + # channel config, and most importantly - given a chaincode and a channel, + # what possible sets of peers satisfy the endorsement policy. + discovery: + enabled: true + # Whether the authentication cache is enabled or not. + authCacheEnabled: true + # The maximum size of the cache, after which a purge takes place + authCacheMaxSize: 1000 + # The proportion (0 to 1) of entries that remain in the cache after the cache is purged due to overpopulation + authCachePurgeRetentionRatio: 0.75 + # Whether to allow non-admins to perform non channel scoped queries. + # When this is false, it means that only peer admins can perform non channel scoped queries. + orgMembersAllowedAccess: false + + # Limits is used to configure some internal resource limits. + limits: + # Concurrency limits the number of concurrently running requests to a service on each peer. + # Currently this option is only applied to endorser service and deliver service. + # When the property is missing or the value is 0, the concurrency limit is disabled for the service. + concurrency: + # endorserService limits concurrent requests to endorser service that handles chaincode deployment, query and invocation, + # including both user chaincodes and system chaincodes. + endorserService: 2500 + # deliverService limits concurrent event listeners registered to deliver service for blocks and transaction events. + deliverService: 2500 + +############################################################################### +# +# VM section +# +############################################################################### +vm: + + # Endpoint of the vm management system. For docker can be one of the following in general + # unix:///var/run/docker.sock + # http://localhost:2375 + # https://localhost:2376 + endpoint: unix:///var/run/docker.sock + + # settings for docker vms + docker: + tls: + enabled: false + ca: + file: docker/ca.crt + cert: + file: docker/tls.crt + key: + file: docker/tls.key + + # Enables/disables the standard out/err from chaincode containers for + # debugging purposes + attachStdout: false + + # Parameters on creating docker container. + # Container may be efficiently created using ipam & dns-server for cluster + # NetworkMode - sets the networking mode for the container. Supported + # standard values are: `host`(default),`bridge`,`ipvlan`,`none`. + # Dns - a list of DNS servers for the container to use. + # Note: `Privileged` `Binds` `Links` and `PortBindings` properties of + # Docker Host Config are not supported and will not be used if set. + # LogConfig - sets the logging driver (Type) and related options + # (Config) for Docker. For more info, + # https://docs.docker.com/engine/admin/logging/overview/ + # Note: Set LogConfig using Environment Variables is not supported. + hostConfig: + NetworkMode: host + Dns: + # - 192.168.0.1 + LogConfig: + Type: json-file + Config: + max-size: "50m" + max-file: "5" + Memory: 2147483648 + +############################################################################### +# +# Chaincode section +# +############################################################################### +chaincode: + + # The id is used by the Chaincode stub to register the executing Chaincode + # ID with the Peer and is generally supplied through ENV variables + # the `path` form of ID is provided when installing the chaincode. + # The `name` is used for all other requests and can be any string. + id: + path: + name: + + # Generic builder environment, suitable for most chaincode types + builder: $(DOCKER_NS)/fabric-ccenv:$(TWO_DIGIT_VERSION) + + # Enables/disables force pulling of the base docker images (listed below) + # during user chaincode instantiation. + # Useful when using moving image tags (such as :latest) + pull: false + + golang: + # golang will never need more than baseos + runtime: $(DOCKER_NS)/fabric-baseos:$(TWO_DIGIT_VERSION) + + # whether or not golang chaincode should be linked dynamically + dynamicLink: false + + java: + # This is an image based on java:openjdk-8 with addition compiler + # tools added for java shim layer packaging. + # This image is packed with shim layer libraries that are necessary + # for Java chaincode runtime. + runtime: $(DOCKER_NS)/fabric-javaenv:$(TWO_DIGIT_VERSION) + + node: + # This is an image based on node:$(NODE_VER)-alpine + runtime: $(DOCKER_NS)/fabric-nodeenv:$(TWO_DIGIT_VERSION) + + # List of directories to treat as external builders and launchers for + # chaincode. The external builder detection processing will iterate over the + # builders in the order specified below. + externalBuilders: + - path: /var/hyperledger/fabric/chaincode/ccs-builder + name: ccs-builder + propagateEnvironment: + - HOME + - CORE_PEER_ID + - CORE_PEER_LOCALMSPID + + # The maximum duration to wait for the chaincode build and install process + # to complete. + installTimeout: 300s + + # Timeout duration for starting up a container and waiting for Register + # to come through. + startuptimeout: 300s + + # Timeout duration for Invoke and Init calls to prevent runaway. + # This timeout is used by all chaincodes in all the channels, including + # system chaincodes. + # Note that during Invoke, if the image is not available (e.g. being + # cleaned up when in development environment), the peer will automatically + # build the image, which might take more time. In production environment, + # the chaincode image is unlikely to be deleted, so the timeout could be + # reduced accordingly. + executetimeout: 30s + + # There are 2 modes: "dev" and "net". + # In dev mode, user runs the chaincode after starting peer from + # command line on local machine. + # In net mode, peer will run chaincode in a docker container. + mode: net + + # keepalive in seconds. In situations where the communication goes through a + # proxy that does not support keep-alive, this parameter will maintain connection + # between peer and chaincode. + # A value <= 0 turns keepalive off + keepalive: 0 + + # enabled system chaincodes + system: + _lifecycle: enable + cscc: enable + lscc: enable + qscc: enable + + # Logging section for the chaincode container + logging: + # Default level for all loggers within the chaincode container + level: info + # Override default level for the 'shim' logger + shim: warning + # Format for the chaincode container logs + format: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}' + +############################################################################### +# +# Ledger section - ledger configuration encompasses both the blockchain +# and the state +# +############################################################################### +ledger: + + blockchain: + + state: + # stateDatabase - options are "goleveldb", "CouchDB" + # goleveldb - default state database stored in goleveldb. + # CouchDB - store state database in CouchDB + stateDatabase: goleveldb + # Limit on the number of records to return per query + totalQueryLimit: 100000 + couchDBConfig: + # It is recommended to run CouchDB on the same server as the peer, and + # not map the CouchDB container port to a server port in docker-compose. + # Otherwise proper security must be provided on the connection between + # CouchDB client (on the peer) and server. + couchDBAddress: 127.0.0.1:5984 + # This username must have read and write authority on CouchDB + username: + # The password is recommended to pass as an environment variable + # during start up (eg CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD). + # If it is stored here, the file must be access control protected + # to prevent unintended users from discovering the password. + password: + # Number of retries for CouchDB errors + maxRetries: 3 + # Number of retries for CouchDB errors during peer startup. + # The delay between retries doubles for each attempt. + # Default of 10 retries results in 11 attempts over 2 minutes. + maxRetriesOnStartup: 10 + # CouchDB request timeout (unit: duration, e.g. 20s) + requestTimeout: 35s + # Limit on the number of records per each CouchDB query + # Note that chaincode queries are only bound by totalQueryLimit. + # Internally the chaincode may execute multiple CouchDB queries, + # each of size internalQueryLimit. + internalQueryLimit: 1000 + # Limit on the number of records per CouchDB bulk update batch + maxBatchUpdateSize: 1000 + # Warm indexes after every N blocks. + # This option warms any indexes that have been + # deployed to CouchDB after every N blocks. + # A value of 1 will warm indexes after every block commit, + # to ensure fast selector queries. + # Increasing the value may improve write efficiency of peer and CouchDB, + # but may degrade query response time. + warmIndexesAfterNBlocks: 1 + # Create the _global_changes system database + # This is optional. Creating the global changes database will require + # additional system resources to track changes and maintain the database + createGlobalChangesDB: false + # CacheSize denotes the maximum mega bytes (MB) to be allocated for the in-memory state + # cache. Note that CacheSize needs to be a multiple of 32 MB. If it is not a multiple + # of 32 MB, the peer would round the size to the next multiple of 32 MB. + # To disable the cache, 0 MB needs to be assigned to the cacheSize. + cacheSize: 64 + + history: + # enableHistoryDatabase - options are true or false + # Indicates if the history of key updates should be stored. + # All history 'index' will be stored in goleveldb, regardless if using + # CouchDB or alternate database for the state. + enableHistoryDatabase: true + + pvtdataStore: + # the maximum db batch size for converting + # the ineligible missing data entries to eligible missing data entries + collElgProcMaxDbBatchSize: 5000 + # the minimum duration (in milliseconds) between writing + # two consecutive db batches for converting the ineligible missing data entries to eligible missing data entries + collElgProcDbBatchesInterval: 1000 + # The missing data entries are classified into two categories: + # (1) prioritized + # (2) deprioritized + # Initially, all missing data are in the prioritized list. When the + # reconciler is unable to fetch the missing data from other peers, + # the unreconciled missing data would be moved to the deprioritized list. + # The reconciler would retry deprioritized missing data after every + # deprioritizedDataReconcilerInterval (unit: minutes). Note that the + # interval needs to be greater than the reconcileSleepInterval + deprioritizedDataReconcilerInterval: 60m + + snapshots: + # Path on the file system where peer will store ledger snapshots + rootDir: /var/hyperledger/production/snapshots + +############################################################################### +# +# Operations section +# +############################################################################### +operations: + # host and port for the operations server + listenAddress: 127.0.0.1:9443 + + # TLS configuration for the operations endpoint + tls: + # TLS enabled + enabled: false + + # path to PEM encoded server certificate for the operations server + cert: + file: + + # path to PEM encoded server key for the operations server + key: + file: + + # most operations service endpoints require client authentication when TLS + # is enabled. clientAuthRequired requires client certificate authentication + # at the TLS layer to access all resources. + clientAuthRequired: false + + # paths to PEM encoded ca certificates to trust for client authentication + clientRootCAs: + files: [] + +############################################################################### +# +# Metrics section +# +############################################################################### +metrics: + # metrics provider is one of statsd, prometheus, or disabled + provider: disabled + + # statsd configuration + statsd: + # network type: tcp or udp + network: udp + + # statsd server address + address: 127.0.0.1:8125 + + # the interval at which locally cached counters and gauges are pushed + # to statsd; timings are pushed immediately + writeInterval: 10s + + # prefix is prepended to all emitted statsd metrics + prefix: diff --git a/test-network-k8s/config/org2/fabric-ecert-ca-server-config.yaml b/test-network-k8s/config/org2/fabric-ecert-ca-server-config.yaml new file mode 100644 index 00000000..23732ff8 --- /dev/null +++ b/test-network-k8s/config/org2/fabric-ecert-ca-server-config.yaml @@ -0,0 +1,506 @@ +############################################################################# +# This is a configuration file for the fabric-ca-server command. +# +# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES +# ------------------------------------------------ +# Each configuration element can be overridden via command line +# arguments or environment variables. The precedence for determining +# the value of each element is as follows: +# 1) command line argument +# Examples: +# a) --port 443 +# To set the listening port +# b) --ca.keyfile ../mykey.pem +# To set the "keyfile" element in the "ca" section below; +# note the '.' separator character. +# 2) environment variable +# Examples: +# a) FABRIC_CA_SERVER_PORT=443 +# To set the listening port +# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" +# To set the "keyfile" element in the "ca" section below; +# note the '_' separator character. +# 3) configuration file +# 4) default value (if there is one) +# All default values are shown beside each element below. +# +# FILE NAME ELEMENTS +# ------------------ +# The value of all fields whose name ends with "file" or "files" are +# name or names of other files. +# For example, see "tls.certfile" and "tls.clientauth.certfiles". +# The value of each of these fields can be a simple filename, a +# relative path, or an absolute path. If the value is not an +# absolute path, it is interpretted as being relative to the location +# of this configuration file. +# +############################################################################# + +# Version of config file +version: 1.5.2 + +# Server's listening port (default: 7054) +port: 443 + +# Cross-Origin Resource Sharing (CORS) +cors: + enabled: false + origins: + - "*" + +# Enables debug logging (default: false) +debug: false + +# Size limit of an acceptable CRL in bytes (default: 512000) +crlsizelimit: 512000 + +############################################################################# +# TLS section for the server's listening port +# +# The following types are supported for client authentication: NoClientCert, +# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, +# and RequireAndVerifyClientCert. +# +# Certfiles is a list of root certificate authorities that the server uses +# when verifying client certificates. +############################################################################# +tls: + # Enable TLS (default: false) + enabled: true + # TLS for the server's listening port + certfile: + keyfile: + clientauth: + type: noclientcert + certfiles: + +############################################################################# +# The CA section contains information related to the Certificate Authority +# including the name of the CA, which should be unique for all members +# of a blockchain network. It also includes the key and certificate files +# used when issuing enrollment certificates (ECerts) and transaction +# certificates (TCerts). +# The chainfile (if it exists) contains the certificate chain which +# should be trusted for this CA, where the 1st in the chain is always the +# root CA certificate. +############################################################################# +ca: + # Name of this CA + name: org2-ecert-ca + # Key file (is only used to import a private key into BCCSP) + keyfile: + # Certificate file (default: ca-cert.pem) + certfile: + # Chain file + chainfile: + +############################################################################# +# The gencrl REST endpoint is used to generate a CRL that contains revoked +# certificates. This section contains configuration options that are used +# during gencrl request processing. +############################################################################# +crl: + # Specifies expiration for the generated CRL. The number of hours + # specified by this property is added to the UTC time, the resulting time + # is used to set the 'Next Update' date of the CRL. + expiry: 24h + +############################################################################# +# The registry section controls how the fabric-ca-server does two things: +# 1) authenticates enrollment requests which contain a username and password +# (also known as an enrollment ID and secret). +# 2) once authenticated, retrieves the identity's attribute names and +# values which the fabric-ca-server optionally puts into TCerts +# which it issues for transacting on the Hyperledger Fabric blockchain. +# These attributes are useful for making access control decisions in +# chaincode. +# There are two main configuration options: +# 1) The fabric-ca-server is the registry. +# This is true if "ldap.enabled" in the ldap section below is false. +# 2) An LDAP server is the registry, in which case the fabric-ca-server +# calls the LDAP server to perform these tasks. +# This is true if "ldap.enabled" in the ldap section below is true, +# which means this "registry" section is ignored. +############################################################################# +registry: + # Maximum number of times a password/secret can be reused for enrollment + # (default: -1, which means there is no limit) + maxenrollments: -1 + + # Contains identity information which is used when LDAP is disabled + identities: + - name: rcaadmin + pass: rcaadminpw + type: client + affiliation: "" + attrs: + hf.Registrar.Roles: "*" + hf.Registrar.DelegateRoles: "*" + hf.Revoker: true + hf.IntermediateCA: true + hf.GenCRL: true + hf.Registrar.Attributes: "*" + hf.AffiliationMgr: true + +############################################################################# +# Database section +# Supported types are: "sqlite3", "postgres", and "mysql". +# The datasource value depends on the type. +# If the type is "sqlite3", the datasource value is a file name to use +# as the database store. Since "sqlite3" is an embedded database, it +# may not be used if you want to run the fabric-ca-server in a cluster. +# To run the fabric-ca-server in a cluster, you must choose "postgres" +# or "mysql". +############################################################################# +db: + type: sqlite3 + datasource: fabric-ca-server.db + tls: + enabled: false + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# LDAP section +# If LDAP is enabled, the fabric-ca-server calls LDAP to: +# 1) authenticate enrollment ID and secret (i.e. username and password) +# for enrollment requests; +# 2) To retrieve identity attributes +############################################################################# +ldap: + # Enables or disables the LDAP client (default: false) + # If this is set to true, the "registry" section is ignored. + enabled: false + # The URL of the LDAP server + url: ldap://:@:/ + # TLS configuration for the client connection to the LDAP server + tls: + certfiles: + client: + certfile: + keyfile: + # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes + attribute: + # 'names' is an array of strings containing the LDAP attribute names which are + # requested from the LDAP server for an LDAP identity's entry + names: ['uid','member'] + # The 'converters' section is used to convert an LDAP entry to the value of + # a fabric CA attribute. + # For example, the following converts an LDAP 'uid' attribute + # whose value begins with 'revoker' to a fabric CA attribute + # named "hf.Revoker" with a value of "true" (because the boolean expression + # evaluates to true). + # converters: + # - name: hf.Revoker + # value: attr("uid") =~ "revoker*" + converters: + - name: + value: + # The 'maps' section contains named maps which may be referenced by the 'map' + # function in the 'converters' section to map LDAP responses to arbitrary values. + # For example, assume a user has an LDAP attribute named 'member' which has multiple + # values which are each a distinguished name (i.e. a DN). For simplicity, assume the + # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. + # Further assume the following configuration. + # converters: + # - name: hf.Registrar.Roles + # value: map(attr("member"),"groups") + # maps: + # groups: + # - name: dn1 + # value: peer + # - name: dn2 + # value: client + # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be + # "peer,client,dn3". This is because the value of 'attr("member")' is + # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of + # "group" replaces "dn1" with "peer" and "dn2" with "client". + maps: + groups: + - name: + value: + +############################################################################# +# Affiliations section. Fabric CA server can be bootstrapped with the +# affiliations specified in this section. Affiliations are specified as maps. +# For example: +# businessunit1: +# department1: +# - team1 +# businessunit2: +# - department2 +# - department3 +# +# Affiliations are hierarchical in nature. In the above example, +# department1 (used as businessunit1.department1) is the child of businessunit1. +# team1 (used as businessunit1.department1.team1) is the child of department1. +# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) +# are children of businessunit2. +# Note: Affiliations are case sensitive except for the non-leaf affiliations +# (like businessunit1, department1, businessunit2) that are specified in the configuration file, +# which are always stored in lower case. +############################################################################# +affiliations: + org1: + - department1 + - department2 + org2: + - department1 + +############################################################################# +# Signing section +# +# The "default" subsection is used to sign enrollment certificates; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +# +# The "ca" profile subsection is used to sign intermediate CA certificates; +# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. +# Note that "isca" is true, meaning that it issues a CA certificate. +# A maxpathlen of 0 means that the intermediate CA cannot issue other +# intermediate CA certificates, though it can still issue end entity certificates. +# (See RFC 5280, section 4.2.1.9) +# +# The "tls" profile subsection is used to sign TLS certificate requests; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +############################################################################# +signing: + default: + usage: + - digital signature + expiry: 8760h + profiles: + ca: + usage: + - cert sign + - crl sign + expiry: 43800h + caconstraint: + isca: true + maxpathlen: 0 + tls: + usage: + - signing + - key encipherment + - server auth + - client auth + - key agreement + expiry: 8760h + +########################################################################### +# Certificate Signing Request (CSR) section. +# This controls the creation of the root CA certificate. +# The expiration for the root CA certificate is configured with the +# "ca.expiry" field below, whose default value is "131400h" which is +# 15 years in hours. +# The pathlength field is used to limit CA certificate hierarchy as described +# in section 4.2.1.9 of RFC 5280. +# Examples: +# 1) No pathlength value means no limit is requested. +# 2) pathlength == 1 means a limit of 1 is requested which is the default for +# a root CA. This means the root CA can issue intermediate CA certificates, +# but these intermediate CAs may not in turn issue other CA certificates +# though they can still issue end entity certificates. +# 3) pathlength == 0 means a limit of 0 is requested; +# this is the default for an intermediate CA, which means it can not issue +# CA certificates though it can still issue end entity certificates. +########################################################################### +csr: + cn: fabric-ca-server + keyrequest: + algo: ecdsa + size: 256 + names: + - C: US + ST: "North Carolina" + L: + O: Hyperledger + OU: Fabric + hosts: + - localhost + - 127.0.0.1 + - org2-ecert-ca + - org2-ecert-ca.test-network.svc.cluster.local + ca: + expiry: 131400h + pathlength: 1 + +########################################################################### +# Each CA can issue both X509 enrollment certificate as well as Idemix +# Credential. This section specifies configuration for the issuer component +# that is responsible for issuing Idemix credentials. +########################################################################### +idemix: + # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an + # Idemix credential. The issuer will create a pool revocation handles of this specified size. When + # a credential is requested, issuer will get handle from the pool and assign it to the credential. + # Issuer will repopulate the pool with new handles when the last handle in the pool is used. + # A revocation handle and credential revocation information (CRI) are used to create non revocation proof + # by the prover to prove to the verifier that her credential is not revoked. + rhpoolsize: 1000 + + # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer + # and second step is send credential request that is constructed using the nonce to the isuser to + # request a credential. This configuration property specifies expiration for the nonces. By default is + # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration). + nonceexpiration: 15s + + # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes. + # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration) + noncesweepinterval: 15m + +############################################################################# +# BCCSP (BlockChain Crypto Service Provider) section is used to select which +# crypto library implementation to use +############################################################################# +bccsp: + default: SW + sw: + hash: SHA2 + security: 256 + filekeystore: + # The directory used for the software file-based keystore + keystore: msp/keystore + +############################################################################# +# Multi CA