diff --git a/test-network-k8s/README.md b/test-network-k8s/README.md index 94d2103e..6656d8e1 100644 --- a/test-network-k8s/README.md +++ b/test-network-k8s/README.md @@ -71,8 +71,8 @@ Tear down the cluster: ## Areas for Improvement / TODOs +- [ ] Refine the recipe and guidelines for use with `k3s` / `nerdctl` (rancherdesktop.io) as an alternative to Docker / KIND. - [ ] Test the recipe with OCP, AWS, gcp, Azure, etc. (These should ONLY differ w.r.t. pvc and ingress) -- [ ] Implement @celder mechanism for bootstrapping dual-headed CAs w/o poisoning the root CA on expiry. - [ ] Address any of the 20+ todo: notes in network.sh - [ ] Implement mutual TLS across peers, orderers, and clients. - [ ] Caliper? diff --git a/test-network-k8s/config/org0/fabric-ecert-ca-server-config.yaml b/test-network-k8s/config/org0/fabric-ca-server-config.yaml similarity index 99% rename from test-network-k8s/config/org0/fabric-ecert-ca-server-config.yaml rename to test-network-k8s/config/org0/fabric-ca-server-config.yaml index eff91c34..d2c5fd9b 100644 --- a/test-network-k8s/config/org0/fabric-ecert-ca-server-config.yaml +++ b/test-network-k8s/config/org0/fabric-ca-server-config.yaml @@ -86,7 +86,7 @@ tls: ############################################################################# ca: # Name of this CA - name: org0-ecert-ca + name: org0-ca # Key file (is only used to import a private key into BCCSP) keyfile: # Certificate file (default: ca-cert.pem) @@ -320,8 +320,8 @@ csr: hosts: - localhost - 127.0.0.1 - - org0-ecert-ca - - org0-ecert-ca.test-network.svc.cluster.local + - org0-ca + - org0-ca.test-network.svc.cluster.local ca: expiry: 131400h pathlength: 1 diff --git a/test-network-k8s/config/org0/fabric-tls-ca-server-config.yaml b/test-network-k8s/config/org0/fabric-tls-ca-server-config.yaml deleted file mode 100644 index b574e72b..00000000 --- a/test-network-k8s/config/org0/fabric-tls-ca-server-config.yaml +++ /dev/null 
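Review bot: With `name: org0-ca` replacing `org0-ecert-ca` while the org0 TLS CA config is deleted in the same commit, this one CA now presumably issues both MSP enrollment certificates and TLS certificates, whereas Fabric's deployment guidance keeps the TLS CA separate so that a TLS key compromise or rotation never touches the identity-issuing root. Nothing in the renamed file records that trade-off, and the README TODO about bootstrapping dual-headed CAs without poisoning the root CA on expiry is dropped rather than resolved. Suggest a comment above the `ca:` block, e.g. `# NOTE: this CA issues both enrollment (ecert) and TLS certificates for org0 in this test network; production deployments should run a separate TLS CA (see the fabric-ca deployment guide).` The `csr.hosts` entries correctly track the new service name, but any remaining references to `org0-ecert-ca` / `org0-tls-ca` in network.sh or the Kubernetes manifests are outside this diff and should be checked as well.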
@@ -1,496 +0,0 @@ -############################################################################# -# This is a configuration file for the fabric-ca-server command. -# -# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES -# ------------------------------------------------ -# Each configuration element can be overridden via command line -# arguments or environment variables. The precedence for determining -# the value of each element is as follows: -# 1) command line argument -# Examples: -# a) --port 443 -# To set the listening port -# b) --ca.keyfile ../mykey.pem -# To set the "keyfile" element in the "ca" section below; -# note the '.' separator character. -# 2) environment variable -# Examples: -# a) FABRIC_CA_SERVER_PORT=443 -# To set the listening port -# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" -# To set the "keyfile" element in the "ca" section below; -# note the '_' separator character. -# 3) configuration file -# 4) default value (if there is one) -# All default values are shown beside each element below. -# -# FILE NAME ELEMENTS -# ------------------ -# The value of all fields whose name ends with "file" or "files" are -# name or names of other files. -# For example, see "tls.certfile" and "tls.clientauth.certfiles". -# The value of each of these fields can be a simple filename, a -# relative path, or an absolute path. If the value is not an -# absolute path, it is interpretted as being relative to the location -# of this configuration file. 
-# -############################################################################# - -# Version of config file -version: 1.5.2 - -# Server's listening port (default: 7054) -port: 443 - -# Cross-Origin Resource Sharing (CORS) -cors: - enabled: false - origins: - - "*" - -# Enables debug logging (default: false) -debug: false - -# Size limit of an acceptable CRL in bytes (default: 512000) -crlsizelimit: 512000 - -############################################################################# -# TLS section for the server's listening port -# -# The following types are supported for client authentication: NoClientCert, -# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, -# and RequireAndVerifyClientCert. -# -# Certfiles is a list of root certificate authorities that the server uses -# when verifying client certificates. -############################################################################# -tls: - # Enable TLS (default: false) - enabled: true - # TLS for the server's listening port - certfile: - keyfile: - clientauth: - type: noclientcert - certfiles: - -############################################################################# -# The CA section contains information related to the Certificate Authority -# including the name of the CA, which should be unique for all members -# of a blockchain network. It also includes the key and certificate files -# used when issuing enrollment certificates (ECerts) and transaction -# certificates (TCerts). -# The chainfile (if it exists) contains the certificate chain which -# should be trusted for this CA, where the 1st in the chain is always the -# root CA certificate. 
-############################################################################# -ca: - # Name of this CA - name: org0-tls-ca - # Key file (is only used to import a private key into BCCSP) - keyfile: - # Certificate file (default: ca-cert.pem) - certfile: - # Chain file - chainfile: - -############################################################################# -# The gencrl REST endpoint is used to generate a CRL that contains revoked -# certificates. This section contains configuration options that are used -# during gencrl request processing. -############################################################################# -crl: - # Specifies expiration for the generated CRL. The number of hours - # specified by this property is added to the UTC time, the resulting time - # is used to set the 'Next Update' date of the CRL. - expiry: 24h - -############################################################################# -# The registry section controls how the fabric-ca-server does two things: -# 1) authenticates enrollment requests which contain a username and password -# (also known as an enrollment ID and secret). -# 2) once authenticated, retrieves the identity's attribute names and -# values which the fabric-ca-server optionally puts into TCerts -# which it issues for transacting on the Hyperledger Fabric blockchain. -# These attributes are useful for making access control decisions in -# chaincode. -# There are two main configuration options: -# 1) The fabric-ca-server is the registry. -# This is true if "ldap.enabled" in the ldap section below is false. -# 2) An LDAP server is the registry, in which case the fabric-ca-server -# calls the LDAP server to perform these tasks. -# This is true if "ldap.enabled" in the ldap section below is true, -# which means this "registry" section is ignored. 
-############################################################################# -registry: - # Maximum number of times a password/secret can be reused for enrollment - # (default: -1, which means there is no limit) - maxenrollments: -1 - - # Contains identity information which is used when LDAP is disabled - identities: - - name: tlsadmin - pass: tlsadminpw - type: client - affiliation: "" - attrs: - hf.Registrar.Roles: "*" - hf.Registrar.DelegateRoles: "*" - hf.Revoker: true - hf.IntermediateCA: true - hf.GenCRL: true - hf.Registrar.Attributes: "*" - hf.AffiliationMgr: true - -############################################################################# -# Database section -# Supported types are: "sqlite3", "postgres", and "mysql". -# The datasource value depends on the type. -# If the type is "sqlite3", the datasource value is a file name to use -# as the database store. Since "sqlite3" is an embedded database, it -# may not be used if you want to run the fabric-ca-server in a cluster. -# To run the fabric-ca-server in a cluster, you must choose "postgres" -# or "mysql". -############################################################################# -db: - type: sqlite3 - datasource: fabric-ca-server.db - tls: - enabled: false - certfiles: - client: - certfile: - keyfile: - -############################################################################# -# LDAP section -# If LDAP is enabled, the fabric-ca-server calls LDAP to: -# 1) authenticate enrollment ID and secret (i.e. username and password) -# for enrollment requests; -# 2) To retrieve identity attributes -############################################################################# -ldap: - # Enables or disables the LDAP client (default: false) - # If this is set to true, the "registry" section is ignored. 
- enabled: false - # The URL of the LDAP server - url: ldap://:@:/ - # TLS configuration for the client connection to the LDAP server - tls: - certfiles: - client: - certfile: - keyfile: - # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes - attribute: - # 'names' is an array of strings containing the LDAP attribute names which are - # requested from the LDAP server for an LDAP identity's entry - names: ['uid','member'] - # The 'converters' section is used to convert an LDAP entry to the value of - # a fabric CA attribute. - # For example, the following converts an LDAP 'uid' attribute - # whose value begins with 'revoker' to a fabric CA attribute - # named "hf.Revoker" with a value of "true" (because the boolean expression - # evaluates to true). - # converters: - # - name: hf.Revoker - # value: attr("uid") =~ "revoker*" - converters: - - name: - value: - # The 'maps' section contains named maps which may be referenced by the 'map' - # function in the 'converters' section to map LDAP responses to arbitrary values. - # For example, assume a user has an LDAP attribute named 'member' which has multiple - # values which are each a distinguished name (i.e. a DN). For simplicity, assume the - # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. - # Further assume the following configuration. - # converters: - # - name: hf.Registrar.Roles - # value: map(attr("member"),"groups") - # maps: - # groups: - # - name: dn1 - # value: peer - # - name: dn2 - # value: client - # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be - # "peer,client,dn3". This is because the value of 'attr("member")' is - # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of - # "group" replaces "dn1" with "peer" and "dn2" with "client". - maps: - groups: - - name: - value: - -############################################################################# -# Affiliations section. 
Fabric CA server can be bootstrapped with the -# affiliations specified in this section. Affiliations are specified as maps. -# For example: -# businessunit1: -# department1: -# - team1 -# businessunit2: -# - department2 -# - department3 -# -# Affiliations are hierarchical in nature. In the above example, -# department1 (used as businessunit1.department1) is the child of businessunit1. -# team1 (used as businessunit1.department1.team1) is the child of department1. -# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) -# are children of businessunit2. -# Note: Affiliations are case sensitive except for the non-leaf affiliations -# (like businessunit1, department1, businessunit2) that are specified in the configuration file, -# which are always stored in lower case. -############################################################################# -affiliations: - org1: - - department1 - - department2 - org2: - - department1 - -############################################################################# -# Signing section -# -# The "default" subsection is used to sign enrollment certificates; -# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. -# -# The "ca" profile subsection is used to sign intermediate CA certificates; -# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. -# Note that "isca" is true, meaning that it issues a CA certificate. -# A maxpathlen of 0 means that the intermediate CA cannot issue other -# intermediate CA certificates, though it can still issue end entity certificates. -# (See RFC 5280, section 4.2.1.9) -# -# The "tls" profile subsection is used to sign TLS certificate requests; -# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. 
-############################################################################# -signing: - default: - authremote: {} - caconstraint: {} - expiry: 8760h - usage: - - signing - - key encipherment - - server auth - - client auth - - key agreement - profiles: null - -########################################################################### -# Certificate Signing Request (CSR) section. -# This controls the creation of the root CA certificate. -# The expiration for the root CA certificate is configured with the -# "ca.expiry" field below, whose default value is "131400h" which is -# 15 years in hours. -# The pathlength field is used to limit CA certificate hierarchy as described -# in section 4.2.1.9 of RFC 5280. -# Examples: -# 1) No pathlength value means no limit is requested. -# 2) pathlength == 1 means a limit of 1 is requested which is the default for -# a root CA. This means the root CA can issue intermediate CA certificates, -# but these intermediate CAs may not in turn issue other CA certificates -# though they can still issue end entity certificates. -# 3) pathlength == 0 means a limit of 0 is requested; -# this is the default for an intermediate CA, which means it can not issue -# CA certificates though it can still issue end entity certificates. -########################################################################### -csr: - cn: fabric-ca-server - keyrequest: - algo: ecdsa - size: 256 - names: - - C: US - ST: "North Carolina" - L: - O: Hyperledger - OU: Fabric - hosts: - - localhost - - 127.0.0.1 - - org0-tls-ca - - org0-tls-ca.test-network.svc.cluster.local - ca: - expiry: 131400h - pathlength: 1 - -########################################################################### -# Each CA can issue both X509 enrollment certificate as well as Idemix -# Credential. This section specifies configuration for the issuer component -# that is responsible for issuing Idemix credentials. 
-########################################################################### -idemix: - # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an - # Idemix credential. The issuer will create a pool revocation handles of this specified size. When - # a credential is requested, issuer will get handle from the pool and assign it to the credential. - # Issuer will repopulate the pool with new handles when the last handle in the pool is used. - # A revocation handle and credential revocation information (CRI) are used to create non revocation proof - # by the prover to prove to the verifier that her credential is not revoked. - rhpoolsize: 1000 - - # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer - # and second step is send credential request that is constructed using the nonce to the isuser to - # request a credential. This configuration property specifies expiration for the nonces. By default is - # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration). - nonceexpiration: 15s - - # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes. - # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration) - noncesweepinterval: 15m - -############################################################################# -# BCCSP (BlockChain Crypto Service Provider) section is used to select which -# crypto library implementation to use -############################################################################# -bccsp: - default: SW - sw: - hash: SHA2 - security: 256 - filekeystore: - # The directory used for the software file-based keystore - keystore: msp/keystore - -############################################################################# -# Multi CA section -# -# Each Fabric CA server contains one CA by default. 
This section is used -# to configure multiple CAs in a single server. -# -# 1) --cacount -# Automatically generate non-default CAs. The names of these -# additional CAs are "ca1", "ca2", ... "caN", where "N" is -# This is particularly useful in a development environment to quickly set up -# multiple CAs. Note that, this config option is not applicable to intermediate CA server -# i.e., Fabric CA server that is started with intermediate.parentserver.url config -# option (-u command line option) -# -# 2) --cafiles -# For each CA config file in the list, generate a separate signing CA. Each CA -# config file in this list MAY contain all of the same elements as are found in -# the server config file except port, debug, and tls sections. -# -# Examples: -# fabric-ca-server start -b admin:adminpw --cacount 2 -# -# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml -# --cafiles ca/ca2/fabric-ca-server-config.yaml -# -############################################################################# - -cacount: - -cafiles: - -############################################################################# -# Intermediate CA section -# -# The relationship between servers and CAs is as follows: -# 1) A single server process may contain or function as one or more CAs. -# This is configured by the "Multi CA section" above. -# 2) Each CA is either a root CA or an intermediate CA. -# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. -# -# This section pertains to configuration of #2 and #3. -# If the "intermediate.parentserver.url" property is set, -# then this is an intermediate CA with the specified parent -# CA. 
-# -# parentserver section -# url - The URL of the parent server -# caname - Name of the CA to enroll within the server -# -# enrollment section used to enroll intermediate CA with parent CA -# profile - Name of the signing profile to use in issuing the certificate -# label - Label to use in HSM operations -# -# tls section for secure socket connection -# certfiles - PEM-encoded list of trusted root certificate files -# client: -# certfile - PEM-encoded certificate file for when client authentication -# is enabled on server -# keyfile - PEM-encoded key file for when client authentication -# is enabled on server -############################################################################# -intermediate: - parentserver: - url: - caname: - - enrollment: - hosts: - profile: - label: - - tls: - certfiles: - client: - certfile: - keyfile: - -############################################################################# -# CA configuration section -# -# Configure the number of incorrect password attempts are allowed for -# identities. By default, the value of 'passwordattempts' is 10, which -# means that 10 incorrect password attempts can be made before an identity get -# locked out. 
-############################################################################# -cfg: - identities: - passwordattempts: 10 - -############################################################################### -# -# Operations section -# -############################################################################### -operations: - # host and port for the operations server - listenAddress: 127.0.0.1:9444 - - # TLS configuration for the operations endpoint - tls: - # TLS enabled - enabled: false - - # path to PEM encoded server certificate for the operations server - cert: - file: - - # path to PEM encoded server key for the operations server - key: - file: - - # require client certificate authentication to access all resources - clientAuthRequired: false - - # paths to PEM encoded ca certificates to trust for client authentication - clientRootCAs: - files: [] - -############################################################################### -# -# Metrics section -# -############################################################################### -metrics: - # statsd, prometheus, or disabled - provider: disabled - - # statsd configuration - statsd: - # network type: tcp or udp - network: udp - - # statsd server address - address: 127.0.0.1:8125 - - # the interval at which locally cached counters and gauges are pushsed - # to statsd; timings are pushed immediately - writeInterval: 10s - - # prefix is prepended to all emitted statsd merics - prefix: server diff --git a/test-network-k8s/config/org2/fabric-ecert-ca-server-config.yaml b/test-network-k8s/config/org1/fabric-ca-server-config.yaml similarity index 99% rename from test-network-k8s/config/org2/fabric-ecert-ca-server-config.yaml rename to test-network-k8s/config/org1/fabric-ca-server-config.yaml index 23732ff8..ccce6f91 100644 --- a/test-network-k8s/config/org2/fabric-ecert-ca-server-config.yaml +++ b/test-network-k8s/config/org1/fabric-ca-server-config.yaml 
@@ -86,7 +86,7 @@ tls: ############################################################################# ca: # Name of this CA - name: org2-ecert-ca + name: org1-ca # Key file (is only used to import a private key into BCCSP) keyfile: # Certificate file (default: ca-cert.pem) @@ -320,8 +320,8 @@ csr: hosts: - localhost - 127.0.0.1 - - org2-ecert-ca - - org2-ecert-ca.test-network.svc.cluster.local + - org1-ca + - org1-ca.test-network.svc.cluster.local ca: expiry: 131400h pathlength: 1 diff --git a/test-network-k8s/config/org1/fabric-tls-ca-server-config.yaml b/test-network-k8s/config/org1/fabric-tls-ca-server-config.yaml deleted file mode 100644 index 23860537..00000000 --- a/test-network-k8s/config/org1/fabric-tls-ca-server-config.yaml +++ /dev/null 
@@ -1,496 +0,0 @@ -############################################################################# -# This is a configuration file for the fabric-ca-server command. -# -# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES -# ------------------------------------------------ -# Each configuration element can be overridden via command line -# arguments or environment variables. The precedence for determining -# the value of each element is as follows: -# 1) command line argument -# Examples: -# a) --port 443 -# To set the listening port -# b) --ca.keyfile ../mykey.pem -# To set the "keyfile" element in the "ca" section below; -# note the '.' separator character. -# 2) environment variable -# Examples: -# a) FABRIC_CA_SERVER_PORT=443 -# To set the listening port -# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" -# To set the "keyfile" element in the "ca" section below; -# note the '_' separator character. -# 3) configuration file -# 4) default value (if there is one) -# All default values are shown beside each element below. -# -# FILE NAME ELEMENTS -# ------------------ -# The value of all fields whose name ends with "file" or "files" are -# name or names of other files. -# For example, see "tls.certfile" and "tls.clientauth.certfiles". -# The value of each of these fields can be a simple filename, a -# relative path, or an absolute path. If the value is not an -# absolute path, it is interpretted as being relative to the location -# of this configuration file. 
-# -############################################################################# - -# Version of config file -version: 1.5.2 - -# Server's listening port (default: 7054) -port: 443 - -# Cross-Origin Resource Sharing (CORS) -cors: - enabled: false - origins: - - "*" - -# Enables debug logging (default: false) -debug: false - -# Size limit of an acceptable CRL in bytes (default: 512000) -crlsizelimit: 512000 - -############################################################################# -# TLS section for the server's listening port -# -# The following types are supported for client authentication: NoClientCert, -# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, -# and RequireAndVerifyClientCert. -# -# Certfiles is a list of root certificate authorities that the server uses -# when verifying client certificates. -############################################################################# -tls: - # Enable TLS (default: false) - enabled: true - # TLS for the server's listening port - certfile: - keyfile: - clientauth: - type: noclientcert - certfiles: - -############################################################################# -# The CA section contains information related to the Certificate Authority -# including the name of the CA, which should be unique for all members -# of a blockchain network. It also includes the key and certificate files -# used when issuing enrollment certificates (ECerts) and transaction -# certificates (TCerts). -# The chainfile (if it exists) contains the certificate chain which -# should be trusted for this CA, where the 1st in the chain is always the -# root CA certificate. 
-############################################################################# -ca: - # Name of this CA - name: org1-tls-ca - # Key file (is only used to import a private key into BCCSP) - keyfile: - # Certificate file (default: ca-cert.pem) - certfile: - # Chain file - chainfile: - -############################################################################# -# The gencrl REST endpoint is used to generate a CRL that contains revoked -# certificates. This section contains configuration options that are used -# during gencrl request processing. -############################################################################# -crl: - # Specifies expiration for the generated CRL. The number of hours - # specified by this property is added to the UTC time, the resulting time - # is used to set the 'Next Update' date of the CRL. - expiry: 24h - -############################################################################# -# The registry section controls how the fabric-ca-server does two things: -# 1) authenticates enrollment requests which contain a username and password -# (also known as an enrollment ID and secret). -# 2) once authenticated, retrieves the identity's attribute names and -# values which the fabric-ca-server optionally puts into TCerts -# which it issues for transacting on the Hyperledger Fabric blockchain. -# These attributes are useful for making access control decisions in -# chaincode. -# There are two main configuration options: -# 1) The fabric-ca-server is the registry. -# This is true if "ldap.enabled" in the ldap section below is false. -# 2) An LDAP server is the registry, in which case the fabric-ca-server -# calls the LDAP server to perform these tasks. -# This is true if "ldap.enabled" in the ldap section below is true, -# which means this "registry" section is ignored. 
-############################################################################# -registry: - # Maximum number of times a password/secret can be reused for enrollment - # (default: -1, which means there is no limit) - maxenrollments: -1 - - # Contains identity information which is used when LDAP is disabled - identities: - - name: tlsadmin - pass: tlsadminpw - type: client - affiliation: "" - attrs: - hf.Registrar.Roles: "*" - hf.Registrar.DelegateRoles: "*" - hf.Revoker: true - hf.IntermediateCA: true - hf.GenCRL: true - hf.Registrar.Attributes: "*" - hf.AffiliationMgr: true - -############################################################################# -# Database section -# Supported types are: "sqlite3", "postgres", and "mysql". -# The datasource value depends on the type. -# If the type is "sqlite3", the datasource value is a file name to use -# as the database store. Since "sqlite3" is an embedded database, it -# may not be used if you want to run the fabric-ca-server in a cluster. -# To run the fabric-ca-server in a cluster, you must choose "postgres" -# or "mysql". -############################################################################# -db: - type: sqlite3 - datasource: fabric-ca-server.db - tls: - enabled: false - certfiles: - client: - certfile: - keyfile: - -############################################################################# -# LDAP section -# If LDAP is enabled, the fabric-ca-server calls LDAP to: -# 1) authenticate enrollment ID and secret (i.e. username and password) -# for enrollment requests; -# 2) To retrieve identity attributes -############################################################################# -ldap: - # Enables or disables the LDAP client (default: false) - # If this is set to true, the "registry" section is ignored. 
- enabled: false
- # The URL of the LDAP server
- url: ldap://:@:/
- # TLS configuration for the client connection to the LDAP server
- tls:
- certfiles:
- client:
- certfile:
- keyfile:
- # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
- attribute:
- # 'names' is an array of strings containing the LDAP attribute names which are
- # requested from the LDAP server for an LDAP identity's entry
- names: ['uid','member']
- # The 'converters' section is used to convert an LDAP entry to the value of
- # a fabric CA attribute.
- # For example, the following converts an LDAP 'uid' attribute
- # whose value begins with 'revoker' to a fabric CA attribute
- # named "hf.Revoker" with a value of "true" (because the boolean expression
- # evaluates to true).
- # converters:
- # - name: hf.Revoker
- # value: attr("uid") =~ "revoker*"
- converters:
- - name:
- value:
- # The 'maps' section contains named maps which may be referenced by the 'map'
- # function in the 'converters' section to map LDAP responses to arbitrary values.
- # For example, assume a user has an LDAP attribute named 'member' which has multiple
- # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
- # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
- # Further assume the following configuration.
- # converters:
- # - name: hf.Registrar.Roles
- # value: map(attr("member"),"groups")
- # maps:
- # groups:
- # - name: dn1
- # value: peer
- # - name: dn2
- # value: client
- # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
- # "peer,client,dn3". This is because the value of 'attr("member")' is
- # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
- # "group" replaces "dn1" with "peer" and "dn2" with "client".
- maps:
- groups:
- - name:
- value:
-
-#############################################################################
-# Affiliations section. Fabric CA server can be bootstrapped with the
-# affiliations specified in this section. Affiliations are specified as maps.
-# For example:
-# businessunit1:
-# department1:
-# - team1
-# businessunit2:
-# - department2
-# - department3
-#
-# Affiliations are hierarchical in nature. In the above example,
-# department1 (used as businessunit1.department1) is the child of businessunit1.
-# team1 (used as businessunit1.department1.team1) is the child of department1.
-# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
-# are children of businessunit2.
-# Note: Affiliations are case sensitive except for the non-leaf affiliations
-# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
-# which are always stored in lower case.
-#############################################################################
-affiliations:
- org1:
- - department1
- - department2
- org2:
- - department1
-
-#############################################################################
-# Signing section
-#
-# The "default" subsection is used to sign enrollment certificates;
-# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
-#
-# The "ca" profile subsection is used to sign intermediate CA certificates;
-# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
-# Note that "isca" is true, meaning that it issues a CA certificate.
-# A maxpathlen of 0 means that the intermediate CA cannot issue other
-# intermediate CA certificates, though it can still issue end entity certificates.
-# (See RFC 5280, section 4.2.1.9)
-#
-# The "tls" profile subsection is used to sign TLS certificate requests;
-# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
-#############################################################################
-signing:
- default:
- authremote: {}
- caconstraint: {}
- expiry: 8760h
- usage:
- - signing
- - key encipherment
- - server auth
- - client auth
- - key agreement
- profiles: null
-
-###########################################################################
-# Certificate Signing Request (CSR) section.
-# This controls the creation of the root CA certificate.
-# The expiration for the root CA certificate is configured with the
-# "ca.expiry" field below, whose default value is "131400h" which is
-# 15 years in hours.
-# The pathlength field is used to limit CA certificate hierarchy as described
-# in section 4.2.1.9 of RFC 5280.
-# Examples:
-# 1) No pathlength value means no limit is requested.
-# 2) pathlength == 1 means a limit of 1 is requested which is the default for
-# a root CA. This means the root CA can issue intermediate CA certificates,
-# but these intermediate CAs may not in turn issue other CA certificates
-# though they can still issue end entity certificates.
-# 3) pathlength == 0 means a limit of 0 is requested;
-# this is the default for an intermediate CA, which means it can not issue
-# CA certificates though it can still issue end entity certificates.
-###########################################################################
-csr:
- cn: fabric-ca-server
- keyrequest:
- algo: ecdsa
- size: 256
- names:
- - C: US
- ST: "North Carolina"
- L:
- O: Hyperledger
- OU: Fabric
- hosts:
- - localhost
- - 127.0.0.1
- - org1-tls-ca
- - org1-tls-ca.test-network.svc.cluster.local
- ca:
- expiry: 131400h
- pathlength: 1
-
-###########################################################################
-# Each CA can issue both X509 enrollment certificate as well as Idemix
-# Credential. This section specifies configuration for the issuer component
-# that is responsible for issuing Idemix credentials.
-###########################################################################
-idemix:
- # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
- # Idemix credential. The issuer will create a pool revocation handles of this specified size. When
- # a credential is requested, issuer will get handle from the pool and assign it to the credential.
- # Issuer will repopulate the pool with new handles when the last handle in the pool is used.
- # A revocation handle and credential revocation information (CRI) are used to create non revocation proof
- # by the prover to prove to the verifier that her credential is not revoked.
- rhpoolsize: 1000
-
- # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
- # and second step is send credential request that is constructed using the nonce to the isuser to
- # request a credential. This configuration property specifies expiration for the nonces. By default is
- # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
- nonceexpiration: 15s
-
- # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
- # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
- noncesweepinterval: 15m
-
-#############################################################################
-# BCCSP (BlockChain Crypto Service Provider) section is used to select which
-# crypto library implementation to use
-#############################################################################
-bccsp:
- default: SW
- sw:
- hash: SHA2
- security: 256
- filekeystore:
- # The directory used for the software file-based keystore
- keystore: msp/keystore
-
-#############################################################################
-# Multi CA section
-#
-# Each Fabric CA server contains one CA by default. This section is used
-# to configure multiple CAs in a single server.
-#
-# 1) --cacount
-# Automatically generate non-default CAs. The names of these
-# additional CAs are "ca1", "ca2", ... "caN", where "N" is
-# This is particularly useful in a development environment to quickly set up
-# multiple CAs. Note that, this config option is not applicable to intermediate CA server
-# i.e., Fabric CA server that is started with intermediate.parentserver.url config
-# option (-u command line option)
-#
-# 2) --cafiles
-# For each CA config file in the list, generate a separate signing CA. Each CA
-# config file in this list MAY contain all of the same elements as are found in
-# the server config file except port, debug, and tls sections.
-#
-# Examples:
-# fabric-ca-server start -b admin:adminpw --cacount 2
-#
-# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
-# --cafiles ca/ca2/fabric-ca-server-config.yaml
-#
-#############################################################################
-
-cacount:
-
-cafiles:
-
-#############################################################################
-# Intermediate CA section
-#
-# The relationship between servers and CAs is as follows:
-# 1) A single server process may contain or function as one or more CAs.
-# This is configured by the "Multi CA section" above.
-# 2) Each CA is either a root CA or an intermediate CA.
-# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
-#
-# This section pertains to configuration of #2 and #3.
-# If the "intermediate.parentserver.url" property is set,
-# then this is an intermediate CA with the specified parent
-# CA.
-#
-# parentserver section
-# url - The URL of the parent server
-# caname - Name of the CA to enroll within the server
-#
-# enrollment section used to enroll intermediate CA with parent CA
-# profile - Name of the signing profile to use in issuing the certificate
-# label - Label to use in HSM operations
-#
-# tls section for secure socket connection
-# certfiles - PEM-encoded list of trusted root certificate files
-# client:
-# certfile - PEM-encoded certificate file for when client authentication
-# is enabled on server
-# keyfile - PEM-encoded key file for when client authentication
-# is enabled on server
-#############################################################################
-intermediate:
- parentserver:
- url:
- caname:
-
- enrollment:
- hosts:
- profile:
- label:
-
- tls:
- certfiles:
- client:
- certfile:
- keyfile:
-
-#############################################################################
-# CA configuration section
-#
-# Configure the number of incorrect password attempts are allowed for
-# identities. By default, the value of 'passwordattempts' is 10, which
-# means that 10 incorrect password attempts can be made before an identity get
-# locked out.
-#############################################################################
-cfg:
- identities:
- passwordattempts: 10
-
-###############################################################################
-#
-# Operations section
-#
-###############################################################################
-operations:
- # host and port for the operations server
- listenAddress: 127.0.0.1:9444
-
- # TLS configuration for the operations endpoint
- tls:
- # TLS enabled
- enabled: false
-
- # path to PEM encoded server certificate for the operations server
- cert:
- file:
-
- # path to PEM encoded server key for the operations server
- key:
- file:
-
- # require client certificate authentication to access all resources
- clientAuthRequired: false
-
- # paths to PEM encoded ca certificates to trust for client authentication
- clientRootCAs:
- files: []
-
-###############################################################################
-#
-# Metrics section
-#
-###############################################################################
-metrics:
- # statsd, prometheus, or disabled
- provider: disabled
-
- # statsd configuration
- statsd:
- # network type: tcp or udp
- network: udp
-
- # statsd server address
- address: 127.0.0.1:8125
-
- # the interval at which locally cached counters and gauges are pushsed
- # to statsd; timings are pushed immediately
- writeInterval: 10s
-
- # prefix is prepended to all emitted statsd merics
- prefix: server
diff --git a/test-network-k8s/config/org1/fabric-ecert-ca-server-config.yaml b/test-network-k8s/config/org2/fabric-ca-server-config.yaml
similarity index 99%
rename from test-network-k8s/config/org1/fabric-ecert-ca-server-config.yaml
rename to test-network-k8s/config/org2/fabric-ca-server-config.yaml
index f1ed9da4..992315f0 100644
--- a/test-network-k8s/config/org1/fabric-ecert-ca-server-config.yaml
+++ b/test-network-k8s/config/org2/fabric-ca-server-config.yaml
@@ -86,7 +86,7 @@ tls: ############################################################################# ca: # Name of this CA - name: org1-ecert-ca + name: org2-ca # Key file (is only used to import a private key into BCCSP) keyfile: # Certificate file (default: ca-cert.pem) @@ -320,8 +320,8 @@ csr: hosts: - localhost - 127.0.0.1 - - org1-ecert-ca - - org1-ecert-ca.test-network.svc.cluster.local + - org2-ca + - org2-ca.test-network.svc.cluster.local ca: expiry: 131400h pathlength: 1 diff --git a/test-network-k8s/config/org2/fabric-tls-ca-server-config.yaml b/test-network-k8s/config/org2/fabric-tls-ca-server-config.yaml deleted file mode 100644 index 74879302..00000000 --- a/test-network-k8s/config/org2/fabric-tls-ca-server-config.yaml +++ /dev/null 
@@ -1,496 +0,0 @@
-#############################################################################
-# This is a configuration file for the fabric-ca-server command.
-#
-# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
-# ------------------------------------------------
-# Each configuration element can be overridden via command line
-# arguments or environment variables. The precedence for determining
-# the value of each element is as follows:
-# 1) command line argument
-# Examples:
-# a) --port 443
-# To set the listening port
-# b) --ca.keyfile ../mykey.pem
-# To set the "keyfile" element in the "ca" section below;
-# note the '.' separator character.
-# 2) environment variable
-# Examples:
-# a) FABRIC_CA_SERVER_PORT=443
-# To set the listening port
-# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
-# To set the "keyfile" element in the "ca" section below;
-# note the '_' separator character.
-# 3) configuration file
-# 4) default value (if there is one)
-# All default values are shown beside each element below.
-#
-# FILE NAME ELEMENTS
-# ------------------
-# The value of all fields whose name ends with "file" or "files" are
-# name or names of other files.
-# For example, see "tls.certfile" and "tls.clientauth.certfiles".
-# The value of each of these fields can be a simple filename, a
-# relative path, or an absolute path. If the value is not an
-# absolute path, it is interpretted as being relative to the location
-# of this configuration file.
-#
-#############################################################################
-
-# Version of config file
-version: 1.5.2
-
-# Server's listening port (default: 7054)
-port: 443
-
-# Cross-Origin Resource Sharing (CORS)
-cors:
- enabled: false
- origins:
- - "*"
-
-# Enables debug logging (default: false)
-debug: false
-
-# Size limit of an acceptable CRL in bytes (default: 512000)
-crlsizelimit: 512000
-
-#############################################################################
-# TLS section for the server's listening port
-#
-# The following types are supported for client authentication: NoClientCert,
-# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
-# and RequireAndVerifyClientCert.
-#
-# Certfiles is a list of root certificate authorities that the server uses
-# when verifying client certificates.
-#############################################################################
-tls:
- # Enable TLS (default: false)
- enabled: true
- # TLS for the server's listening port
- certfile:
- keyfile:
- clientauth:
- type: noclientcert
- certfiles:
-
-#############################################################################
-# The CA section contains information related to the Certificate Authority
-# including the name of the CA, which should be unique for all members
-# of a blockchain network. It also includes the key and certificate files
-# used when issuing enrollment certificates (ECerts) and transaction
-# certificates (TCerts).
-# The chainfile (if it exists) contains the certificate chain which
-# should be trusted for this CA, where the 1st in the chain is always the
-# root CA certificate.
-#############################################################################
-ca:
- # Name of this CA
- name: org2-tls-ca
- # Key file (is only used to import a private key into BCCSP)
- keyfile:
- # Certificate file (default: ca-cert.pem)
- certfile:
- # Chain file
- chainfile:
-
-#############################################################################
-# The gencrl REST endpoint is used to generate a CRL that contains revoked
-# certificates. This section contains configuration options that are used
-# during gencrl request processing.
-#############################################################################
-crl:
- # Specifies expiration for the generated CRL. The number of hours
- # specified by this property is added to the UTC time, the resulting time
- # is used to set the 'Next Update' date of the CRL.
- expiry: 24h
-
-#############################################################################
-# The registry section controls how the fabric-ca-server does two things:
-# 1) authenticates enrollment requests which contain a username and password
-# (also known as an enrollment ID and secret).
-# 2) once authenticated, retrieves the identity's attribute names and
-# values which the fabric-ca-server optionally puts into TCerts
-# which it issues for transacting on the Hyperledger Fabric blockchain.
-# These attributes are useful for making access control decisions in
-# chaincode.
-# There are two main configuration options:
-# 1) The fabric-ca-server is the registry.
-# This is true if "ldap.enabled" in the ldap section below is false.
-# 2) An LDAP server is the registry, in which case the fabric-ca-server
-# calls the LDAP server to perform these tasks.
-# This is true if "ldap.enabled" in the ldap section below is true,
-# which means this "registry" section is ignored.
-#############################################################################
-registry:
- # Maximum number of times a password/secret can be reused for enrollment
- # (default: -1, which means there is no limit)
- maxenrollments: -1
-
- # Contains identity information which is used when LDAP is disabled
- identities:
- - name: tlsadmin
- pass: tlsadminpw
- type: client
- affiliation: ""
- attrs:
- hf.Registrar.Roles: "*"
- hf.Registrar.DelegateRoles: "*"
- hf.Revoker: true
- hf.IntermediateCA: true
- hf.GenCRL: true
- hf.Registrar.Attributes: "*"
- hf.AffiliationMgr: true
-
-#############################################################################
-# Database section
-# Supported types are: "sqlite3", "postgres", and "mysql".
-# The datasource value depends on the type.
-# If the type is "sqlite3", the datasource value is a file name to use
-# as the database store. Since "sqlite3" is an embedded database, it
-# may not be used if you want to run the fabric-ca-server in a cluster.
-# To run the fabric-ca-server in a cluster, you must choose "postgres"
-# or "mysql".
-#############################################################################
-db:
- type: sqlite3
- datasource: fabric-ca-server.db
- tls:
- enabled: false
- certfiles:
- client:
- certfile:
- keyfile:
-
-#############################################################################
-# LDAP section
-# If LDAP is enabled, the fabric-ca-server calls LDAP to:
-# 1) authenticate enrollment ID and secret (i.e. username and password)
-# for enrollment requests;
-# 2) To retrieve identity attributes
-#############################################################################
-ldap:
- # Enables or disables the LDAP client (default: false)
- # If this is set to true, the "registry" section is ignored.
- enabled: false
- # The URL of the LDAP server
- url: ldap://:@:/
- # TLS configuration for the client connection to the LDAP server
- tls:
- certfiles:
- client:
- certfile:
- keyfile:
- # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
- attribute:
- # 'names' is an array of strings containing the LDAP attribute names which are
- # requested from the LDAP server for an LDAP identity's entry
- names: ['uid','member']
- # The 'converters' section is used to convert an LDAP entry to the value of
- # a fabric CA attribute.
- # For example, the following converts an LDAP 'uid' attribute
- # whose value begins with 'revoker' to a fabric CA attribute
- # named "hf.Revoker" with a value of "true" (because the boolean expression
- # evaluates to true).
- # converters:
- # - name: hf.Revoker
- # value: attr("uid") =~ "revoker*"
- converters:
- - name:
- value:
- # The 'maps' section contains named maps which may be referenced by the 'map'
- # function in the 'converters' section to map LDAP responses to arbitrary values.
- # For example, assume a user has an LDAP attribute named 'member' which has multiple
- # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
- # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
- # Further assume the following configuration.
- # converters:
- # - name: hf.Registrar.Roles
- # value: map(attr("member"),"groups")
- # maps:
- # groups:
- # - name: dn1
- # value: peer
- # - name: dn2
- # value: client
- # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
- # "peer,client,dn3". This is because the value of 'attr("member")' is
- # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
- # "group" replaces "dn1" with "peer" and "dn2" with "client".
- maps:
- groups:
- - name:
- value:
-
-#############################################################################
-# Affiliations section. Fabric CA server can be bootstrapped with the
-# affiliations specified in this section. Affiliations are specified as maps.
-# For example:
-# businessunit1:
-# department1:
-# - team1
-# businessunit2:
-# - department2
-# - department3
-#
-# Affiliations are hierarchical in nature. In the above example,
-# department1 (used as businessunit1.department1) is the child of businessunit1.
-# team1 (used as businessunit1.department1.team1) is the child of department1.
-# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
-# are children of businessunit2.
-# Note: Affiliations are case sensitive except for the non-leaf affiliations
-# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
-# which are always stored in lower case.
-#############################################################################
-affiliations:
- org1:
- - department1
- - department2
- org2:
- - department1
-
-#############################################################################
-# Signing section
-#
-# The "default" subsection is used to sign enrollment certificates;
-# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
-#
-# The "ca" profile subsection is used to sign intermediate CA certificates;
-# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
-# Note that "isca" is true, meaning that it issues a CA certificate.
-# A maxpathlen of 0 means that the intermediate CA cannot issue other
-# intermediate CA certificates, though it can still issue end entity certificates.
-# (See RFC 5280, section 4.2.1.9)
-#
-# The "tls" profile subsection is used to sign TLS certificate requests;
-# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
-#############################################################################
-signing:
- default:
- authremote: {}
- caconstraint: {}
- expiry: 8760h
- usage:
- - signing
- - key encipherment
- - server auth
- - client auth
- - key agreement
- profiles: null
-
-###########################################################################
-# Certificate Signing Request (CSR) section.
-# This controls the creation of the root CA certificate.
-# The expiration for the root CA certificate is configured with the
-# "ca.expiry" field below, whose default value is "131400h" which is
-# 15 years in hours.
-# The pathlength field is used to limit CA certificate hierarchy as described
-# in section 4.2.1.9 of RFC 5280.
-# Examples:
-# 1) No pathlength value means no limit is requested.
-# 2) pathlength == 1 means a limit of 1 is requested which is the default for
-# a root CA. This means the root CA can issue intermediate CA certificates,
-# but these intermediate CAs may not in turn issue other CA certificates
-# though they can still issue end entity certificates.
-# 3) pathlength == 0 means a limit of 0 is requested;
-# this is the default for an intermediate CA, which means it can not issue
-# CA certificates though it can still issue end entity certificates.
-###########################################################################
-csr:
- cn: fabric-ca-server
- keyrequest:
- algo: ecdsa
- size: 256
- names:
- - C: US
- ST: "North Carolina"
- L:
- O: Hyperledger
- OU: Fabric
- hosts:
- - localhost
- - 127.0.0.1
- - org2-tls-ca
- - org2-tls-ca.test-network.svc.cluster.local
- ca:
- expiry: 131400h
- pathlength: 1
-
-###########################################################################
-# Each CA can issue both X509 enrollment certificate as well as Idemix
-# Credential. This section specifies configuration for the issuer component
-# that is responsible for issuing Idemix credentials.
-###########################################################################
-idemix:
- # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
- # Idemix credential. The issuer will create a pool revocation handles of this specified size. When
- # a credential is requested, issuer will get handle from the pool and assign it to the credential.
- # Issuer will repopulate the pool with new handles when the last handle in the pool is used.
- # A revocation handle and credential revocation information (CRI) are used to create non revocation proof
- # by the prover to prove to the verifier that her credential is not revoked.
- rhpoolsize: 1000
-
- # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
- # and second step is send credential request that is constructed using the nonce to the isuser to
- # request a credential. This configuration property specifies expiration for the nonces. By default is
- # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
- nonceexpiration: 15s
-
- # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
- # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
- noncesweepinterval: 15m
-
-#############################################################################
-# BCCSP (BlockChain Crypto Service Provider) section is used to select which
-# crypto library implementation to use
-#############################################################################
-bccsp:
- default: SW
- sw:
- hash: SHA2
- security: 256
- filekeystore:
- # The directory used for the software file-based keystore
- keystore: msp/keystore
-
-#############################################################################
-# Multi CA section
-#
-# Each Fabric CA server contains one CA by default. This section is used
-# to configure multiple CAs in a single server.
-#
-# 1) --cacount
-# Automatically generate non-default CAs. The names of these
-# additional CAs are "ca1", "ca2", ... "caN", where "N" is
-# This is particularly useful in a development environment to quickly set up
-# multiple CAs. Note that, this config option is not applicable to intermediate CA server
-# i.e., Fabric CA server that is started with intermediate.parentserver.url config
-# option (-u command line option)
-#
-# 2) --cafiles
-# For each CA config file in the list, generate a separate signing CA. Each CA
-# config file in this list MAY contain all of the same elements as are found in
-# the server config file except port, debug, and tls sections.
-#
-# Examples:
-# fabric-ca-server start -b admin:adminpw --cacount 2
-#
-# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
-# --cafiles ca/ca2/fabric-ca-server-config.yaml
-#
-#############################################################################
-
-cacount:
-
-cafiles:
-
-#############################################################################
-# Intermediate CA section
-#
-# The relationship between servers and CAs is as follows:
-# 1) A single server process may contain or function as one or more CAs.
-# This is configured by the "Multi CA section" above.
-# 2) Each CA is either a root CA or an intermediate CA.
-# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
-#
-# This section pertains to configuration of #2 and #3.
-# If the "intermediate.parentserver.url" property is set,
-# then this is an intermediate CA with the specified parent
-# CA.
-#
-# parentserver section
-# url - The URL of the parent server
-# caname - Name of the CA to enroll within the server
-#
-# enrollment section used to enroll intermediate CA with parent CA
-# profile - Name of the signing profile to use in issuing the certificate
-# label - Label to use in HSM operations
-#
-# tls section for secure socket connection
-# certfiles - PEM-encoded list of trusted root certificate files
-# client:
-# certfile - PEM-encoded certificate file for when client authentication
-# is enabled on server
-# keyfile - PEM-encoded key file for when client authentication
-# is enabled on server
-#############################################################################
-intermediate:
- parentserver:
- url:
- caname:
-
- enrollment:
- hosts:
- profile:
- label:
-
- tls:
- certfiles:
- client:
- certfile:
- keyfile:
-
-#############################################################################
-# CA configuration section
-#
-# Configure the number of incorrect password attempts are allowed for
-# identities. By default, the value of 'passwordattempts' is 10, which
-# means that 10 incorrect password attempts can be made before an identity get
-# locked out.
-#############################################################################
-cfg:
- identities:
- passwordattempts: 10
-
-###############################################################################
-#
-# Operations section
-#
-###############################################################################
-operations:
- # host and port for the operations server
- listenAddress: 127.0.0.1:9444
-
- # TLS configuration for the operations endpoint
- tls:
- # TLS enabled
- enabled: false
-
- # path to PEM encoded server certificate for the operations server
- cert:
- file:
-
- # path to PEM encoded server key for the operations server
- key:
- file:
-
- # require client certificate authentication to access all resources
- clientAuthRequired: false
-
- # paths to PEM encoded ca certificates to trust for client authentication
- clientRootCAs:
- files: []
-
-###############################################################################
-#
-# Metrics section
-#
-###############################################################################
-metrics:
- # statsd, prometheus, or disabled
- provider: disabled
-
- # statsd configuration
- statsd:
- # network type: tcp or udp
- network: udp
-
- # statsd server address
- address: 127.0.0.1:8125
-
- # the interval at which locally cached counters and gauges are pushsed
- # to statsd; timings are pushed immediately
- writeInterval: 10s
-
- # prefix is prepended to all emitted statsd merics
- prefix: server
diff --git a/test-network-k8s/docs/CA.md b/test-network-k8s/docs/CA.md
index c8758b24..2acc922b 100644
--- a/test-network-k8s/docs/CA.md
+++ b/test-network-k8s/docs/CA.md
@@ -19,53 +19,54 @@ $ ./network up Launching network "test-network": ... -✅ - Launching TLS CAs ... -✅ - Enrolling bootstrap TLS CA users ... - -✅ - Registering and enrolling ECert CA bootstrap users ... +✅ - Initializing TLS certificate Issuers ... ✅ - Launching ECert CAs