section +# +# Each Fabric CA server contains one CA by default. This section is used +# to configure multiple CAs in a single server. +# +# 1) --cacount +# Automatically generate non-default CAs. The names of these +# additional CAs are "ca1", "ca2", ... "caN", where "N" is +# This is particularly useful in a development environment to quickly set up +# multiple CAs. Note that, this config option is not applicable to intermediate CA server +# i.e., Fabric CA server that is started with intermediate.parentserver.url config +# option (-u command line option) +# +# 2) --cafiles +# For each CA config file in the list, generate a separate signing CA. Each CA +# config file in this list MAY contain all of the same elements as are found in +# the server config file except port, debug, and tls sections. +# +# Examples: +# fabric-ca-server start -b admin:adminpw --cacount 2 +# +# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml +# --cafiles ca/ca2/fabric-ca-server-config.yaml +# +############################################################################# + +cacount: + +cafiles: + +############################################################################# +# Intermediate CA section +# +# The relationship between servers and CAs is as follows: +# 1) A single server process may contain or function as one or more CAs. +# This is configured by the "Multi CA section" above. +# 2) Each CA is either a root CA or an intermediate CA. +# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. +# +# This section pertains to configuration of #2 and #3. +# If the "intermediate.parentserver.url" property is set, +# then this is an intermediate CA with the specified parent +# CA. +# +# parentserver section +# url - The URL of the parent server +# caname - Name of the CA to enroll within the server +# +# enrollment section used to enroll intermediate CA with parent CA +# profile - Name of the signing profile to use in issuing the certificate +# label - Label to use in HSM operations +# +# tls section for secure socket connection +# certfiles - PEM-encoded list of trusted root certificate files +# client: +# certfile - PEM-encoded certificate file for when client authentication +# is enabled on server +# keyfile - PEM-encoded key file for when client authentication +# is enabled on server +############################################################################# +intermediate: + parentserver: + url: + caname: + + enrollment: + hosts: + profile: + label: + + tls: + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# CA configuration section +# +# Configure the number of incorrect password attempts are allowed for +# identities. By default, the value of 'passwordattempts' is 10, which +# means that 10 incorrect password attempts can be made before an identity get +# locked out. +############################################################################# +cfg: + identities: + passwordattempts: 10 + +############################################################################### +# +# Operations section +# +############################################################################### +operations: + # host and port for the operations server + listenAddress: 127.0.0.1:9443 + + # TLS configuration for the operations endpoint + tls: + # TLS enabled + enabled: false + + # path to PEM encoded server certificate for the operations server + cert: + file: + + # path to PEM encoded server key for the operations server + key: + file: + + # require client certificate authentication to access all resources + clientAuthRequired: false + + # paths to PEM encoded ca certificates to trust for client authentication + clientRootCAs: + files: [] + +############################################################################### +# +# Metrics section +# +############################################################################### +metrics: + # statsd, prometheus, or disabled + provider: disabled + + # statsd configuration + statsd: + # network type: tcp or udp + network: udp + + # statsd server address + address: 127.0.0.1:8125 + + # the interval at which locally cached counters and gauges are pushsed + # to statsd; timings are pushed immediately + writeInterval: 10s + + # prefix is prepended to all emitted statsd merics + prefix: server diff --git a/test-network-k8s/config/org2/fabric-tls-ca-server-config.yaml b/test-network-k8s/config/org2/fabric-tls-ca-server-config.yaml new file mode 100644 index 00000000..74879302 --- /dev/null +++ b/test-network-k8s/config/org2/fabric-tls-ca-server-config.yaml @@ -0,0 +1,496 @@ +############################################################################# +# This is a configuration file for the fabric-ca-server command. +# +# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES +# ------------------------------------------------ +# Each configuration element can be overridden via command line +# arguments or environment variables. The precedence for determining +# the value of each element is as follows: +# 1) command line argument +# Examples: +# a) --port 443 +# To set the listening port +# b) --ca.keyfile ../mykey.pem +# To set the "keyfile" element in the "ca" section below; +# note the '.' separator character. +# 2) environment variable +# Examples: +# a) FABRIC_CA_SERVER_PORT=443 +# To set the listening port +# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" +# To set the "keyfile" element in the "ca" section below; +# note the '_' separator character. +# 3) configuration file +# 4) default value (if there is one) +# All default values are shown beside each element below. +# +# FILE NAME ELEMENTS +# ------------------ +# The value of all fields whose name ends with "file" or "files" are +# name or names of other files. +# For example, see "tls.certfile" and "tls.clientauth.certfiles". +# The value of each of these fields can be a simple filename, a +# relative path, or an absolute path. If the value is not an +# absolute path, it is interpretted as being relative to the location +# of this configuration file. +# +############################################################################# + +# Version of config file +version: 1.5.2 + +# Server's listening port (default: 7054) +port: 443 + +# Cross-Origin Resource Sharing (CORS) +cors: + enabled: false + origins: + - "*" + +# Enables debug logging (default: false) +debug: false + +# Size limit of an acceptable CRL in bytes (default: 512000) +crlsizelimit: 512000 + +############################################################################# +# TLS section for the server's listening port +# +# The following types are supported for client authentication: NoClientCert, +# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, +# and RequireAndVerifyClientCert. +# +# Certfiles is a list of root certificate authorities that the server uses +# when verifying client certificates. +############################################################################# +tls: + # Enable TLS (default: false) + enabled: true + # TLS for the server's listening port + certfile: + keyfile: + clientauth: + type: noclientcert + certfiles: + +############################################################################# +# The CA section contains information related to the Certificate Authority +# including the name of the CA, which should be unique for all members +# of a blockchain network. It also includes the key and certificate files +# used when issuing enrollment certificates (ECerts) and transaction +# certificates (TCerts). +# The chainfile (if it exists) contains the certificate chain which +# should be trusted for this CA, where the 1st in the chain is always the +# root CA certificate. +############################################################################# +ca: + # Name of this CA + name: org2-tls-ca + # Key file (is only used to import a private key into BCCSP) + keyfile: + # Certificate file (default: ca-cert.pem) + certfile: + # Chain file + chainfile: + +############################################################################# +# The gencrl REST endpoint is used to generate a CRL that contains revoked +# certificates. This section contains configuration options that are used +# during gencrl request processing. +############################################################################# +crl: + # Specifies expiration for the generated CRL. The number of hours + # specified by this property is added to the UTC time, the resulting time + # is used to set the 'Next Update' date of the CRL. + expiry: 24h + +############################################################################# +# The registry section controls how the fabric-ca-server does two things: +# 1) authenticates enrollment requests which contain a username and password +# (also known as an enrollment ID and secret). +# 2) once authenticated, retrieves the identity's attribute names and +# values which the fabric-ca-server optionally puts into TCerts +# which it issues for transacting on the Hyperledger Fabric blockchain. +# These attributes are useful for making access control decisions in +# chaincode. +# There are two main configuration options: +# 1) The fabric-ca-server is the registry. +# This is true if "ldap.enabled" in the ldap section below is false. +# 2) An LDAP server is the registry, in which case the fabric-ca-server +# calls the LDAP server to perform these tasks. +# This is true if "ldap.enabled" in the ldap section below is true, +# which means this "registry" section is ignored. +############################################################################# +registry: + # Maximum number of times a password/secret can be reused for enrollment + # (default: -1, which means there is no limit) + maxenrollments: -1 + + # Contains identity information which is used when LDAP is disabled + identities: + - name: tlsadmin + pass: tlsadminpw + type: client + affiliation: "" + attrs: + hf.Registrar.Roles: "*" + hf.Registrar.DelegateRoles: "*" + hf.Revoker: true + hf.IntermediateCA: true + hf.GenCRL: true + hf.Registrar.Attributes: "*" + hf.AffiliationMgr: true + +############################################################################# +# Database section +# Supported types are: "sqlite3", "postgres", and "mysql". +# The datasource value depends on the type. +# If the type is "sqlite3", the datasource value is a file name to use +# as the database store. Since "sqlite3" is an embedded database, it +# may not be used if you want to run the fabric-ca-server in a cluster. +# To run the fabric-ca-server in a cluster, you must choose "postgres" +# or "mysql". +############################################################################# +db: + type: sqlite3 + datasource: fabric-ca-server.db + tls: + enabled: false + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# LDAP section +# If LDAP is enabled, the fabric-ca-server calls LDAP to: +# 1) authenticate enrollment ID and secret (i.e. username and password) +# for enrollment requests; +# 2) To retrieve identity attributes +############################################################################# +ldap: + # Enables or disables the LDAP client (default: false) + # If this is set to true, the "registry" section is ignored. + enabled: false + # The URL of the LDAP server + url: ldap://:@:/ + # TLS configuration for the client connection to the LDAP server + tls: + certfiles: + client: + certfile: + keyfile: + # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes + attribute: + # 'names' is an array of strings containing the LDAP attribute names which are + # requested from the LDAP server for an LDAP identity's entry + names: ['uid','member'] + # The 'converters' section is used to convert an LDAP entry to the value of + # a fabric CA attribute. + # For example, the following converts an LDAP 'uid' attribute + # whose value begins with 'revoker' to a fabric CA attribute + # named "hf.Revoker" with a value of "true" (because the boolean expression + # evaluates to true). + # converters: + # - name: hf.Revoker + # value: attr("uid") =~ "revoker*" + converters: + - name: + value: + # The 'maps' section contains named maps which may be referenced by the 'map' + # function in the 'converters' section to map LDAP responses to arbitrary values. + # For example, assume a user has an LDAP attribute named 'member' which has multiple + # values which are each a distinguished name (i.e. a DN). For simplicity, assume the + # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. + # Further assume the following configuration. + # converters: + # - name: hf.Registrar.Roles + # value: map(attr("member"),"groups") + # maps: + # groups: + # - name: dn1 + # value: peer + # - name: dn2 + # value: client + # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be + # "peer,client,dn3". This is because the value of 'attr("member")' is + # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of + # "group" replaces "dn1" with "peer" and "dn2" with "client". + maps: + groups: + - name: + value: + +############################################################################# +# Affiliations section. Fabric CA server can be bootstrapped with the +# affiliations specified in this section. Affiliations are specified as maps. +# For example: +# businessunit1: +# department1: +# - team1 +# businessunit2: +# - department2 +# - department3 +# +# Affiliations are hierarchical in nature. In the above example, +# department1 (used as businessunit1.department1) is the child of businessunit1. +# team1 (used as businessunit1.department1.team1) is the child of department1. +# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) +# are children of businessunit2. +# Note: Affiliations are case sensitive except for the non-leaf affiliations +# (like businessunit1, department1, businessunit2) that are specified in the configuration file, +# which are always stored in lower case. +############################################################################# +affiliations: + org1: + - department1 + - department2 + org2: + - department1 + +############################################################################# +# Signing section +# +# The "default" subsection is used to sign enrollment certificates; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +# +# The "ca" profile subsection is used to sign intermediate CA certificates; +# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. +# Note that "isca" is true, meaning that it issues a CA certificate. +# A maxpathlen of 0 means that the intermediate CA cannot issue other +# intermediate CA certificates, though it can still issue end entity certificates. +# (See RFC 5280, section 4.2.1.9) +# +# The "tls" profile subsection is used to sign TLS certificate requests; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +############################################################################# +signing: + default: + authremote: {} + caconstraint: {} + expiry: 8760h + usage: + - signing + - key encipherment + - server auth + - client auth + - key agreement + profiles: null + +########################################################################### +# Certificate Signing Request (CSR) section. +# This controls the creation of the root CA certificate. +# The expiration for the root CA certificate is configured with the +# "ca.expiry" field below, whose default value is "131400h" which is +# 15 years in hours. +# The pathlength field is used to limit CA certificate hierarchy as described +# in section 4.2.1.9 of RFC 5280. +# Examples: +# 1) No pathlength value means no limit is requested. +# 2) pathlength == 1 means a limit of 1 is requested which is the default for +# a root CA. This means the root CA can issue intermediate CA certificates, +# but these intermediate CAs may not in turn issue other CA certificates +# though they can still issue end entity certificates. +# 3) pathlength == 0 means a limit of 0 is requested; +# this is the default for an intermediate CA, which means it can not issue +# CA certificates though it can still issue end entity certificates. +########################################################################### +csr: + cn: fabric-ca-server + keyrequest: + algo: ecdsa + size: 256 + names: + - C: US + ST: "North Carolina" + L: + O: Hyperledger + OU: Fabric + hosts: + - localhost + - 127.0.0.1 + - org2-tls-ca + - org2-tls-ca.test-network.svc.cluster.local + ca: + expiry: 131400h + pathlength: 1 + +########################################################################### +# Each CA can issue both X509 enrollment certificate as well as Idemix +# Credential. This section specifies configuration for the issuer component +# that is responsible for issuing Idemix credentials. +########################################################################### +idemix: + # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an + # Idemix credential. The issuer will create a pool revocation handles of this specified size. When + # a credential is requested, issuer will get handle from the pool and assign it to the credential. + # Issuer will repopulate the pool with new handles when the last handle in the pool is used. + # A revocation handle and credential revocation information (CRI) are used to create non revocation proof + # by the prover to prove to the verifier that her credential is not revoked. + rhpoolsize: 1000 + + # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer + # and second step is send credential request that is constructed using the nonce to the isuser to + # request a credential. This configuration property specifies expiration for the nonces. By default is + # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration). + nonceexpiration: 15s + + # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes. + # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration) + noncesweepinterval: 15m + +############################################################################# +# BCCSP (BlockChain Crypto Service Provider) section is used to select which +# crypto library implementation to use +############################################################################# +bccsp: + default: SW + sw: + hash: SHA2 + security: 256 + filekeystore: + # The directory used for the software file-based keystore + keystore: msp/keystore + +############################################################################# +# Multi CA section +# +# Each Fabric CA server contains one CA by default. This section is used +# to configure multiple CAs in a single server. +# +# 1) --cacount +# Automatically generate non-default CAs. The names of these +# additional CAs are "ca1", "ca2", ... "caN", where "N" is +# This is particularly useful in a development environment to quickly set up +# multiple CAs. Note that, this config option is not applicable to intermediate CA server +# i.e., Fabric CA server that is started with intermediate.parentserver.url config +# option (-u command line option) +# +# 2) --cafiles +# For each CA config file in the list, generate a separate signing CA. Each CA +# config file in this list MAY contain all of the same elements as are found in +# the server config file except port, debug, and tls sections. +# +# Examples: +# fabric-ca-server start -b admin:adminpw --cacount 2 +# +# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml +# --cafiles ca/ca2/fabric-ca-server-config.yaml +# +############################################################################# + +cacount: + +cafiles: + +############################################################################# +# Intermediate CA section +# +# The relationship between servers and CAs is as follows: +# 1) A single server process may contain or function as one or more CAs. +# This is configured by the "Multi CA section" above. +# 2) Each CA is either a root CA or an intermediate CA. +# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. +# +# This section pertains to configuration of #2 and #3. +# If the "intermediate.parentserver.url" property is set, +# then this is an intermediate CA with the specified parent +# CA. +# +# parentserver section +# url - The URL of the parent server +# caname - Name of the CA to enroll within the server +# +# enrollment section used to enroll intermediate CA with parent CA +# profile - Name of the signing profile to use in issuing the certificate +# label - Label to use in HSM operations +# +# tls section for secure socket connection +# certfiles - PEM-encoded list of trusted root certificate files +# client: +# certfile - PEM-encoded certificate file for when client authentication +# is enabled on server +# keyfile - PEM-encoded key file for when client authentication +# is enabled on server +############################################################################# +intermediate: + parentserver: + url: + caname: + + enrollment: + hosts: + profile: + label: + + tls: + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# CA configuration section +# +# Configure the number of incorrect password attempts are allowed for +# identities. By default, the value of 'passwordattempts' is 10, which +# means that 10 incorrect password attempts can be made before an identity get +# locked out. +############################################################################# +cfg: + identities: + passwordattempts: 10 + +############################################################################### +# +# Operations section +# +############################################################################### +operations: + # host and port for the operations server + listenAddress: 127.0.0.1:9444 + + # TLS configuration for the operations endpoint + tls: + # TLS enabled + enabled: false + + # path to PEM encoded server certificate for the operations server + cert: + file: + + # path to PEM encoded server key for the operations server + key: + file: + + # require client certificate authentication to access all resources + clientAuthRequired: false + + # paths to PEM encoded ca certificates to trust for client authentication + clientRootCAs: + files: [] + +############################################################################### +# +# Metrics section +# +############################################################################### +metrics: + # statsd, prometheus, or disabled + provider: disabled + + # statsd configuration + statsd: + # network type: tcp or udp + network: udp + + # statsd server address + address: 127.0.0.1:8125 + + # the interval at which locally cached counters and gauges are pushsed + # to statsd; timings are pushed immediately + writeInterval: 10s + + # prefix is prepended to all emitted statsd merics + prefix: server diff --git a/test-network-k8s/docs/APPLICATIONS.md b/test-network-k8s/docs/APPLICATIONS.md new file mode 100644 index 00000000..2758f463 --- /dev/null +++ b/test-network-k8s/docs/APPLICATIONS.md @@ -0,0 +1,106 @@ +# Working with Applications + +## TL/DR: + +```shell +$ ./network rest-easy +Launching fabric-rest-sample application: +βœ… - Ensuring fabric-rest-sample image ... +βœ… - Constructing fabric-rest-sample connection profiles ... +βœ… - Starting fabric-rest-sample ... + +The fabric-rest-sample has started. See https://github.com/hyperledgendary/fabric-rest-sample/tree/main/asset-transfer-basic/rest-api-typescript#rest-api for additional usage. +To access the endpoint: + +export SAMPLE_APIKEY=97834158-3224-4CE7-95F9-A148C886653E +curl -s --header "X-Api-Key: ${SAMPLE_APIKEY}" http://localhost/api/assets + +🏁 - Fabric REST sample is ready. +``` + +```shell +$ export SAMPLE_APIKEY=97834158-3224-4CE7-95F9-A148C886653E + +$ ./network chaincode invoke '{"Args":["CreateAsset","1","blue","35","tom","1000"]}' + +$ curl -s --header "X-Api-Key: ${SAMPLE_APIKEY}" http://localhost/api/assets | jq +[ + { + "Key": "1", + "Record": { + "ID": "1", + "color": "blue", + "size": 35, + "owner": "tom", + "appraisedValue": 1000 + } + } +] + +$ open https://github.com/hyperledgendary/fabric-rest-sample/tree/main/asset-transfer-basic/rest-api-typescript#rest-api +``` + +## Guide for Gateway Client Applications + +TODO: this section is a work-in-progress. + +### EXTERNAL Gateway Client (localhost) + +For certain development scenarios, it is advantageous to run a Gateway Client externally, using a bridge +or port forward to access services running behind the veil of Kubernetes networking. For instance, during active +development we can run a Gateway Client under the microscope of an IDE / debugger, on a local system, connected +to a remote network as if it were running resident within the Kube. As the system is developed (bugs addressed, etc.), +the application author can transition the updated routines into Docker containers, verify locally, and push +into the container registry for validation within the Kubernetes network. + +Here is a brief overview of the steps necessary to run EXTERNAL gateway applications: + +1. Open a TCP port forward from the local host to a targeted peer: +```shell +kubectl -n test-network port-forward svc/org1-peer1 7051:7051 +``` + +2. Add "mock DNS" records to /etc/hosts for TLS host validation: +```shell +127.0.0.1 org1-peer1 +``` + +3. Configure the gateway client to connect to `org1-peer1:7051`, or the kube TCP port forward. + + +4. Launch the gateway client application locally, e.g. in a docker container or attached to an IDE. + + +5. Update this guide with feedback, recipes, and stories of successful client development on Kube/KIND. + + +### INTERNAL Gateway Client (In Kube) + +#### TODO: Deploy + +```shell +./network application ACTION +``` + + +#### Local Container Registry + +Docker images built locally can be uploaded to the `localhost:5000` container registry for +immediate access within the Kube/KIND cluster. In addition to providing fast turn-around to/from containers +running in Kube, the use of a private container registry allows us to quickly iterate on code without uploading +images to the Internet. Even when using _private_ container registries, the use of a local server saves valuable +time when loading images into the kind control plane. + +e.g.: +```shell +docker build -t localhost:5000/my-gateway-app . +docker push localhost:5000/my-gateway-app +``` + +Provided that the `imagePullPolicy` for the client deployment is not set to `IfNotPresent`, killing the current pod +running the gateway client will force a refresh with the latest image layer available at the local registry. + + +#### Aggregating MSP and Certificates + +#### Deploying to the Namespace \ No newline at end of file diff --git a/test-network-k8s/docs/CA.md b/test-network-k8s/docs/CA.md new file mode 100644 index 00000000..c8758b24 --- /dev/null +++ b/test-network-k8s/docs/CA.md @@ -0,0 +1,281 @@ +# Certificate Authorities + +This guide serves as a companion to the [Fabric CA Deployment Guide](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy.html), +the definitive reference for planning, configuring, and managing CAs within a production Hyperledger Fabric installation. + +For individual fabric nodes to communicate securely over a network, all interactions are performed over secure sockets +with (at a minimum) server side TLS certificate verification. In addition, for the individual participants of a Fabric +network to interact with the blockchain, the participant identities and activities are verified against an Enrollment +Certificate or 'ECert' authority. + +In this document we'll outline the key aspects of bootstrapping test network TLS and ECert CAs, registration and +enrollment of node identities, and address some effective strategies for storage and organization of channel and +node local MSP data structures. + + +### TL/DR : +```shell +$ ./network up + +Launching network "test-network": +... +βœ… - Launching TLS CAs ... +βœ… - Enrolling bootstrap TLS CA users ... + +βœ… - Registering and enrolling ECert CA bootstrap users ... +βœ… - Launching ECert CAs ... +βœ… - Enrolling bootstrap ECert CA users ... +... +🏁 - Network is ready. +``` + + +## [Planning for a CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy-topology.html#planning-for-a-ca) + +Setting up a CA framework is one of the more daunting aspects of a Fabric installation. There is an incredible amount +of flexibility possible with the Fabric CA architecture, so to keep things straightforward we have opted to aim for a +simplified, but realistic CA deployment illustrating the key touch points with Kubernetes: + +- Each organization maintains distinct, [independent volumes](../kube/pv-fabric-org0.yaml) for the storage of MSP and + TLS certificates. This forces the consortium organizer to plan for the distribution of _public_ certificates to + member organizations, while maintaining an independent, secret storage location for _private_ signing keys. + + +- Each organization maintains two distinct, separate CA instances : one dedicated to [TLS](../kube/org0/org0-tls-ca.yaml) + Certificate Signing Requests, and a second process dedicated to [ECert](../kube/org0/org0-ecert-ca.yaml) Enrollments + and identity MSPs. + + +- Certificate organization and [Folder Structure](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html#folder-structure-for-your-org-and-node-admin-identities) + strictly adheres to the best practices and guidelines recommended by the CA Deployment Guide. + + +- The `cryptogen` anti-pattern is **strictly forbidden**. All TLS and MSP enrollments are constructed using the CA + registration and enrollment REST services, coordinated by calls to `fabric-ca-client` running directly on the + CA pods. When working with certificates, the fabric CA client ONLY has visibility to the organization's local volume + storage. + + +- TLS CA configuration and certificates are maintained in each org's persistent volume at `/var/hyperledger/fabric-tls-ca-server` + + +- ECert CA configuration and certificates are maintained in each org's persistent volume at `/var/hyperledger/fabric-ca-server` + + +- fabric-ca-client configuration and certificates are maintained in each org's persistent volume at `/var/hyperledger/fabric-ca-client` + + +- ECert and MSP data structures are maintained in each org's persistent volume at `/var/hyperledger/fabric/organizations` + + + +### Future Enhancements: + +- **_Bring your own Certificates_** : It would be nice to boostrap the network using a single, top-level signing authority, + rather than generating self-signed certificates when the system is bootstrapped. Ideally this will be realized by + introducing an [Intermediate CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy-topology.html#when-would-i-want-an-intermediate-ca) + and/or alternate signing chains backed by formal (e.g. letsencrypt, Thawte, Verisign, etc.) certificate authorities. + + +- **_Dual Headed CAs_** : In practice, juggling two distinct deployments between TLS and ECert servers adds little + functional value. It would be nice to simplify the configuration, deployment, and bootstrapping scripts such that + each org manages a single, dual-headed CA capable of responding to both TLS as well as ECert enrollmnent rerquests. + + +- **_Time-Bomb Certificates_** : By default the certificates issued by the test network are valid for 1 (one) year. For + lightweight or adhoc testing, this is fine. But when applied to production deployments, certificate expiry is a + real operational challenge. For instance, it is possible to soft-lock a Fabric network when all system certificates + expire _en-masse_ - it's impossible to re-establish a consensus and renew the certificates! + + +- **_Mutual TLS_** : Server-side TLS is a minimum, but the addition of client-side TLS certificates will help fully + secure all TCP channels within the Fabric network. + + +- **_Bugs_** : `./network up` currently goes through the process of bootstrapping a fabric network from scratch, but + does not handle "multiple runs" or the complete course of errors that can occur in the wild. For instance, If the + routine is run multiple times in succession, it will overwrite the network's certificate chains and soft-lock the + network. + + +## [Process Overview](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#) + +The [sequence of activities](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#what-order-should-i-deploy-the-cas) +necessary to bring up a CA infrastructure is well documented by the CA Deployment Guide: + +1. [Deploy the TLS CAs](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#deploy-the-tls-ca) + 1. [Configure the TLS CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#modify-the-tls-ca-server-configuration) + 1. [Launch the TLS CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#start-the-tls-ca-server) + 1. [Enroll the TLS CA Bootstrap Admin Users](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-bootstrap-user-with-tls-ca) + +1. [Deploy the Organization CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#deploy-an-organization-ca) + 1. [Register and enroll the org CA bootstrap identity with the TLS CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#register-and-enroll-the-organization-ca-bootstrap-identity-with-the-tls-ca) + 1. [Configure the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#modify-the-ca-server-configuration) + 1. [Launch the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#start-the-ca-server) + 1. [Enroll the ECert CA Bootstrap / Admin User](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-the-ca-admin) + + +## [Deploy the TLS CAs](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#deploy-the-tls-ca) + +### [Configure the TLS CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#modify-the-tls-ca-server-configuration) + +While the CA guide suggests running the `fabric-ca-server` binary to generate a default configuration file, for the +test network we've skipped this step and have added a [config/fabric-tls-ca-server-config.yaml](../config/org0/fabric-tls-ca-server-config.yaml) +to the top level of this project. + +Changes have been made to reflect: + +- `port: 443` binds all traffic to the default HTTPS port +- `tls.enabled: true` enables TLS for registration and enrollment requests +- `ca.name: ` matches the Kubernetes `Service` host alias +- `csr.hosts:` includes host aliases for accessing the CA with Kube DNS + + +Prior to launching the CA, for each org we create a configmap including the TLS CA server yaml: + +```shell +kubectl -n test-network create configmap org0-config --from-file=config/org0 +kubectl -n test-network create configmap org1-config --from-file=config/org1 +kubectl -n test-network create configmap org2-config --from-file=config/org2 +``` + + +### [Launch the TLS CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#start-the-tls-ca-server) + +```shell +βœ… - Launching TLS CAs ... +``` + +For each org we create a Kube Deployment and Service, ensuring that the org config +map and persistent volume maps to the correct location on disk. + +```shell +kubectl -n test-network apply -f kube/org0/org0-tls-ca.yaml +kubectl -n test-network apply -f kube/org1/org1-tls-ca.yaml +kubectl -n test-network apply -f kube/org2/org2-tls-ca.yaml +``` + +As a side-effect of bootstrapping the TLS CA, each storage volume will include a self-signed certificate +pair to serve as the **Root TLS Certificate**. Pay special attention to this path, as it will be used extensively +to verify the TLS host name of all services within the organization: +```shell +${FABRIC_CA_CLIENT_HOME}/tls-root-cert/tls-ca-cert.pem +``` + + +### [Enroll the TLS CA Bootstrap Admin Users](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-bootstrap-user-with-tls-ca) +```shell +βœ… - Enrolling bootstrap TLS CA users ... +``` + +After the TLS server is running, we need to enroll the bootstrap admin user with the CA. This admin user will +then be employed to fulfill a Certificate Signing request for the ECert CA servers, allowing for full host +verification when connecting to the ECert CAs via https. + +To enroll the bootstrap TLS CA users, each org runs within the TLS CA pod: +```shell + fabric-ca-client enroll \ + --url https://'$auth'@'${tlsca}' \ + --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ + --csr.hosts '${tlsca}' \ + --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp +``` + +The --mspdir output of this command is a set of certificates for use with the ECert CA. This enrollment MSP +will be used to register and enroll the ECert bootstrap user. + + +## [Deploy the Organization CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#deploy-an-organization-ca) + +The organization (ECert) CA is used to issue MSP certificates for nodes, channels, and identities in the fabric network. +Before we can set up the peers, orderers, and channels, we will need to bootstrap an ECert CA administrator +for each org in the network. + + +### [Register and enroll the organization CA bootstrap identity with the TLS CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#register-and-enroll-the-organization-ca-bootstrap-identity-with-the-tls-ca) +```shell +βœ… - Registering and enrolling ECert CA bootstrap users ... +``` + +The TLS CA can be used to fulfill a Certificate Signing Request on behalf of each organization's ECert CA. + +```shell + fabric-ca-client register \ + --id.name rcaadmin \ + --id.secret rcaadminpw \ + --url https://'${tlsca}' \ + --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ + --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp + + fabric-ca-client enroll \ + --url https://'${tlsauth}'@'${tlsca}' \ + --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ + --csr.hosts '${ecertca}' \ + --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/rcaadmin/msp +``` + +**Important**: The output from this enrollment includes the ECert CA's public certificate and private signing keys. +When the ECert CA pod is launched, the server configuration references the `tls.certfile` and `tls.keyfile` attributes +by specifying `FABRIC_CA_SERVER_TLS_CERTFILE` and `FABRIC_CA_SERVER_TLS_KEYFILE` environment in the pod's environment. + + +### [Configure the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#modify-the-ca-server-configuration) + +When launching the ECert CA pods, both the org volume shares and org config maps are made available via volume shares. +The [fabric-ecert-ca-server.yaml](../config/org0/fabric-ecert-ca-server-config.yaml) includes overrides for: + +- `port: 443` binds all traffic to the default HTTPS port +- `tls.enabled: true` enables TLS for registration and enrollment requests +- `ca.name: ` matches the Kubernetes `Service` host alias +- `csr.hosts:` includes host aliases for accessing the CA with Kube DNS + +In addition, pay special attention to the location of the `FABRIC_CA_SERVER_TLS_CERTFILE` and `FABRIC_CA_SERVER_TLS_KEYFILE` +environment variables in the [ECert deployment descriptor](../kube/org0/org0-ecert-ca.yaml). These variables +reference the TLS certificate authority and signing keys as generated by the admin bootstrap enrollment. + + +### [Launch the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#start-the-ca-server) +```shell +βœ… - Launching ECert CAs ... +``` + +```shell +kubectl -n test-network apply -f kube/org0/org0-ecert-ca.yaml +kubectl -n test-network apply -f kube/org1/org1-ecert-ca.yaml +kubectl -n test-network apply -f kube/org2/org2-ecert-ca.yaml +``` +- [x] Note: The `rcaadmin` enrollment's `cert.pem` and `key.pem` locations are specified in the ecert CA's k8s deployment as environment variables. + + +### [Enroll the ECert CA Bootstrap / Admin User](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-the-ca-admin) +```shell +βœ… - Enrolling bootstrap ECert CA users ... +``` + +Finally, after the services are active, we can connect to each organization's ECert CA using TLS and +activate the `rcaadmin` (Root Certificate Authority) admin user. This user will be employed to generate the +local MSP certificate structure for all of the nodes in our test network. + +```shell + fabric-ca-client enroll \ + --url https://'${auth}'@'${ecert_ca}' \ + --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ + --mspdir $FABRIC_CA_CLIENT_HOME/'${ecert_ca}'/rcaadmin/msp +``` + + +## Next Steps : + +After the CAs have been deployed, each org in the Kube namespace includes: + +- One TLS CA `Service`, forwarding internal traffic from https://orgN-tls-ca to the TLS CA +- One TLS CA `Deployment` +- One TLS CA `Pod` +- One ECert CA `Service`, forwarding internal traffic from https://orgN-ecert-ca to the ECert CA +- One ECert CA `Deployment` +- One ECert CA `Pod` +- One TLS CA admin bootstrap user `tlsadmin` enrollment and TLS root certificate. +- One ECert CA admin bootstrap user `rcaadmin` enrollment and MSP root certificate. + + +### [Launch the Test Network...](TEST_NETWORK.md) diff --git a/test-network-k8s/docs/CHAINCODE.md b/test-network-k8s/docs/CHAINCODE.md new file mode 100644 index 00000000..e967d882 --- /dev/null +++ b/test-network-k8s/docs/CHAINCODE.md @@ -0,0 +1,278 @@ +# Working with Chaincode + +In this guide we will launch the Asset Transfer Basic chaincode "as a service" on the Kubernetes test network. +In addition, we will demonstrate how to connect the test network to a chaincode process running on your local +machine as a local binary, attached in an IDE debugger, or in a Docker container. + +## TL/DR : +```shell +$ ./network chaincode deploy +βœ… - Packaging chaincode folder chaincode/asset-transfer-basic ... +βœ… - Transferring chaincode archive to org1 ... +βœ… - Installing chaincode for org org1 ... +βœ… - Launching chaincode container "ghcr.io/hyperledgendary/fabric-ccaas-asset-transfer-basic" ... +βœ… - Activating chaincode basic_1.0:5e0c4db62c1f91599f58dcbfe2c37566453b1e02933646c49ba46f196723cc30 ... +🏁 - Chaincode is ready. +``` + +```shell +$ ./network chaincode invoke '{"Args":["CreateAsset","1","blue","35","tom","1000"]}' +2021-10-03 17:23:43.508 UTC [chaincodeCmd] chaincodeInvokeOrQuery -> INFO 001 Chaincode invoke successful. result: status:200 + +$ ./network chaincode query '{"Args":["ReadAsset","1"]}' | jq +{ + "ID": "1", + "color": "blue", + "size": 35, + "owner": "tom", + "appraisedValue": 1000 +} +``` + +## Running Smart Contracts on Kubernetes + +In the Kubernetes Test Network, smart contracts are developed with the [Chaincode as a Service](link) +pattern, relying on an embedded [External Builder](link) to avoid the use of a Docker daemon. With +Chaincode-as-a-Service, smart contracts are deployed to Kubernetes as `Services`, +`Deployments`, and `Pods`. When invoking smart contracts, the Peer network connects to the grpc receiver +through the port exposed by the chaincode's Kube `Service` as described in the chaincode +connection.json. + +Before installing chaincode to the network, a smart contract must: + +- Utilize the `ChaincodeServer` grpc receiver, as described in the [Fabric Operations + Guide](https://hyperledger-fabric.readthedocs.io/en/latest/cc_service.html#writing-chaincode-to-run-as-an-external-service). + +- Run as a Docker image published to a container registry. + +- Maintain a connection.json and metadata.json files in the `chaincode/$CHAINCODE_NAME` folder. + +- Accept the `CHAINCODE_ID` environment variable: _CHAINCODE_LABEL:sha_256(chaincode.tar.gz)_. + + +## Deploying Chaincode to the Network +```shell +βœ… - Packaging chaincode "asset-transfer-basic" archive ... +βœ… - Deploying chaincode "asset-transfer-basic" for org org1 ... +``` + +When working with chaincode, the `./network` script includes two parameters that define the Docker image +launched in the cluster and the chaincode metadata: + +- `${TEST_NETWORK_CHAINCODE_NAME:-asset-transfer-basic}` refers to the _name_ associated with the chaincode. + While packaging and deploying to the network, the `scripts/chaincode.sh` script uses this string to search + the local `/chaincode` folder for associated metadata and connection json descriptor files. + + +- `${TEST_NETWORK_CHAINCODE_IMAGE:-ghcr.io/hyperledgendary/fabric-ccaas-asset-transfer-basic}` defines the + container image that will be used when running the chaincode in Kubernetes. + + +To deploy the chaincode, the network script will: + +1. Read the `connection.json` and `metadata.json` files from the `/chaincode/${TEST_NETWORK_CHAINCODE_NAME` + folder, bundling the files into a chaincode tar.gz archive. + + +2. `kubectl cp` the chaincode archive from the local file system to the organization's persistent volume storage. + + +3. Install the chaincode archive on a peer in the organization: +```shell + export CORE_PEER_ADDRESS='${org}'-peer1:7051 + peer lifecycle chaincode install chaincode/asset-transfer-basic.tgz +``` + + +4. In typical Fabric operations, the output of the `chaincode install` command includes a generated ID of the + chaincode archive printed to standard out. This ID is manually inspected and transcribed by the + network operator when executing subsequent commands with the network peers. To avoid scraping the + output of the installation command, the test network scripts precompute the chaincode ID + as the `sha256` checksum of the tar.gz archive. + + +5. The chaincode docker [image is launched](../kube/org1/org1-cc-asset-transfer-basic.yaml) as a Kubernetes + `Deployment` specifying _CHAINCODE_ID=sha-256(archive)_ in the environment and binding a `Service` port 9999 + within the namespace. When the network sends messages to the chaincode process, it will use the host URL as + defined in the `connection.json`, connecting to the kubernetes `Service` URL and `Deployment`. + + +6. Finally, the Admin CLI issues a series of peer commands to approve and commit the chaincode for the org: + +```shell + export CORE_PEER_ADDRESS='${org}'-peer1:7051 + + peer lifecycle \ + chaincode approveformyorg \ + --channelID '${CHANNEL_NAME}' \ + --name '${CHAINCODE_NAME}' \ + --version 1 \ + --package-id '${cc_id}' \ + --sequence 1 \ + -o org0-orderer1:6050 \ + --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem + + peer lifecycle \ + chaincode commit \ + --channelID '${CHANNEL_NAME}' \ + --name '${CHAINCODE_NAME}' \ + --version 1 \ + --sequence 1 \ + -o org0-orderer1:6050 \ + --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem +``` + +## Invoking and Querying the Chaincode + +Once the chaincode service has been deployed to the cluster, and the peers have approved the chaincode, +the test scripts can issue adhoc invoke, query, and metadata requests to the network: + +### Invoke +```shell +$ ./network chaincode invoke '{"Args":["CreateAsset","1","blue","35","tom","1000"]}' +2021-10-03 17:23:43.508 UTC [chaincodeCmd] chaincodeInvokeOrQuery -> INFO 001 Chaincode invoke successful. result: status:200 +``` + +### Query +```shell +$ ./network chaincode query '{"Args":["ReadAsset","1"]}' | jq +{ + "ID": "1", + "color": "blue", + "size": 35, + "owner": "tom", + "appraisedValue": 1000 +} +``` + +### Describe +```shell +$ ./network chaincode metadata | jq | head +{ + "info": { + "title": "undefined", + "version": "latest" + }, + "contracts": { + "SmartContract": { + "info": { + "title": "SmartContract", + "version": "latest" +``` + + +## Build a Chaincode Docker Image + +Before chaincode can be started in the network, it must be compiled, linked with the grpc `ChaincodeServer`, +embedded into a Docker image, and pushed to a container registry visible to the Kubernetes cluster. + +By default, the `./network` script will launch the [asset-transfer-basic](../../asset-transfer-basic/chaincode-external) +chaincode. When the test network installs this chaincode, there is no need to build a custom Docker image as it +has previously been uploaded to a public container registry. + +As an exercise, we recommend making some updates to the asset transfer basic chaincode and then running the +modified smart contract on your local Kubernetes cluster. For instance, the current version of the +[assetTransfer.go](../../asset-transfer-basic/chaincode-external/assetTransfer.go) code is completely +silent, printing nothing to the log when functions are invoked in the container. Try adding some debugging +information to the stdout of this process, bundling into a Docker image, and pushing the docker +image to the local development container registry. + +1. Add some print statements to assetTransfer.go. E.g.: +```java + fmt.Printf("reading asset %s\n", id) +``` + +2. Build the docker image locally with: +```shell +docker build -t asset-transfer-basic ../asset-transfer-basic/chaincode-external +``` + +3. Override the test network's default chaincode image, pointing to our local container registry: +```shell +export TEST_NETWORK_CHAINCODE_IMAGE=localhost:5000/asset-transfer-basic +``` + +3. Publish the custom image to the local registry: + +```shell +docker tag asset-transfer-basic $TEST_NETWORK_CHAINCODE_IMAGE +docker push $TEST_NETWORK_CHAINCODE_IMAGE +``` + + +## Debugging Chaincode + +One of the most compelling features of Fabric's _Chaincode-as-a-Service_ pattern is that when the peer connects to a +chaincode URL, it can connect back to a port on the local host. Instead of connecting to a pod running in a +container within Kubernetes, we can simply connect to a native binary running in a debugger, an IDE, or docker image +running locally! + +Using a singular framework, we can employ this method to enable _rapid_ **edit/test/debug cycles** when authoring +code, **verify** docker images generated by a CI/CD pipeline, and run integration tests on a local Kubernetes. + +For example, we can deploy the basic asset transfer smart contract with a [connection.json](../chaincode/asset-transfer-basic-debug/connection.json) +referencing a service bound to the Docker network's IP address for the local host: +```json +{ + "address": "host.docker.internal:9999", +} +``` +When the test network opens a TCP socket to the chaincode process, the connection will be made from containers +running within Kubernetes to the port opened on the local system. Let's employ this to technique by running a +chaincode endpoint in a local Docker container, native binary, or IDE debugger: + + +0. Edit assetTransfer.go and [Build the Chaincode Image](#build-a-chaincode-docker-image) + + +1. Bring up the test network with: +```shell +$ ./network up +$ ./network channel create +``` + +2. Install the debug chaincode archive, using a connection to localhost:9999 : +```shell +$ export TEST_NETWORK_CHAINCODE_NAME=asset-transfer-basic-debug +$ export TEST_NETWORK_CHAINCODE_IMAGE=localhost:5000/asset-transfer-basic + +$ ./network chaincode install +Installing chaincode "asset-transfer-basic-debug": +βœ… - Packaging chaincode folder chaincode/asset-transfer-basic-debug ... +βœ… - Transferring chaincode archive to org1 ... +βœ… - Installing chaincode for org org1 ... +🏁 - Chaincode is installed with CHAINCODE_ID=basic_1.0:159ed2f227586f40c5804e157919903fda2b861488f35eefb365eb9d85a73da3 +``` + +3. Set the `CHAINCODE_ID` and launch the chaincode binding to localhost:9999: +```shell +$ export CHAINCODE_ID=basic_1.0:159ed2f227586f40c5804e157919903fda2b861488f35eefb365eb9d85a73da3 + +$ docker run \ + --rm \ + --name asset-transfer-basic-debug \ + -e CHAINCODE_ID \ + -e CHAINCODE_SERVER_ADDRESS=0.0.0.0:9999 \ + -p 9999:9999 \ + localhost:5000/asset-transfer-basic +``` + +4. Activate the chaincode (commit and approve on the peer): +```shell +$ ./network chaincode activate +``` + +When the peer communicates with chaincode in this fashion, the network will reach out to the grpc server +bound to the localhost:9999, rather than connecting to services locked up behind the wall of Kubernetes +networking. + +As an exercise, try using this approach to: + +- introduce some `fmt.Printf` logging output to the chaincode, attaching to a process running locally in an IDE / debugger. +- build your local modifications into a docker container, publishing locally to localhost:5000/asset-transfer-basic +- test your local modifications by running a chaincode referencing the image hosted in the local container registry. + + +## Next Steps: + +[Writing a Blockchain Application](APPLICATIONS.md) \ No newline at end of file diff --git a/test-network-k8s/docs/CHANNELS.md b/test-network-k8s/docs/CHANNELS.md new file mode 100644 index 00000000..23fa33f6 --- /dev/null +++ b/test-network-k8s/docs/CHANNELS.md @@ -0,0 +1,206 @@ +# Channels + +Once the test network peers and orderers have been started, and the network identities have been registered +and enrolled with the ECert CA, we can construct a channel linking the participants of the test network +blockchain. + +## TL/DR : + +```shell +$ export TEST_NETWORK_CHANNEL_NAME="mychannel" + +$ ./network channel create +Creating channel "mychannel": +βœ… - Creating channel MSP ... +βœ… - Aggregating channel MSP ... +βœ… - Launching admin CLIs ... +βœ… - Creating channel "mychannel" ... +βœ… - Joining org1 peers to channel "mychannel" ... +βœ… - Joining org2 peers to channel "mychannel" ... +🏁 - Channel is ready. +``` + +## Process Overview + +In order to construct a communication channel, the following steps must be performed: + +1. TLS and MSP public certificates must be aggregated and distributed to all participants in the network. + +2. Each organization will launch a command-line pod with the MSP environment such that all fabric binaries are + executed as the Admin user. + +3. The channel genesis block is constructed from `configtx.yaml`, and `osnadmin` is used to distribute the new + channel configuration block to all orderers in the network. + +4. The network peers fetch the genesis block from the orderers, and use the configuration to join the channel. + + +## Distributing Channel MSP +```shell +βœ… - Creating channel MSP ... +βœ… - Aggregating channel MSP ... +``` + +One of the responsibilities of a Hyperledger Fabric _Consortium Organizer_ is to distribute the public MSP and +TLS certificates to organizations participating in a blockchain. In the Docker composed based test network, or +systems bootstrapped with the `cryptogen` command, all of the public certificates will be available on a common +file system or volume share. In our Kubernetes test network, each organization maintains the cryptographic +assets on a distinct persistent volume, invisible to other the other participants in the network. + +To distribute the TLS and MSP _public_ certificates, the test network emulates the responsibilities of the +consortium organizer by constructing a [Channel MSP](https://hyperledger-fabric.readthedocs.io/en/latest/membership/membership.html#channel-msps) +structure, extracting the relevant certificate files into a single `msp-{org}.tar.gz` archive. This MSP +archive is then relayed to network participants, where it can be extracted and used to set the MSP context +in which the peer executes administrative commands. + +The kube-specific techniques employed in MSP [construction](link) and [distribution](link) are: + +- Channel MSP is generated by piping shell commands into each org's ECert CA pod. +- Channel MSP is extracted to the local system by piping the output of `tar` through `kubectl` (equivalent + to the [kubectl cp command](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#cp)). + MSP archives are saved locally in `/build/msp-{org}.tar.gz` archives. +- Channel MSP is distributed across network participants by transferring the MSP archive files from + `build/msp/msp-{org}.tgz` into the cluster as a config map. +- An `initContainer` is launched in each organization's Admin CLI pod, unfurling the MSP context from the + `msp-config` config map into the local volume. + +Despite this additional complexity, this technique allows us to carefully target the MSP context in which +remote peer commands execute. The construct of an _MSP Archive_ may be extended to other circumstances +in which a consortium organizer transfers the _public_ certificates in an out-of-band fashion to +participants of a blockchain network. + +Aggregating the certificates as a local MSP archive is accomplished by piping a `tar` archive from the output +of a remote `kubectl` into a local archive files. These files are then mounted into the Kube namespace by +constructing the `msp-config` config map: + +```shell +kubectl -n $NS exec deploy/org0-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/ordererOrganizations/org0.example.com/msp > msp/msp-org0.example.com.tgz +kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp > msp/msp-org1.example.com.tgz +kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp > msp/msp-org2.example.com.tgz + +kubectl -n $NS delete configmap msp-config || true +kubectl -n $NS create configmap msp-config --from-file=msp/``` +``` + + +## `Admin` Commands +```shell +βœ… - Launching admin CLIs ... +``` + +After the channel MSP archives have been constructed and loaded into the `msp-config` ConfigMap, a series +of kubernetes pods are launched in the namespace with an environment suitable for running the Fabric +`peer` commands as the organization Administrator. Before starting the CLI admin container, an `initContainer` +reads the MSP archives and unfurls them into a location on the org's persistent volume: + +```yaml +# This init container will unfurl all of the MSP archives listed in the msp-config config map. +initContainers: +- name: msp-unfurl + image: busybox + command: + - sh + - -c + - "for msp in $(ls /msp/msp-*.tgz); do echo $msp && tar zxvf $msp -C /var/hyperledger/fabric; done" + volumeMounts: + - name: msp-config + mountPath: /msp + - name: fabric-volume + mountPath: /var/hyperledger +``` + +Once the MSP archives are extracted, the CLI is launched and the environment set such that `peer` commands +will be executed with the organization's Administrative role. + +```shell +cat kube/org0/org0-admin-cli.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' | kubectl -n $NS apply -f - +cat kube/org1/org1-admin-cli.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' | kubectl -n $NS apply -f - +cat kube/org2/org2-admin-cli.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' | kubectl -n $NS apply -f - +``` + +## Create the Channel +```shell +βœ… - Creating channel "mychannel" ... +``` + +As the _consortium leader_ org0, we create the channel's genesis block and use the orderer admin REST +services to register the channel genesis block configuration on the ordering nodes: + +```shell +configtxgen -profile TwoOrgsApplicationGenesis -channelID '${CHANNEL_NAME}' -outputBlock genesis_block.pb + +osnadmin channel join --orderer-address org0-orderer1:9443 --channelID '${CHANNEL_NAME}' --config-block genesis_block.pb +osnadmin channel join --orderer-address org0-orderer2:9443 --channelID '${CHANNEL_NAME}' --config-block genesis_block.pb +osnadmin channel join --orderer-address org0-orderer3:9443 --channelID '${CHANNEL_NAME}' --config-block genesis_block.pb +``` + + +## Join Peers + +```shell +βœ… - Joining org1 peers to channel "mychannel" ... +βœ… - Joining org2 peers to channel "mychannel" ... +``` + +After the channel configurations have been registered with the network orderers, we will join the peers to the channel +by retrieving the genesis block from the orderers and then joining the channel: + +```shell + # Fetch the genesis block from an orderer + peer channel \ + fetch oldest \ + genesis_block.pb \ + -c '${CHANNEL_NAME}' \ + -o org0-orderer1:6050 \ + --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem + + # Join peer1 to the channel. + CORE_PEER_ADDRESS='${org}'-peer1:7051 \ + peer channel \ + join \ + -b genesis_block.pb \ + -o org0-orderer1:6050 \ + --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem + + # Join peer2 to the channel. + CORE_PEER_ADDRESS='${org}'-peer2:7051 \ + peer channel \ + join \ + -b genesis_block.pb \ + -o org0-orderer1:6050 \ + --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem +``` + + +## Set Anchor Peers (Optional) +```shell +$ ./network anchor peer2 +βœ… - Updating anchor peers to "peer2" ... +``` + +In the test network, the configtx.yaml sets the organization [Anchor Peers](https://hyperledger-fabric.readthedocs.io/en/latest/glossary.html?highlight=anchor#anchor-peer) +to "peer1" in the genesis block. As such, no additional configuration is necessary for neighboring +organizations to discover additional peers in the network. + +However, the process of setting the anchor peers on a channel requires a more complicated scripting process, so we +have included in the test network a mechanism to illustrate how anchor peers may be set on a network after a +channel has been constructed. + +Up to this point in the network configuration, the shell scripts orchestrating the remote volumes, peers, and +admin commands have all been executed by piping a sequence of commands into an existing pod directly +into the input of a `kubectl` command. For small command sets this is adequate, but for the more complicated +process of registering a channel anchor peer, we have elected to use a different approach to launch the peer +update scripts on the kubernetes cluster. + +When updating anchor peers, the `./network` script will: + +1. Transfer the shell scripts from `/scripts/*.sh` into the remote organization's persistent volume. +2. Issue a `kubectl exec -c "script-name.sh {args}"` on the org's admin CLI pod. + +For non-trivial Fabric administative tasks, this approach of uploading a script into the cluster and then +executing in an admin pod works well. + + +## Next Steps + +### [Working with Chaincode](CHAINCODE.md) \ No newline at end of file diff --git a/test-network-k8s/docs/KUBERNETES.md b/test-network-k8s/docs/KUBERNETES.md new file mode 100644 index 00000000..6472e1cf --- /dev/null +++ b/test-network-k8s/docs/KUBERNETES.md @@ -0,0 +1,161 @@ +# Kubernetes + +To get started with the Kube test network, you will need access to a Kubernetes cluster. + +## TL/DR : + +```shell +$ ./network kind +Initializing KIND cluster "kind": +βœ… - Pulling docker images for Fabric 2.3.2 ... +βœ… - Creating cluster "kind" ... +βœ… - Launching Nginx ingress controller ... +βœ… - Launching container registry "kind-registry" at localhost:5000 ... +🏁 - Cluster is ready. +``` + +and : +```shell +$ ./network unkind +Deleting cluster "kind": +☠️ - Deleting KIND cluster kind ... +🏁 - Cluster is gone. +``` + + +## Kube Context: + +For illustration purposes, this project attempts in all cases to _keep it simple_ as the +general rule. By default, we will rely on `kind` ([Kubernetes IN Docker](https://kind.sigs.k8s.io)) +as a mechanism to quickly spin up ephemeral, short-lived clusters for development and +illustration. + +To maximize portability across revisions, vendor distributions, hardware profiles, and +network topologies, this project relies _exclusively_ on scripted interaction with the +Kube API controller to reflect updates in a remote cluster. While this may not be the +ideal technique for managing production workloads, the objective of this guide is to provide +clarity on the nuances of Fabric / Kubernetes deployments, rather than an opinionated +perspective on state of the art techniques for cloud Dev/Ops. Targeting +the core Kube APIs means that there is a good chance that the systems will work "as-is" +simply by setting the kubectl context to reference a cloud-native cluster (e.g. OCP, IKS, +AWS, etc.) + +If you don't have access to an existing cluster, or want to set up a short-lived cluster +for development, testing, or CI, you can create a new cluster with: + +```shell +$ ./network kind +``` +or: +```shell +$ kind create cluster +``` + +By default, `kind` will set the current Kube context to reference the new cluster. Any +interaction with `kubectl` (or kube-context aware SDKs) will inherit the current context. + +```shell +$ kubectl cluster-info +Kubernetes control plane is running at https://127.0.0.1:55346 +CoreDNS is running at https://127.0.0.1:55346/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy + +To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. +``` + +When you are done with the cluster, tear it down with: +```shell +$ ./network unkind +``` +or: +```shell +$ kind delete cluster +``` + +## Test Network Structure + +To emulate a more realistic example of multi-party collaboration, the test network +forms a blockchain consensus group spanning three virtual organizations. Access to the +blockchain is entirely constrained to Kubernetes private networks, and consuming applications +make use of a Kube ingress controller for external visibility. + +In k8s terms: + +- The blockchain is contained within a single Kubernetes `Cluster`. +- Blockchain services (nodes, orderers, chaincode, etc.) reside within a single `Namespace`. +- Each organization maintains a distinct, independent `PersistentVolumeClaim` for TLS certificates, + local MSP, private data, and transaction ledgers. +- Smart Contracts rely exclusively on the [Chaincode-as-a-Service](link) and [External Builder](link) + patterns, running in the cluster as Kube `Deployments` with companion `Services`. +- An HTTP(s) `Ingress` and companion gateway application is required for external access to the blockchain. + +When running the test network locally, the `./network kind` bootstrap will configure the system with +an [Nginx ingress controller](link), a private [Container Registry](link), and persistent volumes / claims for +host-local organization storage. + +Behind the scenes, `./network kind` is running: + +```shell +# Create the KIND cluster and nginx ingress controller bound to :80 and :443 +kind create cluster --name ${TEST_NETWORK_CLUSTER_NAME:-kind} --config scripts/kind-config.yaml + +# Create the Kube namespace +kubectl create namespace ${TEST_NETWORK_NAMESPACE:-test-network} + +# Create host persistent volumes (tied the kind-control-plane docker image lifetime) +kubectl create -f kube/pv-fabric-org0.yaml +kubectl create -f kube/pv-fabric-org1.yaml +kubectl create -f kube/pv-fabric-org2.yaml + +# Create persistent volume claims binding to the host (docker) volumes +kubectl -n $NS create -f kube/pvc-fabric-org0.yaml +kubectl -n $NS create -f kube/pvc-fabric-org1.yaml +kubectl -n $NS create -f kube/pvc-fabric-org2.yaml +``` + +## Container Registry + +The [kube yaml descriptors](../kube) generally rely on the public Fabric images maintained at the public +Docker and GitHub container registries. For casual usage, the test network will bootstrap and launch CAs, +peers, orderers, chaincode, and sample applications without any additional configuration. + +While public images are made available for pre-canned samples, there will undoubtedly be cases +where you would like to build custom chaincode, gateway client applications, or custom builds of core +Fabric binaries without uploading your code to a public registry. For this purpose, the Kube test +network includes a [Local Registry](https://kind.sigs.k8s.io/docs/user/local-registry/) available for +you to _quickly_ deploy custom images directly into the cluster without uploading your code to the +Internet. + +By default, the [kind.sh](../scripts/kind.sh) bootstrap will configure and link up a local container +registry running at `localhost:5000/`. Images pushed to this registry will be immediately available +to Pods deployed to the local cluster. + +For dev/test/CI based flows using an external registry, the traditional Kubernetes practice of +[Adding ImagePullSecrets to a service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account) +still applies. + + +## Cloud Vendors + +While the test network primarily targets KIND clusters, the singular reliance on the Kube API plane +means that it should also work without modification on any modern cloud-based or bare metal +Kubernetes distribution. While supporting the entire ecosystem of cloud vendors is not in scope +for this sample project, we'd love to hear feedback, success stories, or bugs related to applying the +test network to additional platforms. + +In general, at a high-level the steps required to port the test network to ANY kube vendor are: + +- Configure an HTTP `Ingress` for access to any gateway, REST, or companion blockchain applications. +- Register `PersistentVolumeClaims` for each of the organizations in the test network. +- Create a `Namespace` for each instance of the test network. +- Upload your chaincode, gateway clients, and application logic to an external Container Registry. +- Run with a `ServiceAccount` and role bindings suitable for creating `Pods`, `Deployments`, and `Services`. + +Example configurations for common cloud vendors: + +### IKS +### OCP +### AWS +### Azure + +## Next : [Fabric Certificate Authorities](CA.md) + diff --git a/test-network-k8s/docs/README.md b/test-network-k8s/docs/README.md new file mode 100644 index 00000000..9319e8f8 --- /dev/null +++ b/test-network-k8s/docs/README.md @@ -0,0 +1,49 @@ +# Kubernetes Test Network + +Starting in release 2.0, Hyperledger introduced the [test-network](https://hyperledger-fabric.readthedocs.io/en/latest/test_network.html) +to serve as both an accelerator and learning resource for running Fabric networks. In addition to +providing a study guide for operational patterns, the test-network provided a baseline environment for members of +the Fabric community to quickly get up to speed with a working, local system, author smart contracts, and develop +simple blockchain applications. + +While test-network provided a solid foundation for casual Fabric development, the over-reliance on +[Docker Compose](https://docs.docker.com/compose/) introduced tremendous, non-trivial complexity when transitioning +applications to production. Without belaboring the many issues and anti-patterns present in the Compose-based +test network, we'll submit that the best path forward is to _align_ the development and production patterns around a +common orchestration framework - Kubernetes. + +Similar to Fabric, Kubernetes introduces a steep learning curve and presents a dizzying array of operational +flexibility. In this guide, we'll outline the design considerations in the [`./network`](../network) +scripts, provide a supplement to the [Fabric CA Deployment Guide](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy.html), +and build up to a reference model for realistic production deployments on Kubernetes. + +_Ahoy!_ + + +## Network Topology + +The Kube test network establishes as consortium among a dedicated ordering organization and two peer organizations. +Participation in the network is managed over a channel, and transactions are committed to the blockchain ledgers by +invoking the [asset-transfer-basic](https://github.com/hyperledgendary/fabric-ccaas-asset-transfer-basic) +_Chaincode-as-a-Service_ running in a shared Kubernetes namespace. Each organization maintains indepedendent TLS +and ECert CAs for management of local, channel, and user MSP contexts. + +![Test Network](images/test-network.png) + + +## Detailed Guides + +- [`./network`](NETWORK.md) +- [Working with Kubernetes](KUBERNETES.md) +- [Certificate Authorities](CA.md) + - [Planning for a CA](CA.md#planning-for-a-ca) + - [Deploy the TLS CAs](CA.md#deploy-the-tls-cas) + - [Deploy the ECert CAs](CA.md#deploy-the-organization-ca) +- [Launching the Test Network](TEST_NETWORK.md) + - [Registering and Enrolling Identities](CA.md#registering-and-enrolling-identities) + - [Assembling Node MSPs](link) + - [Deploy Orderers and Peers](link) +- [Working with Channels](CHANNELS.md) +- [Working with Chaincode](CHAINCODE.md) +- [Working with Applications](APPLICATIONS.md) + diff --git a/test-network-k8s/docs/TEST_NETWORK.md b/test-network-k8s/docs/TEST_NETWORK.md new file mode 100644 index 00000000..2a97728e --- /dev/null +++ b/test-network-k8s/docs/TEST_NETWORK.md @@ -0,0 +1,221 @@ + +## Network Overview + +After we have set up a series of TLS and ECert CA services, we'll use the CAs to generate +[Local MSP](https://hyperledger-fabric.readthedocs.io/en/latest/membership/membership.html#local-msps) structures for +all of the nodes, using the local MSPs to launch our network peers and orderers. + + +### TL/DR : + +```shell +./network up +... +βœ… - Creating local node MSP ... +βœ… - Launching orderers ... +βœ… - Launching peers ... +🏁 - Network is ready. +``` + +## Fabric MSP Context + +Before we launch the network peers and orderers, each node in the network needs to have available: + +- TLS Root Certificates for all organizations in the network +- TLS Certificates and Signing Keys for SSL server/hostname verification of the network node +- Enrollment Certificates validating the network node identity (local MSP) +- Enrollment Certificates for an `Admin` identity / role for the organization. + +In order to create the local node MSP, we must first register and enroll the node identities with the ECert CAs, and +then organize the TLS and MSP certificates into a location suitable for launching the network services. + +The key steps in this process are: + +- [Registering and enrolling identities with a CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html#registering-and-enrolling-identities-with-a-ca) +- [Create the local MSP of a node](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html#create-the-local-msp-of-a-node) + +In the test network, each organization includes a function that wraps the registration, enrollment, and MSP aggregation +into a series of fabric-ca-client calls. [The script](../scripts/test_network.sh) will be executed directly on the +org's ECert CA pod, with access to the persistent volume for storage of the MSP and TLS certificates. While this is +largely boilerplate scripting, the process is straightforward: For each node in the network, we'll use the CAs to +generate TLS+MSP certificates, bundling into an MSP with a `config.yaml` specifying the fabric roles associated with +the target usage in the network. + +For example, the ordering organization sets up the node local MSP with: +```shell +# Each identity in the network needs a registration and enrollment. +fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp +fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp +fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp +fabric-ca-client register --id.name org0-admin --id.secret org0adminpw --id.type admin --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" + +fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-ecert-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp +fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-ecert-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp +fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-ecert-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp +fabric-ca-client enroll --url https://org0-admin:org0adminpw@org0-ecert-ca --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/users/Admin@org0.example.com/msp + +# Each node in the network needs a TLS registration and enrollment. +fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp +fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp +fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp + +fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-tls-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls +fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-tls-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls +fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-tls-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls + +# Copy the TLS signing keys to a fixed path for convenience when starting the orderers. +cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/server.key +cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/server.key +cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/server.key + +# Create an MSP config.yaml (why is this not generated by the enrollment by fabric-ca-client?) +echo "NodeOUs: + Enable: true + ClientOUIdentifier: + Certificate: cacerts/org0-ecert-ca.pem + OrganizationalUnitIdentifier: client + PeerOUIdentifier: + Certificate: cacerts/org0-ecert-ca.pem + OrganizationalUnitIdentifier: peer + AdminOUIdentifier: + Certificate: cacerts/org0-ecert-ca.pem + OrganizationalUnitIdentifier: admin + OrdererOUIdentifier: + Certificate: cacerts/org0-ecert-ca.pem + OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml + +cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp/config.yaml +cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp/config.yaml +``` + + +## External Chaincode Builders + +Running Fabric in Kubernetes places some unique constraints on the Chaincode lifecycle: + +- Many cloud-native vendors rely on [containerd.io](https://containerd.io) to manage the lifecycle of containers + within a cluster. By contrast, Fabric assumes the presence of a Docker daemon to compile and launch chaincode + containers. Without a local Docker daemon, Fabric's default chaincode pipeline is doomed! + + +- For security and operational concerns, it is a "non-starter" to run a docker daemon on Kubernetes worker nodes. + + +- For cloud-ready development, test, validation, CI/CD, and production practices, the use of the + [Chaincode as a Service](https://hyperledger-fabric.readthedocs.io/en/latest/cc_service.html) pattern provides a + _vastly superior user experience_. However, with the current (2.3) Fabric builds, the configuration of [External + Chaincode Builders](https://hyperledger-fabric.readthedocs.io/en/latest/cc_launcher.html) is non-trivial and + includes some real complexity for deployment to Kubernetes. + + +- Running Chaincode builds in Docker in Docker, running in Kubernetes in Docker is ... interesting. Let's + step back and _keep it simple_. + + + +For the Kube Test Network, we've configured the peer nodes to launch with the [fabric-ccs-builder](https://github.com/hyperledgendary/fabric-ccs-builder) +External Chaincode Builders pre-bundled into the network. When chaincode is installed on the peers, the external +builder binaries will be invoked, bypassing the reliance on a local Docker daemon running in Kubernetes. + +This configuration is accomplished by registering an external builder in the peer core.yaml: + +```yaml + externalBuilders: + - path: /var/hyperledger/fabric/chaincode/ccs-builder + name: ccs-builder + propagateEnvironment: + - HOME + - CORE_PEER_ID + - CORE_PEER_LOCALMSPID +``` + +At launch time, the Kubernetes deployment includes an init container that will load the fabric-ccs-builder binaries +from a public container registry, copying the external builders into the target volume in the peer: + +```yaml + initContainers: + - name: fabric-ccs-builder + image: ghcr.io/hyperledgendary/fabric-ccs-builder + command: [sh, -c] + args: ["cp /go/bin/* /var/hyperledger/fabric/chaincode/ccs-builder/bin/"] + volumeMounts: + - name: ccs-builder + mountPath: /var/hyperledger/fabric/chaincode/ccs-builder/bin +``` + +With this configuration we eliminate the reliance on Docker daemon, fully supporting the _Chaincode-as-a-Service_ +pattern for building smart contracts in a cloud-native environment. + +- [x] Pro tip: Use the companion container registry at `localhost:5000` to deploy custom chaincode into the test network. +- [x] Pro tip: Deploy a chaincode with `address: host.docker.internal:9999` and run your chaincode in a debugger. +- [ ] Note: An external chaincode builder will be included in future releases of Fabric. + + +## Starting Peers and Orderers + +```shell +βœ… - Launching orderers ... +βœ… - Launching peers ... +``` + +Once the local MSP structures for the network nodes have been created, the orderers and peers may be launched in the +namespace. System nodes will read base configuration files (orderer.yaml and core.yaml) from the organization +config folder, made available in Kubernetes as the `fabric-config${org}` config map. + +Each orderer and peer creates one `Deployment`, `Pod`, and `Service` in the namespace. In addition, each org +defines an `orgN-peerM-config` `ConfigMap` with environment variable overrides replacing the default settings +in the core.yaml file. Note that each node's [environment](../kube/org1/org1-peer1.yaml) includes pointers to the +node local MSP folders, certificates, and TLS signing keys that we generated above. + +Note that the deployment yaml files include some basic template substitution and parameters. For simplicity and +clarity, we elected to use basic string substitution with sed/awk/bash/etc., rather than introduce a Kube template +binding system (e.g. Helm, Kustomize, Kapitan, Ansible, etc.) for manipulating yaml templates: + +```shell +cat kube/org0/org0-orderer1.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' | kubectl -n $NS -f - +cat kube/org0/org0-orderer2.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' | kubectl -n $NS -f - +cat kube/org0/org0-orderer3.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' | kubectl -n $NS -f - + +# Wait for the orderers to completely start before launching the network peer nodes. +kubectl -n $NS rollout status deploy/org0-orderer1 +kubectl -n $NS rollout status deploy/org0-orderer2 +kubectl -n $NS rollout status deploy/org0-orderer3 + +cat kube/org1/org1-peer1.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' | kubectl -n $NS -f - +cat kube/org1/org1-peer2.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' | kubectl -n $NS -f - +cat kube/org2/org2-peer1.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' | kubectl -n $NS -f - +cat kube/org2/org2-peer2.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' | kubectl -n $NS -f - +``` + +- [x] Pro tip: Run an early-release Fabric build by setting `TEST_NETWORK_FABRIC_VERSION=2.4.0-beta` + + +## Next Steps : + +After the peers and orderers have started, the Kube namespace includes pods, deployments, and service bindings for: + +- Org0 (org0.example.com): + - TLS Certificate Authority : https://org0-tls-ca + - ECert Certificate Authority : https://org0-ecert-ca + - Orderer1 : grpcs://org0-orderer1 + - Orderer2 : grpcs://org0-orderer2 + - Orderer3 : grpcs://org0-orderer3 + + +- Org1 (org1.example.com): + - TLS Certificate Authority : https://org1-tls-ca + - ECert Certificate Authority : https://org1-ecert-ca + - Peer Node 1 : grpcs://org1-peer1 + - Peer Node 2 : grpcs://org1-peer2 + + +- Org2 (org2.example.com): + - TLS Certificate Authority : https://org2-tls-ca + - ECert Certificate Authority : https://org2-ecert-ca + - Peer Node 1 : grpcs://org2-peer1 + - Peer Node 2 : grpcs://org2-peer2 + + + +### Next : [Working With Channels](CHANNELS.md) + diff --git a/test-network-k8s/docs/images/test-network.png b/test-network-k8s/docs/images/test-network.png new file mode 100644 index 00000000..b993135c Binary files /dev/null and b/test-network-k8s/docs/images/test-network.png differ diff --git a/test-network-k8s/kube/application-deployment.yaml b/test-network-k8s/kube/application-deployment.yaml new file mode 100644 index 00000000..4e02f706 --- /dev/null +++ b/test-network-k8s/kube/application-deployment.yaml @@ -0,0 +1,48 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: application-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: application-deployment + template: + metadata: + labels: + app: application-deployment + spec: + containers: + - name: main + image: + imagePullPolicy: Always + envFrom: + - configMapRef: + name: app-fabric-org1-v1-map + resources: + requests: + memory: "50Mi" + cpu: "0.1" + volumeMounts: + - name: fabricids + mountPath: /fabric/application/wallet + - name: fabric-ccp + mountPath: /fabric/application/gateways + - name: tlscerts + mountPath: /fabric/tlscacerts + volumes: + - name: fabric-ccp + configMap: + name: app-fabric-ccp-v1-map + - name: fabricids + configMap: + name: app-fabric-ids-v1-map + - name: tlscerts + configMap: + name: app-fabric-tls-v1-map diff --git a/test-network-k8s/kube/fabric-rest-sample.yaml b/test-network-k8s/kube/fabric-rest-sample.yaml new file mode 100644 index 00000000..2bf99d7f --- /dev/null +++ b/test-network-k8s/kube/fabric-rest-sample.yaml @@ -0,0 +1,258 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: fabric-rest-sample-config-example +data: + HLF_CONNECTION_PROFILE_ORG1: | + { + "name": "test-network-org1", + "version": "1.0.0", + "client": { + "organization": "Org1", + "connection": { + "timeout": { + "peer": { + "endorser": "500" + } + } + } + }, + "organizations": { + "Org1": { + "mspid": "Org1MSP", + "peers": [ + "org1-peer1" + ], + "certificateAuthorities": [ + "org1-ecert" + ] + } + }, + "peers": { + "org1-peer1": { + "url": "grpcs://org1-peer1:7051", + "tlsCACerts": { + "pem": "-----BEGIN CERTIFICATE-----\\nMIICvzCCAmWgAwIBAgIULJGws7jbEY6ruSgDuvi9L7VphvIwCgYIKoZIzj0EAwIw\\naDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt\\nY2Etc2VydmVyMB4XDTIxMDkyMDE2MDkwMFoXDTIyMDkyMDE2MTQwMFowYDELMAkG\\nA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl\\ncmxlZGdlcjENMAsGA1UECxMEcGVlcjETMBEGA1UEAxMKb3JnMS1wZWVyMTBZMBMG\\nByqGSM49AgEGCCqGSM49AwEHA0IABL9e3GZBf1MeoObGxwSHkcgDEjMo+/13Qc4u\\nfSG2MKrveHBIEA4MRkHNqd+sTjoz0/1B15y2n+RiPo8uJvlyC/CjgfQwgfEwDgYD\\nVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV\\nHRMBAf8EAjAAMB0GA1UdDgQWBBSeytspiXlEzMAsnF9/wxqc9fydETAfBgNVHSME\\nGDAWgBQwru1VH0OwH3dxfPdD8w74ZIlLRzAVBgNVHREEDjAMggpvcmcxLXBlZXIx\\nMFsGCCoDBAUGBwgBBE97ImF0dHJzIjp7ImhmLkFmZmlsaWF0aW9uIjoiIiwiaGYu\\nRW5yb2xsbWVudElEIjoib3JnMS1wZWVyMSIsImhmLlR5cGUiOiJwZWVyIn19MAoG\\nCCqGSM49BAMCA0gAMEUCIQDJEjPxceCfXU5B/emrHE4JbEzrZKxLVViBWCNMsHiR\\nFgIgY+8jsvr3rlBPkpRhl8CtT2DgaP7iWvovtMYsPKhLAqk=\\n-----END CERTIFICATE-----\\n" + }, + "grpcOptions": { + "grpc-wait-for-ready-timeout": 100000, + "ssl-target-name-override": "org1-peer1", + "hostnameOverride": "org1-peer1" + } + } + }, + "certificateAuthorities": { + "org1-ecert-ca": { + "url": "https://org1-ecert-ca", + "caName": "org1-ecert-ca", + "tlsCACerts": { + "pem": "TODO" + }, + "httpOptions": { + "verify": "false" + } + } + } + } + HLF_CERTIFICATE_ORG1: | + -----BEGIN CERTIFICATE----- + MIIC2DCCAn6gAwIBAgIUTfcXDyxCS+2EQnznfjERUo4Vri8wCgYIKoZIzj0EAwIw + aDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK + EwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt + Y2Etc2VydmVyMB4XDTIxMDkyMDExNDEwMFoXDTIyMDkyMDExNDYwMFowYTELMAkG + A1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl + cmxlZGdlcjEOMAwGA1UECxMFYWRtaW4xEzARBgNVBAMTCm9yZzEtYWRtaW4wWTAT + BgcqhkjOPQIBBggqhkjOPQMBBwNCAAT8zvJEg3FgJ5iUA5GO+n/j48bL83STpz7N + TqejWIZNVTraxE4fjT6traKiswme7gT2NY9Jl0Dj4tbif9l2I9+Oo4IBCzCCAQcw + DgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFO1zWPynvyER + n9ml6XV5VvC9tIjTMB8GA1UdIwQYMBaAFPbIrI+lh8KayoRpW1YStWMhzJZSMCcG + A1UdEQQgMB6CHG9yZzEtdGxzLWNhLTg1NjdiOTg5OWYtdzU3amYwfgYIKgMEBQYH + CAEEcnsiYXR0cnMiOnsiYWJhYy5pbml0IjoidHJ1ZSIsImFkbWluIjoidHJ1ZSIs + ImhmLkFmZmlsaWF0aW9uIjoiIiwiaGYuRW5yb2xsbWVudElEIjoib3JnMS1hZG1p + biIsImhmLlR5cGUiOiJhZG1pbiJ9fTAKBggqhkjOPQQDAgNIADBFAiEAv99I2J9t + WtOmIzpYix8OFl4Z+ZGRHtay83ux//sZP+MCID02hFqnNpOL/ggGFaDVpVQ/eu0t + KTfVxZEMyZnJtAhp + -----END CERTIFICATE----- + HLF_PRIVATE_KEY_ORG1: | + -----BEGIN PRIVATE KEY----- + MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg7Lb+jwZqhxT3x0lT + FpU0QSmioptgfv8TI2RP5Mjp9UKhRANCAAT8zvJEg3FgJ5iUA5GO+n/j48bL83ST + pz7NTqejWIZNVTraxE4fjT6traKiswme7gT2NY9Jl0Dj4tbif9l2I9+O + -----END PRIVATE KEY----- + HLF_CONNECTION_PROFILE_ORG2: | + { + "name": "test-network-org2", + "version": "1.0.0", + "client": { + "organization": "Org2", + "connection": { + "timeout": { + "peer": { + "endorser": "300" + } + } + } + }, + "organizations": { + "Org2": { + "mspid": "Org2MSP", + "peers": [ + "org2-peer1" + ], + "certificateAuthorities": [ + "org2-ecert-ca" + ] + } + }, + "peers": { + "org2-peer1": { + "url": "grpcs://org2-peer1:7051", + "tlsCACerts": { + "pem": "-----BEGIN CERTIFICATE-----\\nMIICKDCCAc6gAwIBAgIUJJ4wGOSCfw8XOOIx29o67wBpFB4wCgYIKoZIzj0EAwIw\\naDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt\\nY2Etc2VydmVyMB4XDTIxMDkyMDExNDEwMFoXDTM2MDkxNjExNDEwMFowaDELMAkG\\nA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl\\ncmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2Vy\\ndmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyzGJLZX6pe59QAIBacjfzU4I\\nHezBYLyEu4ySpFx4xwxNLE4BWqLhB1VaOuenSQATM8pmSAy7i1830oM9elKWK6NW\\nMFQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\\nFEoAAhmjq/3M8CFPc7N8SL53erL5MA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0E\\nAwIDSAAwRQIhAJQ5PJOT4Gg8oiBU2KthMPkZqOLeu3Li4S3yBpLFgbsgAiB960P2\\nXPMu3HLoNXrktYOL9JzWlGyYRSPAnkap5Bsj0w==\\n-----END CERTIFICATE-----\\n" + }, + "grpcOptions": { + "ssl-target-name-override": "org2-peer1", + "hostnameOverride": "org2-peer1" + } + } + }, + "certificateAuthorities": { + "org2-ecert-ca": { + "url": "https://org2-ecert-ca", + "caName": "org2-ecert-ca", + "tlsCACerts": { + "pem": ["-----BEGIN CERTIFICATE-----\\nMIICKDCCAc6gAwIBAgIUJAF4fQK1KsnvdaUjau462D/5HPYwCgYIKoZIzj0EAwIw\\naDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt\\nY2Etc2VydmVyMB4XDTIxMDkxOTExMTcwMFoXDTM2MDkxNTExMTcwMFowaDELMAkG\\nA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl\\ncmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2Vy\\ndmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8bLvzagP3YANMGHVomZoGCQD\\nRgM3SenagZQ4IWqNQJSV3yTxzdgAWnPhwc+B/HdAOvAq2Oz54FmiSL9dAJoivqNW\\nMFQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\\nFDdBAwT47jtbj48aXdMfRvMPbD5tMA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0E\\nAwIDSAAwRQIhAITSk4lYWqu12jZkR94aNoKT36ctaeKHuRvXs7m2qaHSAiAtUPO7\\nXlHtI9SDTRvI4DNSb2O7y7+B3WxVeCx50fivDw==\\n-----END CERTIFICATE-----\\n"] + }, + "httpOptions": { + "verify": "false" + } + } + } + } + HLF_CERTIFICATE_ORG2: | + -----BEGIN CERTIFICATE----- + MIIC2DCCAn6gAwIBAgIUY/B19uAV6H5zK4bgqF/BcYC79eEwCgYIKoZIzj0EAwIw + aDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK + EwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt + Y2Etc2VydmVyMB4XDTIxMDkyMDExNDEwMFoXDTIyMDkyMDExNDYwMFowYTELMAkG + A1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl + cmxlZGdlcjEOMAwGA1UECxMFYWRtaW4xEzARBgNVBAMTCm9yZzItYWRtaW4wWTAT + BgcqhkjOPQIBBggqhkjOPQMBBwNCAARKTC+25gFIgbLQgSQSec3DaUJOZS6aHBAi + 0bmArVbMOxLUBT/W42ycXzfFJ9c0UAEZecDu8jxgBfEGWcbeWWMXo4IBCzCCAQcw + DgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFGIXcrVhcyJ9 + WTH2zgc9/RdE1hJsMB8GA1UdIwQYMBaAFFS96ExY5RWOcsODBAfXZe+FQIq0MCcG + A1UdEQQgMB6CHG9yZzItdGxzLWNhLTY5Yzg1Zjg5YmMtNzIyZ2cwfgYIKgMEBQYH + CAEEcnsiYXR0cnMiOnsiYWJhYy5pbml0IjoidHJ1ZSIsImFkbWluIjoidHJ1ZSIs + ImhmLkFmZmlsaWF0aW9uIjoiIiwiaGYuRW5yb2xsbWVudElEIjoib3JnMi1hZG1p + biIsImhmLlR5cGUiOiJhZG1pbiJ9fTAKBggqhkjOPQQDAgNIADBFAiEAhrXwM7Ng + IGxgF8irY7NbkQp1xqphy3tv6JbK6HPF+O8CIELMkzOclVK2rRC1K5PF99G7Cmmm + KsVw31cJcV4NTDI7 + -----END CERTIFICATE----- + HLF_PRIVATE_KEY_ORG2: | + -----BEGIN PRIVATE KEY----- + MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPJgLniT9EqcaUNbi + F3EqGyBP9LDg1baXR/5dV6xedt+hRANCAARKTC+25gFIgbLQgSQSec3DaUJOZS6a + HBAi0bmArVbMOxLUBT/W42ycXzfFJ9c0UAEZecDu8jxgBfEGWcbeWWMX + -----END PRIVATE KEY----- + + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: fabric-rest-sample +spec: + replicas: 1 + selector: + matchLabels: + app: fabric-rest-sample + template: + metadata: + labels: + app: fabric-rest-sample + spec: + containers: + - name: main + image: ghcr.io/hyperledgendary/fabric-rest-sample + imagePullPolicy: IfNotPresent + env: + - name: LOG_LEVEL + value: debug + - name: HFC_LOGGING + value: '{ "debug": "console" }' + - name: PORT + value: "3000" + - name: RETRY_DELAY + value: "3000" + - name: MAX_RETRY_COUNT + value: "5" + - name: HLF_COMMIT_TIMEOUT + value: "3000" + - name: HLF_ENDORSE_TIMEOUT + value: "30" + - name: REDIS_HOST + value: "localhost" + - name: REDIS_PORT + value: "6379" + - name: ORG1_APIKEY + value: "97834158-3224-4CE7-95F9-A148C886653E" + - name: ORG2_APIKEY + value: "BC42E734-062D-4AEE-A591-5973CB763430" + - name: AS_LOCAL_HOST + value: "false" + - name: HLF_CHAINCODE_NAME + value: "asset-transfer-basic" +# - name: REDIS_USERNAME +# value: redisuser +# - name: REDIS_PASSWORD +# value: redispasword + + envFrom: + - configMapRef: + name: fabric-rest-sample-config + ports: + - containerPort: 3000 + - name: redis + image: redis:6.2.5 + ports: + - containerPort: 6379 + +--- +apiVersion: v1 +kind: Service +metadata: + name: fabric-rest-sample +spec: + ports: + - name: http + port: 3000 + protocol: TCP + selector: + app: fabric-rest-sample + + +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: fabric-rest-sample +# annotations: +# nginx.ingress.kubernetes.io/rewrite-target: /$1 +spec: + rules: + - http: + paths: +# - path: "/fabric-rest-sample/(.*)" + - path: "/" + pathType: Prefix + backend: + service: + name: fabric-rest-sample + port: + number: 3000 diff --git a/test-network-k8s/kube/ingress-nginx.yaml b/test-network-k8s/kube/ingress-nginx.yaml new file mode 100644 index 00000000..90f5de31 --- /dev/null +++ b/test-network-k8s/kube/ingress-nginx.yaml @@ -0,0 +1,687 @@ + +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + +--- +# Source: ingress-nginx/templates/controller-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx + namespace: ingress-nginx +automountServiceAccountToken: true +--- +# Source: ingress-nginx/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller + namespace: ingress-nginx +data: +--- +# Source: ingress-nginx/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + name: ingress-nginx +rules: + - apiGroups: + - '' + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch + - apiGroups: + - '' + resources: + - nodes + verbs: + - get + - apiGroups: + - '' + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +# Source: ingress-nginx/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: + - kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +# Source: ingress-nginx/templates/controller-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx + namespace: ingress-nginx +rules: + - apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - apiGroups: + - '' + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - configmaps + resourceNames: + - ingress-controller-leader + verbs: + - get + - update + - apiGroups: + - '' + resources: + - configmaps + verbs: + - create + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch +--- +# Source: ingress-nginx/templates/controller-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx +subjects: + - kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +# Source: ingress-nginx/templates/controller-service-webhook.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + type: ClusterIP + ports: + - name: https-webhook + port: 443 + targetPort: webhook + appProtocol: https + selector: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller +--- +# Source: ingress-nginx/templates/controller-service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + type: NodePort + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + appProtocol: http + - name: https + port: 443 + protocol: TCP + targetPort: https + appProtocol: https + selector: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller +--- +# Source: ingress-nginx/templates/controller-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + selector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller + revisionHistoryLimit: 10 + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + minReadySeconds: 0 + template: + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller + spec: + dnsPolicy: ClusterFirst + containers: + - name: controller + image: k8s.gcr.io/ingress-nginx/controller:v1.0.1@sha256:26bbd57f32bac3b30f90373005ef669aae324a4de4c19588a13ddba399c6664e + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + args: + - /nginx-ingress-controller + - --election-id=ingress-controller-leader + - --controller-class=k8s.io/ingress-nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + - --publish-status-address=localhost + - --watch-ingress-without-class + - --enable-ssl-passthrough + securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: 101 + allowPrivilegeEscalation: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + ports: + - name: http + containerPort: 80 + protocol: TCP + hostPort: 80 + - name: https + containerPort: 443 + protocol: TCP + hostPort: 443 + - name: webhook + containerPort: 8443 + protocol: TCP + volumeMounts: + - name: webhook-cert + mountPath: /usr/local/certificates/ + readOnly: true + resources: + requests: + cpu: 100m + memory: 90Mi + nodeSelector: + ingress-ready: 'true' + kubernetes.io/os: linux + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Equal + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 0 + volumes: + - name: webhook-cert + secret: + secretName: ingress-nginx-admission +--- +# Source: ingress-nginx/templates/controller-ingressclass.yaml +# We don't support namespaced ingressClass yet +# So a ClusterRole and a ClusterRoleBinding is required +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: nginx + namespace: ingress-nginx +spec: + controller: k8s.io/ingress-nginx +--- +# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml +# before changing this value, check the required kubernetes version +# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + name: ingress-nginx-admission +webhooks: + - name: validate.nginx.ingress.kubernetes.io + matchPolicy: Equivalent + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + namespace: ingress-nginx + name: ingress-nginx-controller-admission + path: /networking/v1/ingresses +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ingress-nginx-admission + namespace: ingress-nginx + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ingress-nginx-admission + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ingress-nginx-admission + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: + - kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ingress-nginx-admission + namespace: ingress-nginx + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - create +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ingress-nginx-admission + namespace: ingress-nginx + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: + - kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: ingress-nginx-admission-create + namespace: ingress-nginx + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +spec: + template: + metadata: + name: ingress-nginx-admission-create + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + spec: + containers: + - name: create + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068 + imagePullPolicy: IfNotPresent + args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission + nodeSelector: + kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + runAsUser: 2000 +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: ingress-nginx-admission-patch + namespace: ingress-nginx + annotations: + helm.sh/hook: post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +spec: + template: + metadata: + name: ingress-nginx-admission-patch + labels: + helm.sh/chart: ingress-nginx-4.0.2 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 1.0.1 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + spec: + containers: + - name: patch + image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068 + imagePullPolicy: IfNotPresent + args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission + nodeSelector: + kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + runAsUser: 2000 diff --git a/test-network-k8s/kube/job-scrub-fabric-volumes.yaml b/test-network-k8s/kube/job-scrub-fabric-volumes.yaml new file mode 100644 index 00000000..2acddc92 --- /dev/null +++ b/test-network-k8s/kube/job-scrub-fabric-volumes.yaml @@ -0,0 +1,43 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: job-scrub-fabric-volumes +spec: + backoffLimit: 0 + completions: 1 + template: + metadata: + name: job-scrub-fabric-volumes + spec: + restartPolicy: "Never" + containers: + - name: main + image: busybox + command: + - sh + - -c + - "rm -rvf /mnt/fabric-*/*" + volumeMounts: + - name: fabric-org0-volume + mountPath: /mnt/fabric-org0 + - name: fabric-org1-volume + mountPath: /mnt/fabric-org1 + - name: fabric-org2-volume + mountPath: /mnt/fabric-org2 + volumes: + - name: fabric-org0-volume + persistentVolumeClaim: + claimName: fabric-org0 + - name: fabric-org1-volume + persistentVolumeClaim: + claimName: fabric-org1 + - name: fabric-org2-volume + persistentVolumeClaim: + claimName: fabric-org2 + diff --git a/test-network-k8s/kube/ns-test-network.yaml b/test-network-k8s/kube/ns-test-network.yaml new file mode 100644 index 00000000..f9ef39e0 --- /dev/null +++ b/test-network-k8s/kube/ns-test-network.yaml @@ -0,0 +1,10 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: Namespace +metadata: + name: test-network diff --git a/test-network-k8s/kube/org0/org0-admin-cli.yaml b/test-network-k8s/kube/org0/org0-admin-cli.yaml new file mode 100644 index 00000000..c7bf84bb --- /dev/null +++ b/test-network-k8s/kube/org0/org0-admin-cli.yaml @@ -0,0 +1,61 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org0-admin-cli +spec: + replicas: 1 + selector: + matchLabels: + app: org0-admin-cli + template: + metadata: + labels: + app: org0-admin-cli + spec: + containers: + - name: main + image: hyperledger/fabric-tools:{{FABRIC_VERSION}} + imagePullPolicy: IfNotPresent + env: + - name: FABRIC_CFG_PATH + value: /var/hyperledger/fabric/config + args: + - sleep + - "2147483647" + workingDir: /root + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric/config + + # This init container will unfurl all of the MSP archives listed in the msp-config config map. + initContainers: + - name: msp-unfurl + image: busybox + command: + - sh + - -c + - "for msp in $(ls /msp/msp-*.tgz); do echo $msp && tar zxvf $msp -C /var/hyperledger/fabric; done" + volumeMounts: + - name: msp-config + mountPath: /msp + - name: fabric-volume + mountPath: /var/hyperledger + + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org0 + - name: fabric-config + configMap: + name: org0-config + - name: msp-config + configMap: + name: msp-config diff --git a/test-network-k8s/kube/org0/org0-ecert-ca.yaml b/test-network-k8s/kube/org0/org0-ecert-ca.yaml new file mode 100644 index 00000000..40c2edeb --- /dev/null +++ b/test-network-k8s/kube/org0/org0-ecert-ca.yaml @@ -0,0 +1,69 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org0-ecert-ca +spec: + replicas: 1 + selector: + matchLabels: + app: org0-ecert-ca + template: + metadata: + labels: + app: org0-ecert-ca + spec: + containers: + - name: main + image: hyperledger/fabric-ca:1.5.2 + env: + - name: FABRIC_CA_SERVER_CA_NAME + value: "org0-ecert-ca" + - name: FABRIC_CA_SERVER_DEBUG + value: "false" + - name: FABRIC_CA_SERVER_HOME + value: "/var/hyperledger/fabric-ca-server" + - name: FABRIC_CA_SERVER_TLS_CERTFILE + value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/signcerts/cert.pem" + - name: FABRIC_CA_SERVER_TLS_KEYFILE + value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/keystore/key.pem" + - name: FABRIC_CA_CLIENT_HOME + value: "/var/hyperledger/fabric-ca-client" + ports: + - containerPort: 443 + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml + subPath: fabric-ecert-ca-server-config.yaml + readinessProbe: + tcpSocket: + port: 443 + initialDelaySeconds: 2 + periodSeconds: 5 + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org0 + - name: fabric-config + configMap: + name: org0-config + +--- +apiVersion: v1 +kind: Service +metadata: + name: org0-ecert-ca +spec: + ports: + - name: tls + port: 443 + protocol: TCP + selector: + app: org0-ecert-ca \ No newline at end of file diff --git a/test-network-k8s/kube/org0/org0-orderer1.yaml b/test-network-k8s/kube/org0/org0-orderer1.yaml new file mode 100644 index 00000000..a37b274d --- /dev/null +++ b/test-network-k8s/kube/org0/org0-orderer1.yaml @@ -0,0 +1,85 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: org0-orderer1-env +data: + FABRIC_CFG_PATH: /var/hyperledger/fabric/config + FABRIC_LOGGING_SPEC: INFO # debug:cauthdsl,policies,msp,common.configtx,common.channelconfig=info + ORDERER_GENERAL_LISTENADDRESS: 0.0.0.0 + ORDERER_GENERAL_LISTENPORT: "6050" + ORDERER_GENERAL_LOCALMSPID: OrdererMSP + ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp + ORDERER_GENERAL_TLS_ENABLED: "true" + ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/signcerts/cert.pem + ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/cacerts/org0-tls-ca.pem + ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/server.key + ORDERER_GENERAL_BOOTSTRAPMETHOD: none + ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer1 + ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer1/etcdraft/wal + ORDERER_CONSENSUS_SNAPDIR: /var/hyperledger/fabric/data/orderer1/etcdraft/wal + ORDERER_OPERATIONS_LISTENADDRESS: 0.0.0.0:8443 + ORDERER_ADMIN_LISTENADDRESS: 0.0.0.0:9443 + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org0-orderer1 +spec: + replicas: 1 + selector: + matchLabels: + app: org0-orderer1 + template: + metadata: + labels: + app: org0-orderer1 + spec: + containers: + - name: main + image: hyperledger/fabric-orderer:{{FABRIC_VERSION}} + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: org0-orderer1-env + ports: + - containerPort: 6050 + - containerPort: 8443 + - containerPort: 9443 + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric/config + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org0 + - name: fabric-config + configMap: + name: org0-config + +--- +apiVersion: v1 +kind: Service +metadata: + name: org0-orderer1 +spec: + ports: + - name: general + port: 6050 + protocol: TCP + - name: operations + port: 8443 + protocol: TCP + - name: admin + port: 9443 + protocol: TCP + selector: + app: org0-orderer1 \ No newline at end of file diff --git a/test-network-k8s/kube/org0/org0-orderer2.yaml b/test-network-k8s/kube/org0/org0-orderer2.yaml new file mode 100644 index 00000000..0070fda9 --- /dev/null +++ b/test-network-k8s/kube/org0/org0-orderer2.yaml @@ -0,0 +1,85 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: org0-orderer2-env +data: + FABRIC_CFG_PATH: /var/hyperledger/fabric/config + FABRIC_LOGGING_SPEC: INFO # debug:cauthdsl,policies,msp,common.configtx,common.channelconfig=info + ORDERER_GENERAL_LISTENADDRESS: 0.0.0.0 + ORDERER_GENERAL_LISTENPORT: "6050" + ORDERER_GENERAL_LOCALMSPID: OrdererMSP + ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp + ORDERER_GENERAL_TLS_ENABLED: "true" + ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/signcerts/cert.pem + ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/cacerts/org0-tls-ca.pem + ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/server.key + ORDERER_GENERAL_BOOTSTRAPMETHOD: none + ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer2 + ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer2/etcdraft/wal + ORDERER_CONSENSUS_SNAPDIR: /var/hyperledger/fabric/data/orderer2/etcdraft/wal + ORDERER_OPERATIONS_LISTENADDRESS: 0.0.0.0:8443 + ORDERER_ADMIN_LISTENADDRESS: 0.0.0.0:9443 + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org0-orderer2 +spec: + replicas: 1 + selector: + matchLabels: + app: org0-orderer2 + template: + metadata: + labels: + app: org0-orderer2 + spec: + containers: + - name: main + image: hyperledger/fabric-orderer:{{FABRIC_VERSION}} + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: org0-orderer2-env + ports: + - containerPort: 6050 + - containerPort: 8443 + - containerPort: 9443 + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric/config + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org0 + - name: fabric-config + configMap: + name: org0-config + +--- +apiVersion: v1 +kind: Service +metadata: + name: org0-orderer2 +spec: + ports: + - name: general + port: 6050 + protocol: TCP + - name: operations + port: 8443 + protocol: TCP + - name: admin + port: 9443 + protocol: TCP + selector: + app: org0-orderer2 \ No newline at end of file diff --git a/test-network-k8s/kube/org0/org0-orderer3.yaml b/test-network-k8s/kube/org0/org0-orderer3.yaml new file mode 100644 index 00000000..4db6edbf --- /dev/null +++ b/test-network-k8s/kube/org0/org0-orderer3.yaml @@ -0,0 +1,85 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: org0-orderer3-env +data: + FABRIC_CFG_PATH: /var/hyperledger/fabric/config + FABRIC_LOGGING_SPEC: INFO # debug:cauthdsl,policies,msp,common.configtx,common.channelconfig=info + ORDERER_GENERAL_LISTENADDRESS: 0.0.0.0 + ORDERER_GENERAL_LISTENPORT: "6050" + ORDERER_GENERAL_LOCALMSPID: OrdererMSP + ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp + ORDERER_GENERAL_TLS_ENABLED: "true" + ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/signcerts/cert.pem + ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/cacerts/org0-tls-ca.pem + ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/server.key + ORDERER_GENERAL_BOOTSTRAPMETHOD: none + ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer3 + ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer3/etcdraft/wal + ORDERER_CONSENSUS_SNAPDIR: /var/hyperledger/fabric/data/orderer3/etcdraft/wal + ORDERER_OPERATIONS_LISTENADDRESS: 0.0.0.0:8443 + ORDERER_ADMIN_LISTENADDRESS: 0.0.0.0:9443 + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org0-orderer3 +spec: + replicas: 1 + selector: + matchLabels: + app: org0-orderer3 + template: + metadata: + labels: + app: org0-orderer3 + spec: + containers: + - name: main + image: hyperledger/fabric-orderer:{{FABRIC_VERSION}} + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: org0-orderer3-env + ports: + - containerPort: 6050 + - containerPort: 8443 + - containerPort: 9443 + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric/config + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org0 + - name: fabric-config + configMap: + name: org0-config + +--- +apiVersion: v1 +kind: Service +metadata: + name: org0-orderer3 +spec: + ports: + - name: general + port: 6050 + protocol: TCP + - name: operations + port: 8443 + protocol: TCP + - name: admin + port: 9443 + protocol: TCP + selector: + app: org0-orderer3 \ No newline at end of file diff --git a/test-network-k8s/kube/org0/org0-tls-ca.yaml b/test-network-k8s/kube/org0/org0-tls-ca.yaml new file mode 100644 index 00000000..179d9c44 --- /dev/null +++ b/test-network-k8s/kube/org0/org0-tls-ca.yaml @@ -0,0 +1,65 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org0-tls-ca +spec: + replicas: 1 + selector: + matchLabels: + app: org0-tls-ca + template: + metadata: + labels: + app: org0-tls-ca + spec: + containers: + - name: main + image: hyperledger/fabric-ca:1.5.2 + env: + - name: FABRIC_CA_SERVER_CA_NAME + value: "org0-tls-ca" + - name: FABRIC_CA_SERVER_DEBUG + value: "false" + - name: FABRIC_CA_SERVER_HOME + value: "/var/hyperledger/fabric-tls-ca-server" + - name: FABRIC_CA_CLIENT_HOME + value: "/var/hyperledger/fabric-ca-client" + ports: + - containerPort: 443 + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric-tls-ca-server/fabric-ca-server-config.yaml + subPath: fabric-tls-ca-server-config.yaml + readinessProbe: + tcpSocket: + port: 443 + initialDelaySeconds: 2 + periodSeconds: 5 + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org0 + - name: fabric-config + configMap: + name: org0-config + +--- +apiVersion: v1 +kind: Service +metadata: + name: org0-tls-ca +spec: + ports: + - name: tls + port: 443 + protocol: TCP + selector: + app: org0-tls-ca \ No newline at end of file diff --git a/test-network-k8s/kube/org1/org1-admin-cli.yaml b/test-network-k8s/kube/org1/org1-admin-cli.yaml new file mode 100644 index 00000000..665f3595 --- /dev/null +++ b/test-network-k8s/kube/org1/org1-admin-cli.yaml @@ -0,0 +1,65 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org1-admin-cli +spec: + replicas: 1 + selector: + matchLabels: + app: org1-admin-cli + template: + metadata: + labels: + app: org1-admin-cli + spec: + containers: + - name: main + image: hyperledger/fabric-tools:{{FABRIC_VERSION}} + imagePullPolicy: IfNotPresent + env: + - name: FABRIC_CFG_PATH + value: /var/hyperledger/fabric/config + - name: CORE_PEER_MSPCONFIGPATH + value: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp + - name: CORE_PEER_TLS_ROOTCERT_FILE + value: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/org1-tls-ca.pem + args: + - sleep + - "2147483647" + workingDir: /root + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric/config + + # This init container will unfurl all of the MSP archives listed in the msp-config config map. + initContainers: + - name: msp-unfurl + image: busybox + command: + - sh + - -c + - "for msp in $(ls /msp/msp-*.tgz); do echo $msp && tar zxvf $msp -C /var/hyperledger/fabric; done" + volumeMounts: + - name: msp-config + mountPath: /msp + - name: fabric-volume + mountPath: /var/hyperledger + + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org1 + - name: fabric-config + configMap: + name: org1-config + - name: msp-config + configMap: + name: msp-config diff --git a/test-network-k8s/kube/org1/org1-cc-template.yaml b/test-network-k8s/kube/org1/org1-cc-template.yaml new file mode 100644 index 00000000..4c72bb4e --- /dev/null +++ b/test-network-k8s/kube/org1/org1-cc-template.yaml @@ -0,0 +1,45 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org1-cc-{{CHAINCODE_NAME}} +spec: + replicas: 1 + selector: + matchLabels: + app: org1-cc-{{CHAINCODE_NAME}} + template: + metadata: + labels: + app: org1-cc-{{CHAINCODE_NAME}} + spec: + containers: + - name: main + image: {{CHAINCODE_IMAGE}} + env: + - name: CHAINCODE_SERVER_ADDRESS + value: 0.0.0.0:9999 + + # todo: load with an envFrom and a dynamic config map with the ID. + - name: CHAINCODE_ID + value: {{CHAINCODE_ID}} + ports: + - containerPort: 9999 + +--- +apiVersion: v1 +kind: Service +metadata: + name: org1-cc-{{CHAINCODE_NAME}} +spec: + ports: + - name: chaincode + port: 9999 + protocol: TCP + selector: + app: org1-cc-{{CHAINCODE_NAME}} \ No newline at end of file diff --git a/test-network-k8s/kube/org1/org1-ecert-ca.yaml b/test-network-k8s/kube/org1/org1-ecert-ca.yaml new file mode 100644 index 00000000..e3da8d11 --- /dev/null +++ b/test-network-k8s/kube/org1/org1-ecert-ca.yaml @@ -0,0 +1,69 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org1-ecert-ca +spec: + replicas: 1 + selector: + matchLabels: + app: org1-ecert-ca + template: + metadata: + labels: + app: org1-ecert-ca + spec: + containers: + - name: main + image: hyperledger/fabric-ca:1.5.2 + env: + - name: FABRIC_CA_SERVER_CA_NAME + value: "org1-ecert-ca" + - name: FABRIC_CA_SERVER_DEBUG + value: "false" + - name: FABRIC_CA_SERVER_HOME + value: "/var/hyperledger/fabric-ca-server" + - name: FABRIC_CA_SERVER_TLS_CERTFILE + value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/signcerts/cert.pem" + - name: FABRIC_CA_SERVER_TLS_KEYFILE + value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/keystore/key.pem" + - name: FABRIC_CA_CLIENT_HOME + value: "/var/hyperledger/fabric-ca-client" + ports: + - containerPort: 443 + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml + subPath: fabric-ecert-ca-server-config.yaml + readinessProbe: + tcpSocket: + port: 443 + initialDelaySeconds: 2 + periodSeconds: 5 + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org1 + - name: fabric-config + configMap: + name: org1-config + +--- +apiVersion: v1 +kind: Service +metadata: + name: org1-ecert-ca +spec: + ports: + - name: tls + port: 443 + protocol: TCP + selector: + app: org1-ecert-ca \ No newline at end of file diff --git a/test-network-k8s/kube/org1/org1-peer1.yaml b/test-network-k8s/kube/org1/org1-peer1.yaml new file mode 100644 index 00000000..0f756a40 --- /dev/null +++ b/test-network-k8s/kube/org1/org1-peer1.yaml @@ -0,0 +1,103 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: org1-peer1-config +data: + FABRIC_CFG_PATH: /var/hyperledger/fabric/config + FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" + CORE_PEER_TLS_ENABLED: "true" + CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/signcerts/cert.pem + CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/keystore/server.key + CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/cacerts/org1-tls-ca.pem + CORE_PEER_ID: org1-peer1.org1.example.com + CORE_PEER_ADDRESS: org1-peer1:7051 + CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 + CORE_PEER_CHAINCODEADDRESS: org1-peer1:7052 + CORE_PEER_CHAINCODELISTENADDRESS: 0.0.0.0:7052 + # bootstrap peer is the other peer in the same org + CORE_PEER_GOSSIP_BOOTSTRAP: org1-peer2:7051 + CORE_PEER_GOSSIP_EXTERNALENDPOINT: org1-peer1:7051 + CORE_PEER_LOCALMSPID: Org1MSP + CORE_PEER_MSPCONFIGPATH: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp + CORE_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443 + CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org1-peer1.org1.example.com + CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org1-peer1.org1.example.com/snapshots + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org1-peer1 +spec: + replicas: 1 + selector: + matchLabels: + app: org1-peer1 + template: + metadata: + labels: + app: org1-peer1 + spec: + containers: + - name: main + image: hyperledger/fabric-peer:{{FABRIC_VERSION}} + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: org1-peer1-config + ports: + - containerPort: 7051 + - containerPort: 7052 + - containerPort: 9443 + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric/config + - name: ccs-builder + mountPath: /var/hyperledger/fabric/chaincode/ccs-builder/bin + + # load the external chaincode builder into the peer image prior to peer launch. + initContainers: + - name: fabric-ccs-builder + image: ghcr.io/hyperledgendary/fabric-ccs-builder + imagePullPolicy: IfNotPresent + command: [sh, -c] + args: ["cp /go/bin/* /var/hyperledger/fabric/chaincode/ccs-builder/bin/"] + volumeMounts: + - name: ccs-builder + mountPath: /var/hyperledger/fabric/chaincode/ccs-builder/bin + + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org1 + - name: fabric-config + configMap: + name: org1-config + - name: ccs-builder + emptyDir: {} +--- +apiVersion: v1 +kind: Service +metadata: + name: org1-peer1 +spec: + ports: + - name: gossip + port: 7051 + protocol: TCP + - name: chaincode + port: 7052 + protocol: TCP + - name: operations + port: 9443 + protocol: TCP + selector: + app: org1-peer1 \ No newline at end of file diff --git a/test-network-k8s/kube/org1/org1-peer2.yaml b/test-network-k8s/kube/org1/org1-peer2.yaml new file mode 100644 index 00000000..152c950e --- /dev/null +++ b/test-network-k8s/kube/org1/org1-peer2.yaml @@ -0,0 +1,89 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: org1-peer2-config +data: + FABRIC_CFG_PATH: /var/hyperledger/fabric/config + FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" + CORE_PEER_TLS_ENABLED: "true" + CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/signcerts/cert.pem + CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/keystore/server.key + CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/cacerts/org1-tls-ca.pem + CORE_PEER_ID: org1-peer2.org1.example.com + CORE_PEER_ADDRESS: org1-peer2:7051 + CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 + CORE_PEER_CHAINCODEADDRESS: org1-peer2:7052 + CORE_PEER_CHAINCODELISTENADDRESS: 0.0.0.0:7052 + # bootstrap peer is the other peer in the same org + CORE_PEER_GOSSIP_BOOTSTRAP: org1-peer1:7051 + CORE_PEER_GOSSIP_EXTERNALENDPOINT: org1-peer2:7051 + CORE_PEER_LOCALMSPID: Org1MSP + CORE_PEER_MSPCONFIGPATH: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/msp + CORE_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443 + CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org1-peer2.org1.example.com + CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org1-peer2.org1.example.com/snapshots + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org1-peer2 +spec: + replicas: 1 + selector: + matchLabels: + app: org1-peer2 + template: + metadata: + labels: + app: org1-peer2 + spec: + containers: + - name: main + image: hyperledger/fabric-peer:{{FABRIC_VERSION}} + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: org1-peer2-config + ports: + - containerPort: 7051 + - containerPort: 7052 + - containerPort: 9443 + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric/config + + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org1 + - name: fabric-config + configMap: + name: org1-config + +--- +apiVersion: v1 +kind: Service +metadata: + name: org1-peer2 +spec: + ports: + - name: gossip + port: 7051 + protocol: TCP + - name: chaincode + port: 7052 + protocol: TCP + - name: operations + port: 9443 + protocol: TCP + selector: + app: org1-peer2 \ No newline at end of file diff --git a/test-network-k8s/kube/org1/org1-tls-ca.yaml b/test-network-k8s/kube/org1/org1-tls-ca.yaml new file mode 100644 index 00000000..afedbe4d --- /dev/null +++ b/test-network-k8s/kube/org1/org1-tls-ca.yaml @@ -0,0 +1,65 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org1-tls-ca +spec: + replicas: 1 + selector: + matchLabels: + app: org1-tls-ca + template: + metadata: + labels: + app: org1-tls-ca + spec: + containers: + - name: main + image: hyperledger/fabric-ca:1.5.2 + env: + - name: FABRIC_CA_SERVER_CA_NAME + value: "org1-tls-ca" + - name: FABRIC_CA_SERVER_DEBUG + value: "false" + - name: FABRIC_CA_SERVER_HOME + value: "/var/hyperledger/fabric-tls-ca-server" + - name: FABRIC_CA_CLIENT_HOME + value: "/var/hyperledger/fabric-ca-client" + ports: + - containerPort: 443 + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric-tls-ca-server/fabric-ca-server-config.yaml + subPath: fabric-tls-ca-server-config.yaml + readinessProbe: + tcpSocket: + port: 443 + initialDelaySeconds: 2 + periodSeconds: 5 + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org1 + - name: fabric-config + configMap: + name: org1-config + +--- +apiVersion: v1 +kind: Service +metadata: + name: org1-tls-ca +spec: + ports: + - name: tls + port: 443 + protocol: TCP + selector: + app: org1-tls-ca \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-admin-cli.yaml b/test-network-k8s/kube/org2/org2-admin-cli.yaml new file mode 100644 index 00000000..be47123a --- /dev/null +++ b/test-network-k8s/kube/org2/org2-admin-cli.yaml @@ -0,0 +1,65 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org2-admin-cli +spec: + replicas: 1 + selector: + matchLabels: + app: org2-admin-cli + template: + metadata: + labels: + app: org2-admin-cli + spec: + containers: + - name: main + image: hyperledger/fabric-tools:{{FABRIC_VERSION}} + imagePullPolicy: IfNotPresent + env: + - name: FABRIC_CFG_PATH + value: /var/hyperledger/fabric/config + - name: CORE_PEER_MSPCONFIGPATH + value: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp + - name: CORE_PEER_TLS_ROOTCERT_FILE + value: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/msp/tlscacerts/org2-tls-ca.pem + args: + - sleep + - "2147483647" + workingDir: /root + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric/config + + # This init container will unfurl all of the MSP archives listed in the msp-config config map. + initContainers: + - name: msp-unfurl + image: busybox + command: + - sh + - -c + - "for msp in $(ls /msp/msp-*.tgz); do echo $msp && tar zxvf $msp -C /var/hyperledger/fabric; done" + volumeMounts: + - name: msp-config + mountPath: /msp + - name: fabric-volume + mountPath: /var/hyperledger + + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org2 + - name: fabric-config + configMap: + name: org2-config + - name: msp-config + configMap: + name: msp-config diff --git a/test-network-k8s/kube/org2/org2-cc.yaml b/test-network-k8s/kube/org2/org2-cc.yaml new file mode 100644 index 00000000..5075f2ba --- /dev/null +++ b/test-network-k8s/kube/org2/org2-cc.yaml @@ -0,0 +1,6 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + diff --git a/test-network-k8s/kube/org2/org2-ecert-ca.yaml b/test-network-k8s/kube/org2/org2-ecert-ca.yaml new file mode 100644 index 00000000..56c3350f --- /dev/null +++ b/test-network-k8s/kube/org2/org2-ecert-ca.yaml @@ -0,0 +1,69 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org2-ecert-ca +spec: + replicas: 1 + selector: + matchLabels: + app: org2-ecert-ca + template: + metadata: + labels: + app: org2-ecert-ca + spec: + containers: + - name: main + image: hyperledger/fabric-ca:1.5.2 + env: + - name: FABRIC_CA_SERVER_CA_NAME + value: "org2-ecert-ca" + - name: FABRIC_CA_SERVER_DEBUG + value: "false" + - name: FABRIC_CA_SERVER_HOME + value: "/var/hyperledger/fabric-ca-server" + - name: FABRIC_CA_SERVER_TLS_CERTFILE + value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/signcerts/cert.pem" + - name: FABRIC_CA_SERVER_TLS_KEYFILE + value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/keystore/key.pem" + - name: FABRIC_CA_CLIENT_HOME + value: "/var/hyperledger/fabric-ca-client" + ports: + - containerPort: 443 + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml + subPath: fabric-ecert-ca-server-config.yaml + readinessProbe: + tcpSocket: + port: 443 + initialDelaySeconds: 2 + periodSeconds: 5 + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org2 + - name: fabric-config + configMap: + name: org2-config + +--- +apiVersion: v1 +kind: Service +metadata: + name: org2-ecert-ca +spec: + ports: + - name: tls + port: 443 + protocol: TCP + selector: + app: org2-ecert-ca \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-peer1.yaml b/test-network-k8s/kube/org2/org2-peer1.yaml new file mode 100644 index 00000000..193dd2cc --- /dev/null +++ b/test-network-k8s/kube/org2/org2-peer1.yaml @@ -0,0 +1,104 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: org2-peer1-config +data: + FABRIC_CFG_PATH: /var/hyperledger/fabric/config + FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" + CORE_PEER_TLS_ENABLED: "true" + CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/signcerts/cert.pem + CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/keystore/server.key + CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/cacerts/org2-tls-ca.pem + CORE_PEER_ID: org2-peer1.org2.example.com + CORE_PEER_ADDRESS: org2-peer1:7051 + CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 + CORE_PEER_CHAINCODEADDRESS: org2-peer1:7052 + CORE_PEER_CHAINCODELISTENADDRESS: 0.0.0.0:7052 + # bootstrap peer is the other peer in the same org + CORE_PEER_GOSSIP_BOOTSTRAP: org2-peer2:7051 + CORE_PEER_GOSSIP_EXTERNALENDPOINT: org2-peer1:7051 + CORE_PEER_LOCALMSPID: Org2MSP + CORE_PEER_MSPCONFIGPATH: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp + CORE_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443 + CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org2-peer1.org2.example.com + CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org2-peer1.org2.example.com/snapshots + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org2-peer1 +spec: + replicas: 1 + selector: + matchLabels: + app: org2-peer1 + template: + metadata: + labels: + app: org2-peer1 + spec: + containers: + - name: main + image: hyperledger/fabric-peer:{{FABRIC_VERSION}} + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: org2-peer1-config + ports: + - containerPort: 7051 + - containerPort: 7052 + - containerPort: 9443 + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric/config + - name: ccs-builder + mountPath: /var/hyperledger/fabric/chaincode/ccs-builder/bin + + # load the external chaincode builder into the peer image prior to peer launch. + initContainers: + - name: fabric-ccs-builder + image: ghcr.io/hyperledgendary/fabric-ccs-builder + imagePullPolicy: IfNotPresent + command: [sh, -c] + args: ["cp /go/bin/* /var/hyperledger/fabric/chaincode/ccs-builder/bin/"] + volumeMounts: + - name: ccs-builder + mountPath: /var/hyperledger/fabric/chaincode/ccs-builder/bin + + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org2 + - name: fabric-config + configMap: + name: org2-config + - name: ccs-builder + emptyDir: {} + +--- +apiVersion: v1 +kind: Service +metadata: + name: org2-peer1 +spec: + ports: + - name: gossip + port: 7051 + protocol: TCP + - name: chaincode + port: 7052 + protocol: TCP + - name: operations + port: 9443 + protocol: TCP + selector: + app: org2-peer1 \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-peer2.yaml b/test-network-k8s/kube/org2/org2-peer2.yaml new file mode 100644 index 00000000..c0df9b4e --- /dev/null +++ b/test-network-k8s/kube/org2/org2-peer2.yaml @@ -0,0 +1,89 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: org2-peer2-config +data: + FABRIC_CFG_PATH: /var/hyperledger/fabric/config + FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" + CORE_PEER_TLS_ENABLED: "true" + CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/signcerts/cert.pem + CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/keystore/server.key + CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/cacerts/org2-tls-ca.pem + CORE_PEER_ID: org2-peer2.org2.example.com + CORE_PEER_ADDRESS: org2-peer2:7051 + CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 + CORE_PEER_CHAINCODEADDRESS: org2-peer2:7052 + CORE_PEER_CHAINCODELISTENADDRESS: 0.0.0.0:7052 + # bootstrap peer is the other peer in the same org + CORE_PEER_GOSSIP_BOOTSTRAP: org2-peer1:7051 + CORE_PEER_GOSSIP_EXTERNALENDPOINT: org2-peer2:7051 + CORE_PEER_LOCALMSPID: Org2MSP + CORE_PEER_MSPCONFIGPATH: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/msp + CORE_OPERATIONS_LISTENADDRESS: 0.0.0.0:9443 + CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org2-peer2.org2.example.com + CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org2-peer2.org2.example.com/snapshots + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org2-peer2 +spec: + replicas: 1 + selector: + matchLabels: + app: org2-peer2 + template: + metadata: + labels: + app: org2-peer2 + spec: + containers: + - name: main + image: hyperledger/fabric-peer:{{FABRIC_VERSION}} + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: org2-peer2-config + ports: + - containerPort: 7051 + - containerPort: 7052 + - containerPort: 9443 + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric/config + + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org2 + - name: fabric-config + configMap: + name: org2-config + +--- +apiVersion: v1 +kind: Service +metadata: + name: org2-peer2 +spec: + ports: + - name: gossip + port: 7051 + protocol: TCP + - name: chaincode + port: 7052 + protocol: TCP + - name: operations + port: 9443 + protocol: TCP + selector: + app: org2-peer2 \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-tls-ca.yaml b/test-network-k8s/kube/org2/org2-tls-ca.yaml new file mode 100644 index 00000000..b28a7aa0 --- /dev/null +++ b/test-network-k8s/kube/org2/org2-tls-ca.yaml @@ -0,0 +1,65 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: org2-tls-ca +spec: + replicas: 1 + selector: + matchLabels: + app: org2-tls-ca + template: + metadata: + labels: + app: org2-tls-ca + spec: + containers: + - name: main + image: hyperledger/fabric-ca:1.5.2 + env: + - name: FABRIC_CA_SERVER_CA_NAME + value: "org2-tls-ca" + - name: FABRIC_CA_SERVER_DEBUG + value: "false" + - name: FABRIC_CA_SERVER_HOME + value: "/var/hyperledger/fabric-tls-ca-server" + - name: FABRIC_CA_CLIENT_HOME + value: "/var/hyperledger/fabric-ca-client" + ports: + - containerPort: 443 + volumeMounts: + - name: fabric-volume + mountPath: /var/hyperledger + - name: fabric-config + mountPath: /var/hyperledger/fabric-tls-ca-server/fabric-ca-server-config.yaml + subPath: fabric-tls-ca-server-config.yaml + readinessProbe: + tcpSocket: + port: 443 + initialDelaySeconds: 2 + periodSeconds: 5 + volumes: + - name: fabric-volume + persistentVolumeClaim: + claimName: fabric-org2 + - name: fabric-config + configMap: + name: org2-config + +--- +apiVersion: v1 +kind: Service +metadata: + name: org2-tls-ca +spec: + ports: + - name: tls + port: 443 + protocol: TCP + selector: + app: org2-tls-ca \ No newline at end of file diff --git a/test-network-k8s/kube/pv-fabric-org0.yaml b/test-network-k8s/kube/pv-fabric-org0.yaml new file mode 100644 index 00000000..085872a4 --- /dev/null +++ b/test-network-k8s/kube/pv-fabric-org0.yaml @@ -0,0 +1,18 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: fabric-org0 +spec: + storageClassName: standard + accessModes: + - ReadWriteOnce + capacity: + storage: 2Gi + hostPath: + path: /var/hyperledger/example.com diff --git a/test-network-k8s/kube/pv-fabric-org1.yaml b/test-network-k8s/kube/pv-fabric-org1.yaml new file mode 100644 index 00000000..58de91af --- /dev/null +++ b/test-network-k8s/kube/pv-fabric-org1.yaml @@ -0,0 +1,18 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: fabric-org1 +spec: + storageClassName: standard + accessModes: + - ReadWriteOnce + capacity: + storage: 2Gi + hostPath: + path: /var/hyperledger/org1.example.com diff --git a/test-network-k8s/kube/pv-fabric-org2.yaml b/test-network-k8s/kube/pv-fabric-org2.yaml new file mode 100644 index 00000000..aa3660c7 --- /dev/null +++ b/test-network-k8s/kube/pv-fabric-org2.yaml @@ -0,0 +1,18 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: fabric-org2 +spec: + storageClassName: standard + accessModes: + - ReadWriteOnce + capacity: + storage: 2Gi + hostPath: + path: /var/hyperledger/org2.example.com diff --git a/test-network-k8s/kube/pvc-fabric-org0.yaml b/test-network-k8s/kube/pvc-fabric-org0.yaml new file mode 100644 index 00000000..c3d64208 --- /dev/null +++ b/test-network-k8s/kube/pvc-fabric-org0.yaml @@ -0,0 +1,17 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: fabric-org0 +spec: + volumeName: fabric-org0 + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/test-network-k8s/kube/pvc-fabric-org1.yaml b/test-network-k8s/kube/pvc-fabric-org1.yaml new file mode 100644 index 00000000..d06bc01c --- /dev/null +++ b/test-network-k8s/kube/pvc-fabric-org1.yaml @@ -0,0 +1,17 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: fabric-org1 +spec: + volumeName: fabric-org1 + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/test-network-k8s/kube/pvc-fabric-org2.yaml b/test-network-k8s/kube/pvc-fabric-org2.yaml new file mode 100644 index 00000000..40d2e48f --- /dev/null +++ b/test-network-k8s/kube/pvc-fabric-org2.yaml @@ -0,0 +1,17 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: fabric-org2 +spec: + volumeName: fabric-org2 + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/test-network-k8s/network b/test-network-k8s/network new file mode 100755 index 00000000..ecbef2a3 --- /dev/null +++ b/test-network-k8s/network @@ -0,0 +1,157 @@ +#!/bin/bash +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# +set -o errexit + +# todo: better handling for input parameters. +# todo: skip storage volume init if deploying to a remote / cloud cluster (ICP IKS ROKS etc...) +# todo: for logging, set up a stack and allow multi-line status output codes +# todo: refactor - lots of for-org-in-0-to-2-... +# todo: find a better technique for passing input commands to a remote kube exec +# todo: register tls csr.hosts w/ kube DNS domain .NS.svc.cluster.local +# todo: user:pass auth for tls and ecert bootstrap admins. here and in the server-config.yaml +# todo: set tls.certfiles= ... arg in deployment env / yaml +# todo: refactor chaincode install to support other chaincode routines +# todo: actually compile the chaincode archive, rather than reading a pre-canned one from chaincode/*.tgz (use sha256 to get CC ID) +# todo: consider using templates for boilerplate network nodes (orderers, peers, ...) +# todo: allow the user to specify the chaincode name (hardcoded as 'basic') both in install and invoke/query +# todo: track down a nasty bug whereby the CA service endpoints (kube services) will occasionally reject TCP connections after network down/up. This is patched by introducing a 10s sleep after the deployments are up... +# todo: refactor query/invoke to specify chaincode name (-n param) + +FABRIC_VERSION=${TEST_NETWORK_FABRIC_VERSION:-2.3.2} +NETWORK_NAME=${TEST_NETWORK_NAME:-test-network} +CLUSTER_NAME=${TEST_NETWORK_KIND_CLUSTER_NAME:-kind} +NS=${TEST_NETWORK_KUBE_NAMESPACE:-${NETWORK_NAME}} +CHANNEL_NAME=${TEST_NETWORK_CHANNEL_NAME:-mychannel} +LOG_FILE=${TEST_NETWORK_LOG_FILE:-network.log} +DEBUG_FILE=${TEST_NETWORK_DEBUG_FILE:-network-debug.log} +CONTAINER_REGISTRY_NAME=${TEST_NETWORK_CONTAINER_REGISTRY_NAME:-kind-registry} +CONTAINER_REGISTRY_PORT=${TEST_NETWORK_CONTAINER_REGISTRY_PORT:-5000} +NGINX_HTTP_PORT=${TEST_NETWORK_INGRESS_HTTP_PORT:-80} +NGINX_HTTPS_PORT=${TEST_NETWORK_INGRESS_HTTPS_PORT:-443} +CHAINCODE_NAME=${TEST_NETWORK_CHAINCODE_NAME:-asset-transfer-basic} +CHAINCODE_IMAGE=${TEST_NETWORK_CHAINCODE_IMAGE:-ghcr.io/hyperledgendary/fabric-ccaas-asset-transfer-basic} +CHAINCODE_LABEL=${TEST_NETWORK_CHAINCODE_LABEL:-basic_1.0} + +# todo: more complicated config, as these bleed into the yaml descriptors (sed? kustomize? helm (no)? tkn? ansible?...) or other script locations +FABRIC_CA_VERSION=1.5.2 +TLSADMIN_AUTH=tlsadmin:tlsadminpw +RCAADMIN_AUTH=rcaadmin:rcaadminpw + +function print_help() { + echo todo: help output, parse mode, flags, env, etc. +} + +. scripts/utils.sh +. scripts/prereqs.sh +. scripts/kind.sh +. scripts/fabric_config.sh +. scripts/fabric_CAs.sh +. scripts/test_network.sh +. scripts/channel.sh +. scripts/chaincode.sh +. scripts/rest_sample.sh +. scripts/application_connection.sh + +# check for kind, kubectl, etc. +check_prereqs + +## Parse mode +if [[ $# -lt 1 ]] ; then + print_help + exit 0 +else + MODE=$1 + shift +fi + +# Initialize the logging system - control output to 'network.log' and everything else to 'network-debug.log' +logging_init + +if [ "${MODE}" == "kind" ]; then + log "Initializing KIND cluster \"${CLUSTER_NAME}\":" + kind_init + log "🏁 - Cluster is ready." + +elif [ "${MODE}" == "unkind" ]; then + log "Deleting cluster \"${CLUSTER_NAME}\":" + kind_unkind + log "🏁 - Cluster is gone." + +elif [ "${MODE}" == "up" ]; then + log "Launching network \"${NETWORK_NAME}\":" + network_up + log "🏁 - Network is ready." + +elif [ "${MODE}" == "down" ]; then + log "Shutting down test network \"${NETWORK_NAME}\":" + network_down + log "🏁 - Fabric network is down." + +elif [ "${MODE}" == "channel" ]; then + ACTION=$1 + shift + + if [ "${ACTION}" == "create" ]; then + log "Creating channel \"${CHANNEL_NAME}\":" + channel_up + log "🏁 - Channel is ready." + + else + print_help + exit 1 + fi + +elif [ "${MODE}" == "chaincode" ]; then + ACTION=$1 + shift + + if [ "${ACTION}" == "deploy" ]; then + log "Deploying chaincode \"${CHAINCODE_NAME}\":" + deploy_chaincode + log "🏁 - Chaincode is ready." + + elif [ "${ACTION}" == "install" ]; then + log "Installing chaincode \"${CHAINCODE_NAME}\":" + install_chaincode + log "🏁 - Chaincode is installed with CHAINCODE_ID=${CHAINCODE_ID}" + + elif [ "${ACTION}" == "activate" ]; then + log "Activating chaincode \"${CHAINCODE_NAME}\":" + activate_chaincode + log "🏁 - Chaincode is activated with CHAINCODE_ID=${CHAINCODE_ID}" + + elif [ "${ACTION}" == "invoke" ]; then + invoke_chaincode $@ 2>> ${LOG_FILE} + + elif [ "${ACTION}" == "query" ]; then + query_chaincode $@ >> ${LOG_FILE} + + elif [ "${ACTION}" == "metadata" ]; then + query_chaincode_metadata >> ${LOG_FILE} + else + print_help + exit 1 + fi + +elif [ "${MODE}" == "anchor" ]; then + update_anchor_peers $@ + +elif [ "${MODE}" == "rest-easy" ]; then + log "Launching fabric-rest-sample application:" + launch_rest_sample + log "🏁 - Fabric REST sample is ready." + +elif [ "${MODE}" == "application" ]; then + log "Getting application connection information:" + application_connection + log "🏁 - Output in...xxx" + +else + print_help + exit 1 +fi + diff --git a/test-network-k8s/scripts/application_connection.sh b/test-network-k8s/scripts/application_connection.sh new file mode 100755 index 00000000..3f73dd20 --- /dev/null +++ b/test-network-k8s/scripts/application_connection.sh @@ -0,0 +1,114 @@ +#!/bin/bash +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +function app_extract_MSP_archives() { + mkdir -p build/msp + set -ex + kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp | tar zxf - -C build/msp + + kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp | tar zxf - -C build/msp +} + +function app_one_line_pem { + echo "`awk 'NF {sub(/\\n/, ""); printf "%s\\\\\\\n",$0;}' $1`" +} + +function app_json_ccp { + local ORG=$1 + local PP=$(one_line_pem $2) + local CP=$(one_line_pem $3) + sed -e "s/\${ORG}/$ORG/" \ + -e "s#\${PEERPEM}#$PP#" \ + -e "s#\${CAPEM}#$CP#" \ + scripts/ccp-template.json +} + +function app_id { + local MSP=$1 + local CERT=$(one_line_pem $2) + local PK=$(one_line_pem $3) + + sed -e "s#\${CERTIFICATE}#$CERT#" \ + -e "s#\${PRIVATE_KEY}#$PK#" \ + -e "s#\${MSPID}#$MSP#" \ + scripts/appuser.id.template +} + +function construct_application_configmap() { + push_fn "Constructing application connection profiles" + + app_extract_MSP_archives + + mkdir -p build/application/wallet + mkdir -p build/application/gateways + + local peer_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/org1-tls-ca.pem + local ca_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/cacerts/org1-ecert-ca.pem + + echo "$(json_ccp 1 $peer_pem $ca_pem)" > build/application/gateways/org1_ccp.json + + peer_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/tlscacerts/org2-tls-ca.pem + ca_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/cacerts/org2-ecert-ca.pem + + echo "$(json_ccp 2 $peer_pem $ca_pem)" > build/application/gateways/org2_ccp.json + + local cert=build/msp/organizations/peerOrganizations/org1.example.com/users/Admin\@org1.example.com/msp/signcerts/cert.pem + local pk=build/msp/organizations/peerOrganizations/org1.example.com/users/Admin\@org1.example.com/msp/keystore/server.key + + echo "$(app_id Org1MSP $cert $pk)" > build/application/wallet/appuser_org1.id + + local cert=build/msp/organizations/peerOrganizations/org2.example.com/users/Admin\@org2.example.com/msp/signcerts/cert.pem + local pk=build/msp/organizations/peerOrganizations/org2.example.com/users/Admin\@org2.example.com/msp/keystore/server.key + + echo "$(app_id Org2MSP $cert $pk)" > build/application/wallet/appuser_org2.id + + kubectl -n $NS delete configmap app-fabric-tls-v1-map || log "app-fabric-tls-v1-map not present" + kubectl -n $NS create configmap app-fabric-tls-v1-map --from-file=./build/msp/organizations/peerOrganizations/org1.example.com/msp/tlscacerts + + kubectl -n $NS delete configmap app-fabric-ids-v1-map || log "app-fabric-id-v1-map not present" + kubectl -n $NS create configmap app-fabric-ids-v1-map --from-file=./build/application/wallet + + kubectl -n $NS delete configmap app-fabric-ccp-v1-map || log "app-fabric-id-v1-map not present" + kubectl -n $NS create configmap app-fabric-ccp-v1-map --from-file=./build/application/gateways + +cat < build/app-fabric-org1-v1-map.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: app-fabric-org1-v1-map +data: + fabric_channel: ${CHANNEL_NAME} + fabric_contract: ${CHAINCODE_NAME} + fabric_wallet_dir: /fabric/application/wallet + fabric_gateway_hostport: org1-peer1:7051 + fabric_gateway_sslHostOverride: org1-peer1 + fabric_user: appuser_org1 + fabric_gateway_tlsCertPath: /fabric/tlscacerts/org1-tls-ca.pem +EOF + + kubectl -n $NS apply -f build/app-fabric-org1-v1-map.yaml + + # todo: could add the second org here + + pop_fn +} + + +function application_connection() { + + construct_application_configmap + + log "" + log "Config Maps created for the application" + log "To deploy your application updated the image name and issue these commands" + log "" + log "kubectl -n $NS apply -f kube/application-deployment.yaml" + log "kubectl -n $NS rollout status deploy/application-deployment" + +} \ No newline at end of file diff --git a/test-network-k8s/scripts/appuser.id.template b/test-network-k8s/scripts/appuser.id.template new file mode 100644 index 00000000..1c67576c --- /dev/null +++ b/test-network-k8s/scripts/appuser.id.template @@ -0,0 +1,9 @@ +{ + "credentials": { + "certificate": "${CERTIFICATE}", + "privateKey": "${PRIVATE_KEY}" + }, + "mspId": "${MSPID}", + "type": "X.509", + "version": 1 +} \ No newline at end of file diff --git a/test-network-k8s/scripts/ccp-template.json b/test-network-k8s/scripts/ccp-template.json new file mode 100755 index 00000000..4bd0a26e --- /dev/null +++ b/test-network-k8s/scripts/ccp-template.json @@ -0,0 +1,49 @@ +{ + "name": "test-network-org${ORG}", + "version": "1.0.0", + "client": { + "organization": "Org${ORG}", + "connection": { + "timeout": { + "peer": { + "endorser": "300" + } + } + } + }, + "organizations": { + "Org${ORG}": { + "mspid": "Org${ORG}MSP", + "peers": [ + "org${ORG}-peer1" + ], + "certificateAuthorities": [ + "org${ORG}-ecert-ca" + ] + } + }, + "peers": { + "org${ORG}-peer1": { + "url": "grpcs://org${ORG}-peer1:7051", + "tlsCACerts": { + "pem": "${PEERPEM}" + }, + "grpcOptions": { + "ssl-target-name-override": "org${ORG}-peer1", + "hostnameOverride": "org${ORG}-peer1" + } + } + }, + "certificateAuthorities": { + "org${ORG}-ecert-ca": { + "url": "https://org${ORG}-ecert-ca", + "caName": "org${ORG}-ecert-ca", + "tlsCACerts": { + "pem": ["${CAPEM}"] + }, + "httpOptions": { + "verify": false + } + } + } +} diff --git a/test-network-k8s/scripts/chaincode.sh b/test-network-k8s/scripts/chaincode.sh new file mode 100755 index 00000000..c0fec221 --- /dev/null +++ b/test-network-k8s/scripts/chaincode.sh @@ -0,0 +1,172 @@ +#!/bin/bash +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +function package_chaincode_for() { + local org=$1 + local cc_folder="chaincode/${CHAINCODE_NAME}" + local build_folder="build/chaincode" + local cc_archive="${build_folder}/${CHAINCODE_NAME}.tgz" + push_fn "Packaging chaincode folder ${cc_folder}" + + mkdir -p ${build_folder} + + tar -C ${cc_folder} -zcf ${cc_folder}/code.tar.gz connection.json + tar -C ${cc_folder} -zcf ${cc_archive} code.tar.gz metadata.json + + rm ${cc_folder}/code.tar.gz + + pop_fn +} + +# Copy the chaincode archive from the local host to the org admin +function transfer_chaincode_archive_for() { + local org=$1 + local cc_archive="build/chaincode/${CHAINCODE_NAME}.tgz" + push_fn "Transferring chaincode archive to ${org}" + + # Like kubectl cp, but targeted to a deployment rather than an individual pod. + tar cf - ${cc_archive} | kubectl -n $NS exec -i deploy/${org}-admin-cli -c main -- tar xvf - + + pop_fn +} + +function install_chaincode_for() { + local org=$1 + push_fn "Installing chaincode for org ${org}" + + # Install the chaincode + echo 'set -x + export CORE_PEER_ADDRESS='${org}'-peer1:7051 + peer lifecycle chaincode install build/chaincode/'${CHAINCODE_NAME}'.tgz + ' | exec kubectl -n $NS exec deploy/${org}-admin-cli -c main -i -- /bin/bash + + pop_fn +} + +function launch_chaincode_service() { + local org=$1 + local cc_id=$2 + local cc_image=$3 + push_fn "Launching chaincode container \"${cc_image}\"" + + # The chaincode endpoint needs to have the generated chaincode ID available in the environment. + # This could be from a config map, a secret, or by directly editing the deployment spec. Here we'll keep + # things simple by using sed to substitute script variables into a yaml template. + cat kube/${org}/${org}-cc-template.yaml \ + | sed 's,{{CHAINCODE_NAME}},'${CHAINCODE_NAME}',g' \ + | sed 's,{{CHAINCODE_ID}},'${cc_id}',g' \ + | sed 's,{{CHAINCODE_IMAGE}},'${cc_image}',g' \ + | exec kubectl -n $NS apply -f - + + kubectl -n $NS rollout status deploy/${org}-cc-${CHAINCODE_NAME} + + pop_fn +} + +function activate_chaincode_for() { + local org=$1 + local cc_id=$2 + push_fn "Activating chaincode ${CHAINCODE_ID}" + + echo 'set -x + export CORE_PEER_ADDRESS='${org}'-peer1:7051 + + peer lifecycle \ + chaincode approveformyorg \ + --channelID '${CHANNEL_NAME}' \ + --name '${CHAINCODE_NAME}' \ + --version 1 \ + --package-id '${cc_id}' \ + --sequence 1 \ + -o org0-orderer1:6050 \ + --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem + + peer lifecycle \ + chaincode commit \ + --channelID '${CHANNEL_NAME}' \ + --name '${CHAINCODE_NAME}' \ + --version 1 \ + --sequence 1 \ + -o org0-orderer1:6050 \ + --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem + ' | exec kubectl -n $NS exec deploy/${org}-admin-cli -c main -i -- /bin/bash + + pop_fn +} + +function query_chaincode() { + set -x + # todo: mangle additional $@ parameters with bash escape quotations + echo ' + export CORE_PEER_ADDRESS=org1-peer1:7051 + peer chaincode query -n '${CHAINCODE_NAME}' -C '${CHANNEL_NAME}' -c '"'$@'"' + ' | exec kubectl -n $NS exec deploy/org1-admin-cli -c main -i -- /bin/bash +} + +function query_chaincode_metadata() { + set -x + local args='{"Args":["org.hyperledger.fabric:GetMetadata"]}' + # todo: mangle additional $@ parameters with bash escape quotations + echo ' + export CORE_PEER_ADDRESS=org1-peer1:7051 + peer chaincode query -n '${CHAINCODE_NAME}' -C '${CHANNEL_NAME}' -c '"'$args'"' + ' | exec kubectl -n $NS exec deploy/org1-admin-cli -c main -i -- /bin/bash +} + +function invoke_chaincode() { + # set -x + # todo: mangle additional $@ parameters with bash escape quotations + echo ' + export CORE_PEER_ADDRESS=org1-peer1:7051 + peer chaincode \ + invoke \ + -o org0-orderer1:6050 \ + --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem \ + -n '${CHAINCODE_NAME}' \ + -C '${CHANNEL_NAME}' \ + -c '"'$@'"' + ' | exec kubectl -n $NS exec deploy/org1-admin-cli -c main -i -- /bin/bash + + sleep 2 +} + +# Normally the chaincode ID is emitted by the peer install command. In this case, we'll generate the +# package ID as the sha-256 checksum of the chaincode archive. +function set_chaincode_id() { + local cc_sha256=$(shasum -a 256 build/chaincode/${CHAINCODE_NAME}.tgz | tr -s ' ' | cut -d ' ' -f 1) + + CHAINCODE_ID=${CHAINCODE_LABEL}:${cc_sha256} +} + +# Package and install the chaincode, but do not activate. +function install_chaincode() { + local org=org1 + + package_chaincode_for ${org} + transfer_chaincode_archive_for ${org} + install_chaincode_for ${org} + + set_chaincode_id +} + +# Activate the installed chaincode but do not package/install a new archive. +function activate_chaincode() { + set -x + + set_chaincode_id + activate_chaincode_for org1 $CHAINCODE_ID +} + +# Install, launch, and activate the chaincode +function deploy_chaincode() { + set -x + + install_chaincode + launch_chaincode_service org1 $CHAINCODE_ID $CHAINCODE_IMAGE + activate_chaincode +} + diff --git a/test-network-k8s/scripts/channel.sh b/test-network-k8s/scripts/channel.sh new file mode 100755 index 00000000..f8a79555 --- /dev/null +++ b/test-network-k8s/scripts/channel.sh @@ -0,0 +1,201 @@ +#!/bin/bash +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +function create_channel_org_MSP() { + local org=$1 + local org_type=$2 + local ecert_ca=${org}-ecert-ca + + echo 'set -x + + mkdir -p /var/hyperledger/fabric/organizations/'${org_type}'Organizations/'${org}'.example.com/msp/cacerts + cp \ + $FABRIC_CA_CLIENT_HOME/'${ecert_ca}'/rcaadmin/msp/cacerts/'${ecert_ca}'.pem \ + /var/hyperledger/fabric/organizations/'${org_type}'Organizations/'${org}'.example.com/msp/cacerts + + mkdir -p /var/hyperledger/fabric/organizations/'${org_type}'Organizations/'${org}'.example.com/msp/tlscacerts + cp \ + $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp/cacerts/'${org}'-tls-ca.pem \ + /var/hyperledger/fabric/organizations/'${org_type}'Organizations/'${org}'.example.com/msp/tlscacerts + + echo "NodeOUs: + Enable: true + ClientOUIdentifier: + Certificate: cacerts/'${ecert_ca}'.pem + OrganizationalUnitIdentifier: client + PeerOUIdentifier: + Certificate: cacerts/'${ecert_ca}'.pem + OrganizationalUnitIdentifier: peer + AdminOUIdentifier: + Certificate: cacerts/'${ecert_ca}'.pem + OrganizationalUnitIdentifier: admin + OrdererOUIdentifier: + Certificate: cacerts/'${ecert_ca}'.pem + OrganizationalUnitIdentifier: orderer "> /var/hyperledger/fabric/organizations/'${org_type}'Organizations/'${org}'.example.com/msp/config.yaml + + ' | exec kubectl -n $NS exec deploy/${ecert_ca} -i -- /bin/sh +} + +function create_channel_MSP() { + push_fn "Creating channel MSP" + + create_channel_org_MSP org0 orderer + create_channel_org_MSP org1 peer + create_channel_org_MSP org2 peer + + pop_fn +} + +function aggregate_channel_MSP() { + push_fn "Aggregating channel MSP" + + rm -rf ./build/msp/ + mkdir -p ./build/msp + + kubectl -n $NS exec deploy/org0-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/ordererOrganizations/org0.example.com/msp > build/msp/msp-org0.example.com.tgz + kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp > build/msp/msp-org1.example.com.tgz + kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp > build/msp/msp-org2.example.com.tgz + + kubectl -n $NS delete configmap msp-config || true + kubectl -n $NS create configmap msp-config --from-file=build/msp/ + + pop_fn +} + +function launch_admin_CLIs() { + push_fn "Launching admin CLIs" + + cat kube/org0/org0-admin-cli.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' | kubectl -n $NS apply -f - + cat kube/org1/org1-admin-cli.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' | kubectl -n $NS apply -f - + cat kube/org2/org2-admin-cli.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' | kubectl -n $NS apply -f - + + kubectl -n $NS rollout status deploy/org0-admin-cli + kubectl -n $NS rollout status deploy/org1-admin-cli + kubectl -n $NS rollout status deploy/org2-admin-cli + + pop_fn +} + +function create_genesis_block() { + push_fn "Creating channel \"${CHANNEL_NAME}\"" + + echo 'set -x + configtxgen -profile TwoOrgsApplicationGenesis -channelID '${CHANNEL_NAME}' -outputBlock genesis_block.pb + # configtxgen -inspectBlock genesis_block.pb + + osnadmin channel join --orderer-address org0-orderer1:9443 --channelID '${CHANNEL_NAME}' --config-block genesis_block.pb + osnadmin channel join --orderer-address org0-orderer2:9443 --channelID '${CHANNEL_NAME}' --config-block genesis_block.pb + osnadmin channel join --orderer-address org0-orderer3:9443 --channelID '${CHANNEL_NAME}' --config-block genesis_block.pb + + ' | exec kubectl -n $NS exec deploy/org0-admin-cli -i -- /bin/bash + + # todo: readiness / liveiness equivalent for channel ? Needs a little bit to settle before peers can join. + sleep 10 + + pop_fn +} + +function join_org_peers() { + local org=$1 + push_fn "Joining ${org} peers to channel \"${CHANNEL_NAME}\"" + + echo 'set -x + # Fetch the genesis block from an orderer + peer channel \ + fetch oldest \ + genesis_block.pb \ + -c '${CHANNEL_NAME}' \ + -o org0-orderer1:6050 \ + --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem + + # Join peer1 to the channel. + CORE_PEER_ADDRESS='${org}'-peer1:7051 \ + peer channel \ + join \ + -b genesis_block.pb \ + -o org0-orderer1:6050 \ + --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem + + # Join peer2 to the channel. + CORE_PEER_ADDRESS='${org}'-peer2:7051 \ + peer channel \ + join \ + -b genesis_block.pb \ + -o org0-orderer1:6050 \ + --tls --cafile /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem + + ' | exec kubectl -n $NS exec deploy/${org}-admin-cli -i -- /bin/bash + + pop_fn +} + +function join_peers() { + join_org_peers org1 + join_org_peers org2 +} + +# Copy the scripts/anchor_peers.sh to a remote volume +function push_anchor_peer_script() { + local org=$1 + + tar cf - scripts/ | kubectl -n $NS exec -i -c main deploy/${org}-admin-cli -- tar xf - -C /var/hyperledger/fabric +} + +verify_result() { + if [ $1 -ne 0 ]; then + echo $2 + exit $1 + fi +} + +# Launch the anchor peer update script on a remote org admin CLI +function invoke_anchor_peer_update() { + local org_num=$1 + local peer_name=$2 + + kubectl exec \ + -n $NS \ + -c main \ + deploy/org${org_num}-admin-cli \ + -i \ + /bin/bash -c "/var/hyperledger/fabric/scripts/set_anchor_peer.sh ${org_num} ${CHANNEL_NAME} ${peer_name}" + + verify_result $? "Error updating anchor peer for org ${org_num}" +} + +# +# To update the anchor peers we will need to execute a script on each of the peer admin CLI containers. These +# commands can be individually piped into kubectl exec ... but it will be simpler if we transfer the anchor +# peer update script over to the org volume and then trigger it from kubectl. +# +function update_anchor_peers() { + local peer_name=$1 + push_fn "Updating anchor peers to ${peer_name}" + + push_anchor_peer_script org1 + push_anchor_peer_script org2 + + invoke_anchor_peer_update 1 ${peer_name} + invoke_anchor_peer_update 2 ${peer_name} + + pop_fn +} + +function channel_up() { + + create_channel_MSP + aggregate_channel_MSP + launch_admin_CLIs + + create_genesis_block + join_peers + + # peer1 was set as the anchor peer in configtx.yaml. Setting this again will force an + # error to be returned from the channel up. We might want to render the warning in + # this case to indicate that the call was made but had a nonzero exit. + # update_anchor_peers peer1 +} \ No newline at end of file diff --git a/test-network-k8s/scripts/fabric_CAs.sh b/test-network-k8s/scripts/fabric_CAs.sh new file mode 100755 index 00000000..6ec4708a --- /dev/null +++ b/test-network-k8s/scripts/fabric_CAs.sh @@ -0,0 +1,137 @@ +#!/bin/bash +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +function launch_TLS_CAs() { + push_fn "Launching TLS CAs" + + kubectl -n $NS apply -f kube/org0/org0-tls-ca.yaml + kubectl -n $NS apply -f kube/org1/org1-tls-ca.yaml + kubectl -n $NS apply -f kube/org2/org2-tls-ca.yaml + + kubectl -n $NS rollout status deploy/org0-tls-ca + kubectl -n $NS rollout status deploy/org1-tls-ca + kubectl -n $NS rollout status deploy/org2-tls-ca + + # todo: this papers over a nasty bug whereby the CAs are ready, but sporadically refuse connections after a down / up + sleep 10 + + pop_fn +} + +function launch_ECert_CAs() { + push_fn "Launching ECert CAs" + + kubectl -n $NS apply -f kube/org0/org0-ecert-ca.yaml + kubectl -n $NS apply -f kube/org1/org1-ecert-ca.yaml + kubectl -n $NS apply -f kube/org2/org2-ecert-ca.yaml + + kubectl -n $NS rollout status deploy/org0-ecert-ca + kubectl -n $NS rollout status deploy/org1-ecert-ca + kubectl -n $NS rollout status deploy/org2-ecert-ca + + # todo: this papers over a nasty bug whereby the CAs are ready, but sporadically refuse connections after a down / up + sleep 10 + + pop_fn +} + +# Enroll bootstrap user with TLS CA +# https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-bootstrap-user-with-tls-ca +function enroll_bootstrap_TLS_CA_user() { + local org=$1 + local auth=$2 + local tlsca=${org}-tls-ca + + # todo: get rid of export here - put in yaml + + echo 'set -x + + mkdir -p $FABRIC_CA_CLIENT_HOME/tls-root-cert + cp $FABRIC_CA_SERVER_HOME/ca-cert.pem $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem + + fabric-ca-client enroll \ + --url https://'$auth'@'${tlsca}' \ + --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ + --csr.hosts '${tlsca}' \ + --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp + + ' | exec kubectl -n $NS exec deploy/${tlsca} -i -- /bin/sh +} + +function enroll_bootstrap_TLS_CA_users() { + push_fn "Enrolling bootstrap TLS CA users" + + enroll_bootstrap_TLS_CA_user org0 $TLSADMIN_AUTH + enroll_bootstrap_TLS_CA_user org1 $TLSADMIN_AUTH + enroll_bootstrap_TLS_CA_user org2 $TLSADMIN_AUTH + + pop_fn +} + +function register_enroll_ECert_CA_bootstrap_user() { + local org=$1 + local tlsauth=$2 + local tlsca=${org}-tls-ca + local ecertca=${org}-ecert-ca + + echo 'set -x + + fabric-ca-client register \ + --id.name rcaadmin \ + --id.secret rcaadminpw \ + --url https://'${tlsca}' \ + --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ + --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp + + fabric-ca-client enroll \ + --url https://'${tlsauth}'@'${tlsca}' \ + --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ + --csr.hosts '${ecertca}' \ + --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/rcaadmin/msp + + # Important: the rcaadmin signing certificate is referenced by the ECert CA FABRIC_CA_SERVER_TLS_CERTFILE config attribute. + # For simplicity, reference the key at a fixed, known location + cp $FABRIC_CA_CLIENT_HOME/tls-ca/rcaadmin/msp/keystore/*_sk $FABRIC_CA_CLIENT_HOME/tls-ca/rcaadmin/msp/keystore/key.pem + + ' | exec kubectl -n $NS exec deploy/${tlsca} -i -- /bin/sh +} + +# https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#register-and-enroll-the-organization-ca-bootstrap-identity-with-the-tls-ca +function register_enroll_ECert_CA_bootstrap_users() { + push_fn "Registering and enrolling ECert CA bootstrap users" + + register_enroll_ECert_CA_bootstrap_user org0 $TLSADMIN_AUTH + register_enroll_ECert_CA_bootstrap_user org1 $TLSADMIN_AUTH + register_enroll_ECert_CA_bootstrap_user org2 $TLSADMIN_AUTH + + pop_fn +} + +function enroll_bootstrap_ECert_CA_user() { + local org=$1 + local auth=$2 + local ecert_ca=${org}-ecert-ca + + echo 'set -x + + fabric-ca-client enroll \ + --url https://'${auth}'@'${ecert_ca}' \ + --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ + --mspdir $FABRIC_CA_CLIENT_HOME/'${ecert_ca}'/rcaadmin/msp + + ' | exec kubectl -n $NS exec deploy/${ecert_ca} -i -- /bin/sh +} + +function enroll_bootstrap_ECert_CA_users() { + push_fn "Enrolling bootstrap ECert CA users" + + enroll_bootstrap_ECert_CA_user org0 $RCAADMIN_AUTH + enroll_bootstrap_ECert_CA_user org1 $RCAADMIN_AUTH + enroll_bootstrap_ECert_CA_user org2 $RCAADMIN_AUTH + + pop_fn +} \ No newline at end of file diff --git a/test-network-k8s/scripts/fabric_config.sh b/test-network-k8s/scripts/fabric_config.sh new file mode 100755 index 00000000..03ef9d9e --- /dev/null +++ b/test-network-k8s/scripts/fabric_config.sh @@ -0,0 +1,42 @@ +#!/bin/bash +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +function init_namespace() { + push_fn "Creating namespace \"$NS\"" + + kubectl create namespace $NS || true + + pop_fn +} + +function init_storage_volumes() { + push_fn "Provisioning volume storage" + + kubectl create -f kube/pv-fabric-org0.yaml || true + kubectl create -f kube/pv-fabric-org1.yaml || true + kubectl create -f kube/pv-fabric-org2.yaml || true + + kubectl -n $NS create -f kube/pvc-fabric-org0.yaml || true + kubectl -n $NS create -f kube/pvc-fabric-org1.yaml || true + kubectl -n $NS create -f kube/pvc-fabric-org2.yaml || true + + pop_fn +} + +function load_org_config() { + push_fn "Creating fabric config maps" + + kubectl -n $NS delete configmap org0-config || true + kubectl -n $NS delete configmap org1-config || true + kubectl -n $NS delete configmap org2-config || true + + kubectl -n $NS create configmap org0-config --from-file=config/org0 + kubectl -n $NS create configmap org1-config --from-file=config/org1 + kubectl -n $NS create configmap org2-config --from-file=config/org2 + + pop_fn +} \ No newline at end of file diff --git a/test-network-k8s/scripts/kind.sh b/test-network-k8s/scripts/kind.sh new file mode 100755 index 00000000..1784204d --- /dev/null +++ b/test-network-k8s/scripts/kind.sh @@ -0,0 +1,134 @@ +#!/bin/bash +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +function pull_docker_images() { + push_fn "Pulling docker images for Fabric ${FABRIC_VERSION}" + + docker pull hyperledger/fabric-ca:$FABRIC_CA_VERSION + docker pull hyperledger/fabric-orderer:$FABRIC_VERSION + docker pull hyperledger/fabric-peer:$FABRIC_VERSION + docker pull hyperledger/fabric-tools:$FABRIC_VERSION + + pop_fn +} + +function apply_nginx_ingress() { + push_fn "Launching Nginx ingress controller" + + # This ingress-nginx.yaml was generated 9/24 from https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml + # with modifications for ssl-passthrough required to launch IBP-support with the nginx ingress. + # It may be preferable to always load from the remote mainline? + # kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml + kubectl apply -f kube/ingress-nginx.yaml + + pop_fn +} + +function kind_create() { + push_fn "Creating cluster \"${CLUSTER_NAME}\"" + + # todo: always delete? Maybe return no-op if the cluster already exists? + kind delete cluster --name $CLUSTER_NAME + + local reg_name=${CONTAINER_REGISTRY_NAME} + local reg_port=${CONTAINER_REGISTRY_PORT} + local ingress_http_port=${NGINX_HTTP_PORT} + local ingress_https_port=${NGINX_HTTPS_PORT} + + cat </dev/null || true)" + if [ "${running}" != 'true' ]; then + docker run \ + -d --restart=always -p "127.0.0.1:${reg_port}:5000" --name "${reg_name}" \ + registry:2 + fi + + # connect the registry to the cluster network + # (the network may already be connected) + docker network connect "kind" "${reg_name}" || true + + # Document the local registry + # https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry + cat < /dev/null + if [[ $? -ne 0 ]]; then + echo "No 'docker' binary available? (https://www.docker.com)" + exit 1 + fi + + kind version > /dev/null + if [[ $? -ne 0 ]]; then + echo "No 'kind' binary available? (https://kind.sigs.k8s.io/docs/user/quick-start/#installation)" + exit 1 + fi + + kubectl > /dev/null + if [[ $? -ne 0 ]]; then + echo "No 'kubectl' binary available? (https://kubernetes.io/docs/tasks/tools/)" + exit 1 + fi +} \ No newline at end of file diff --git a/test-network-k8s/scripts/rest_sample.sh b/test-network-k8s/scripts/rest_sample.sh new file mode 100755 index 00000000..fe397164 --- /dev/null +++ b/test-network-k8s/scripts/rest_sample.sh @@ -0,0 +1,91 @@ +#!/bin/bash +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +function extract_MSP_archives() { + mkdir -p build/msp + + kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp | tar zxf - -C build/msp + + kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp | tar zxf - -C build/msp +} + +function one_line_pem { + echo "`awk 'NF {sub(/\\n/, ""); printf "%s\\\\\\\n",$0;}' $1`" +} + +function json_ccp { + local ORG=$1 + local PP=$(one_line_pem $2) + local CP=$(one_line_pem $3) + sed -e "s/\${ORG}/$ORG/" \ + -e "s#\${PEERPEM}#$PP#" \ + -e "s#\${CAPEM}#$CP#" \ + scripts/ccp-template.json +} + +function construct_rest_sample_configmap() { + push_fn "Constructing fabric-rest-sample connection profiles" + + extract_MSP_archives + + mkdir -p build/fabric-rest-sample-config + + local peer_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/org1-tls-ca.pem + local ca_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/cacerts/org1-ecert-ca.pem + + echo "$(json_ccp 1 $peer_pem $ca_pem)" > build/fabric-rest-sample-config/HLF_CONNECTION_PROFILE_ORG1 + + peer_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/tlscacerts/org2-tls-ca.pem + ca_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/cacerts/org2-ecert-ca.pem + + echo "$(json_ccp 2 $peer_pem $ca_pem)" > build/fabric-rest-sample-config/HLF_CONNECTION_PROFILE_ORG2 + + cat build/msp/organizations/peerOrganizations/org1.example.com/users/Admin\@org1.example.com/msp/signcerts/cert.pem > build/fabric-rest-sample-config/HLF_CERTIFICATE_ORG1 + cat build/msp/organizations/peerOrganizations/org2.example.com/users/Admin\@org2.example.com/msp/signcerts/cert.pem > build/fabric-rest-sample-config/HLF_CERTIFICATE_ORG2 + + cat build/msp/organizations/peerOrganizations/org1.example.com/users/Admin\@org1.example.com/msp/keystore/server.key > build/fabric-rest-sample-config/HLF_PRIVATE_KEY_ORG1 + cat build/msp/organizations/peerOrganizations/org2.example.com/users/Admin\@org2.example.com/msp/keystore/server.key > build/fabric-rest-sample-config/HLF_PRIVATE_KEY_ORG2 + + kubectl -n $NS delete configmap fabric-rest-sample-config || true + kubectl -n $NS create configmap fabric-rest-sample-config --from-file=build/fabric-rest-sample-config/ + + pop_fn +} + +# todo: Make sure to port this to IKS / ICP +function ensure_rest_sample_image() { + push_fn "Ensuring fabric-rest-sample image" + + # todo: apply a tag / label to avoid pulling :latest from ghcr.io + + pop_fn 0 +} + +function rollout_rest_sample() { + push_fn "Starting fabric-rest-sample" + + kubectl -n $NS apply -f kube/fabric-rest-sample.yaml + kubectl -n $NS rollout status deploy/fabric-rest-sample + + pop_fn +} + +function launch_rest_sample() { + ensure_rest_sample_image + construct_rest_sample_configmap + rollout_rest_sample + + log "" + log "The fabric-rest-sample has started. See https://github.com/hyperledgendary/fabric-rest-sample/tree/main/asset-transfer-basic/rest-api-typescript#rest-api for additional usage." + log "To access the endpoint:" + log "" + log "export SAMPLE_APIKEY=97834158-3224-4CE7-95F9-A148C886653E" + log 'curl -s --header "X-Api-Key: ${SAMPLE_APIKEY}" http://localhost/api/assets' + log "" +} \ No newline at end of file diff --git a/test-network-k8s/scripts/set_anchor_peer.sh b/test-network-k8s/scripts/set_anchor_peer.sh new file mode 100755 index 00000000..59551f5e --- /dev/null +++ b/test-network-k8s/scripts/set_anchor_peer.sh @@ -0,0 +1,110 @@ +#!/bin/bash +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +function fetch_channel_config() { + local output=$1 + + echo "Fetching the most recent configuration block for channel ${CHANNEL_NAME}" + peer channel \ + fetch config config_block.pb \ + -o org0-orderer1:6050 \ + -c ${CHANNEL_NAME} \ + --tls --cafile ${ORDERER_TLS_CA_FILE} + + echo "Decoding config block to JSON and isolating config to ${output}" + configtxlator proto_decode \ + --input config_block.pb \ + --type common.Block \ + | jq .data.data[0].payload.data.config > ${output} +} + +verify_result() { + if [ $1 -ne 0 ]; then + echo $2 + exit $1 + fi +} + +function create_config_update() { + local original=$1 + local modified=$2 + local output=$3 + + configtxlator proto_encode --input "${original}" --type common.Config > original_config.pb + configtxlator proto_encode --input "${modified}" --type common.Config > modified_config.pb + + # returns non-zero if no updates were detected between current and new config + configtxlator compute_update --channel_id "${CHANNEL_NAME}" --original original_config.pb --updated modified_config.pb > config_update.pb + if [ $? -ne 0 ]; then + echo "Anchor peer has already been set to ${ANCHOR_PEER_HOST}:${ANCHOR_PEER_PORT} - no update required." + return 1 + fi + + configtxlator proto_decode --input config_update.pb --type common.ConfigUpdate > config_update.json + echo '{"payload":{"header":{"channel_header":{"channel_id":"'${CHANNEL_NAME}'", "type":2}},"data":{"config_update":'$(cat config_update.json)'}}}' | jq . > config_update_in_envelope.json + configtxlator proto_encode --input config_update_in_envelope.json --type common.Envelope > ${output} + + return 0 +} + +function create_anchor_peer_update() { + echo "Generating anchor peer update transaction for Org${ORG_NUM} on channel ${CHANNEL_NAME}" + fetch_channel_config config.json + + set -x + # Modify the configuration to append the anchor peer + jq '.channel_group.groups.Application.groups.'${CORE_PEER_LOCALMSPID}'.values += {"AnchorPeers":{"mod_policy": "Admins","value":{"anchor_peers": [{"host": "'${ANCHOR_PEER_HOST}'","port": '${ANCHOR_PEER_PORT}'}]},"version": "0"}}' config.json > modified_config.json + { set +x; } 2>/dev/null + + # Compute a config update, based on the differences between + # config.json and modified_config.json, write + # it as a transaction to anchors.tx + create_config_update config.json modified_config.json anchors.tx + return $? +} + +function update_anchor_peer() { + peer channel \ + update -f anchors.tx \ + -o org0-orderer1:6050 \ + -c ${CHANNEL_NAME} \ + --tls --cafile ${ORDERER_TLS_CA_FILE} >& log.txt + + res=$? + cat log.txt + + verify_result $res "Anchor peer update failed" + + echo "Anchor peer set for org ${ORG_NAME} on channel ${CHANNEL_NAME} to ${ANCHOR_PEER_HOST}:${ANCHOR_PEER_PORT}" +} + +function set_anchor_peer() { + echo "Updating org ${ORG_NUM} anchor peer for channel ${CHANNEL_NAME} to ${ANCHOR_PEER_HOST}:${ANCHOR_PEER_PORT}" + + create_anchor_peer_update + res=$? + + if [ $res -eq 0 ]; then + update_anchor_peer + fi +} + +set -x + +ORG_NUM=$1 +CHANNEL_NAME=$2 +PEER_NAME=$3 +ORG_NAME="org${ORG_NUM}" +ANCHOR_PEER_HOST=${ORG_NAME}-${PEER_NAME} +ANCHOR_PEER_PORT=7051 +ORDERER_TLS_CA_FILE=/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/msp/tlscacerts/org0-tls-ca.pem + +export CORE_PEER_LOCALMSPID="Org${ORG_NUM}MSP" + +set_anchor_peer + +{ set +x; } 2>/dev/null diff --git a/test-network-k8s/scripts/test_network.sh b/test-network-k8s/scripts/test_network.sh new file mode 100755 index 00000000..a0a0c87a --- /dev/null +++ b/test-network-k8s/scripts/test_network.sh @@ -0,0 +1,259 @@ +#!/bin/bash +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +# todo: oof this is rough. + + +function launch() { + local yaml=$1 + cat ${yaml} | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' | kubectl -n $NS apply -f - +} + +function launch_orderers() { + push_fn "Launching orderers" + + launch kube/org0/org0-orderer1.yaml + launch kube/org0/org0-orderer2.yaml + launch kube/org0/org0-orderer3.yaml + + kubectl -n $NS rollout status deploy/org0-orderer1 + kubectl -n $NS rollout status deploy/org0-orderer2 + kubectl -n $NS rollout status deploy/org0-orderer3 + + pop_fn +} + +function launch_peers() { + push_fn "Launching peers" + + launch kube/org1/org1-peer1.yaml + launch kube/org1/org1-peer2.yaml + launch kube/org2/org2-peer1.yaml + launch kube/org2/org2-peer2.yaml + + kubectl -n $NS rollout status deploy/org1-peer1 + kubectl -n $NS rollout status deploy/org1-peer2 + kubectl -n $NS rollout status deploy/org2-peer1 + kubectl -n $NS rollout status deploy/org2-peer2 + + pop_fn +} + +function create_org0_local_MSP() { + echo 'set -x + export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client + export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem + + # Each identity in the network needs a registration and enrollment. + fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp + fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp + fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp + fabric-ca-client register --id.name org0-admin --id.secret org0adminpw --id.type admin --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" + + fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-ecert-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp + fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-ecert-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp + fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-ecert-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp + fabric-ca-client enroll --url https://org0-admin:org0adminpw@org0-ecert-ca --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/users/Admin@org0.example.com/msp + + # Each node in the network needs a TLS registration and enrollment. + fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp + fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp + fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp + + fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-tls-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls + fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-tls-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls + fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-tls-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls + + # Copy the TLS signing keys to a fixed path for convenience when starting the orderers. + cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/server.key + cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/server.key + cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/server.key + + # Create an MSP config.yaml (why is this not generated by the enrollment by fabric-ca-client?) + echo "NodeOUs: + Enable: true + ClientOUIdentifier: + Certificate: cacerts/org0-ecert-ca.pem + OrganizationalUnitIdentifier: client + PeerOUIdentifier: + Certificate: cacerts/org0-ecert-ca.pem + OrganizationalUnitIdentifier: peer + AdminOUIdentifier: + Certificate: cacerts/org0-ecert-ca.pem + OrganizationalUnitIdentifier: admin + OrdererOUIdentifier: + Certificate: cacerts/org0-ecert-ca.pem + OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml + + cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp/config.yaml + cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp/config.yaml + ' | exec kubectl -n $NS exec deploy/org0-ecert-ca -i -- /bin/sh +} + +function create_org1_local_MSP() { + + echo 'set -x + export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client + export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem + + # Each identity in the network needs a registration and enrollment. + fabric-ca-client register --id.name org1-peer1 --id.secret peerpw --id.type peer --url https://org1-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ecert-ca/rcaadmin/msp + fabric-ca-client register --id.name org1-peer2 --id.secret peerpw --id.type peer --url https://org1-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ecert-ca/rcaadmin/msp + fabric-ca-client register --id.name org1-admin --id.secret org1adminpw --id.type admin --url https://org1-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ecert-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" + + fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-ecert-ca --csr.hosts org1-peer1 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp + fabric-ca-client enroll --url https://org1-peer2:peerpw@org1-ecert-ca --csr.hosts org1-peer2 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/msp + fabric-ca-client enroll --url https://org1-admin:org1adminpw@org1-ecert-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp + + # Each node in the network needs a TLS registration and enrollment. + fabric-ca-client register --id.name org1-peer1 --id.secret peerpw --id.type peer --url https://org1-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp + fabric-ca-client register --id.name org1-peer2 --id.secret peerpw --id.type peer --url https://org1-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp + + fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-tls-ca --csr.hosts org1-peer1 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls + fabric-ca-client enroll --url https://org1-peer2:peerpw@org1-tls-ca --csr.hosts org1-peer2 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls + + # Copy the TLS signing keys to a fixed path for convenience when launching the peers + cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/keystore/server.key + cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/keystore/server.key + + cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/server.key + + # Create local MSP config.yaml + echo "NodeOUs: + Enable: true + ClientOUIdentifier: + Certificate: cacerts/org1-ecert-ca.pem + OrganizationalUnitIdentifier: client + PeerOUIdentifier: + Certificate: cacerts/org1-ecert-ca.pem + OrganizationalUnitIdentifier: peer + AdminOUIdentifier: + Certificate: cacerts/org1-ecert-ca.pem + OrganizationalUnitIdentifier: admin + OrdererOUIdentifier: + Certificate: cacerts/org1-ecert-ca.pem + OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp/config.yaml + + + cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/msp/config.yaml + cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/config.yaml + ' | exec kubectl -n $NS exec deploy/org1-ecert-ca -i -- /bin/sh + +} + +function create_org2_local_MSP() { + echo 'set -x + export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client + export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem + + # Each identity in the network needs a registration and enrollment. + fabric-ca-client register --id.name org2-peer1 --id.secret peerpw --id.type peer --url https://org2-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ecert-ca/rcaadmin/msp + fabric-ca-client register --id.name org2-peer2 --id.secret peerpw --id.type peer --url https://org2-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ecert-ca/rcaadmin/msp + fabric-ca-client register --id.name org2-admin --id.secret org2adminpw --id.type admin --url https://org2-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ecert-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" + + fabric-ca-client enroll --url https://org2-peer1:peerpw@org2-ecert-ca --csr.hosts org2-peer1 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp + fabric-ca-client enroll --url https://org2-peer2:peerpw@org2-ecert-ca --csr.hosts org2-peer2 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/msp + fabric-ca-client enroll --url https://org2-admin:org2adminpw@org2-ecert-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp + + # Each node in the network needs a TLS registration and enrollment. + fabric-ca-client register --id.name org2-peer1 --id.secret peerpw --id.type peer --url https://org2-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp + fabric-ca-client register --id.name org2-peer2 --id.secret peerpw --id.type peer --url https://org2-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp + + fabric-ca-client enroll --url https://org2-peer1:peerpw@org2-tls-ca --csr.hosts org2-peer1 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls + fabric-ca-client enroll --url https://org2-peer2:peerpw@org2-tls-ca --csr.hosts org2-peer2 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls + + # Copy the TLS signing keys to a fixed path for convenience when launching the peers + cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/keystore/server.key + cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/keystore/server.key + + cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/server.key + + # Create local MSP config.yaml + echo "NodeOUs: + Enable: true + ClientOUIdentifier: + Certificate: cacerts/org2-ecert-ca.pem + OrganizationalUnitIdentifier: client + PeerOUIdentifier: + Certificate: cacerts/org2-ecert-ca.pem + OrganizationalUnitIdentifier: peer + AdminOUIdentifier: + Certificate: cacerts/org2-ecert-ca.pem + OrganizationalUnitIdentifier: admin + OrdererOUIdentifier: + Certificate: cacerts/org2-ecert-ca.pem + OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp/config.yaml + + cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/msp/config.yaml + cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/config.yaml + ' | exec kubectl -n $NS exec deploy/org2-ecert-ca -i -- /bin/sh +} + +function create_local_MSP() { + push_fn "Creating local node MSP" + + create_org0_local_MSP + create_org1_local_MSP + create_org2_local_MSP + + pop_fn +} + +function network_up() { + + # Kube config + init_namespace + init_storage_volumes + load_org_config + + # Network TLS CAs + launch_TLS_CAs + enroll_bootstrap_TLS_CA_users + + # Network ECert CAs + register_enroll_ECert_CA_bootstrap_users + launch_ECert_CAs + enroll_bootstrap_ECert_CA_users + + # Test Network + create_local_MSP + launch_orderers + launch_peers +} + +function stop_services() { + push_fn "Stopping Fabric services" + + # These pods are busy executing `sleep MAX_INT` and do not shut down very quickly... +# kubectl -n $NS delete deployment/org0-admin-cli --grace-period=0 --force +# kubectl -n $NS delete deployment/org1-admin-cli --grace-period=0 --force +# kubectl -n $NS delete deployment/org2-admin-cli --grace-period=0 --force + + kubectl -n $NS delete deployment --all + kubectl -n $NS delete pod --all + kubectl -n $NS delete service --all + kubectl -n $NS delete configmap --all + kubectl -n $NS delete secret --all + + pop_fn +} + +function scrub_org_volumes() { + push_fn "Scrubbing Fabric volumes" + + # scrub all pv contents + kubectl -n $NS create -f kube/job-scrub-fabric-volumes.yaml + kubectl -n $NS wait --for=condition=complete --timeout=60s job/job-scrub-fabric-volumes + kubectl -n $NS delete jobs --all + + pop_fn +} + +function network_down() { + stop_services + scrub_org_volumes +} \ No newline at end of file diff --git a/test-network-k8s/scripts/utils.sh b/test-network-k8s/scripts/utils.sh new file mode 100644 index 00000000..a1631aa4 --- /dev/null +++ b/test-network-k8s/scripts/utils.sh @@ -0,0 +1,66 @@ +#!/bin/bash +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +function logging_init() { + # Reset the output and debug log files + printf '' > ${LOG_FILE} > ${DEBUG_FILE} + + # Write all output to the control flow log to STDOUT + tail -f ${LOG_FILE} & + + # Call the exit handler when we exit. + trap "exit_fn" EXIT + + # Send stdout and stderr from child programs to the debug log file + exec 1>>${DEBUG_FILE} 2>>${DEBUG_FILE} +} + +function exit_fn() { + rc=$? + + # Write an error icon to the current logging statement. + if [ "0" -ne $rc ]; then + pop_fn $rc + fi + + # always remove the log trailer when the process exits. + pkill -P $$ +} + +function push_fn() { + #echo -ne " - entering ${FUNCNAME[1]} with arguments $@" + + echo -ne " - $@ ..." >> ${LOG_FILE} +} + +function log() { + echo -e $@ >> ${LOG_FILE} +} + +function pop_fn() { +# echo exiting ${FUNCNAME[1]} + + local res=$1 + if [ $# -eq 0 ]; then + echo -ne "\rβœ…" >> ${LOG_FILE} + + elif [ $res -eq 0 ]; then + echo -ne "\rβœ…" >> ${LOG_FILE} + + elif [ $res -eq 1 ]; then + echo -ne "\r⚠️" >> ${LOG_FILE} + + elif [ $res -eq 2 ]; then + echo -ne "\r☠️" >> ${LOG_FILE} + + else + echo -ne "\r" >> ${LOG_FILE} + fi + + echo "" >> ${LOG_FILE} +} +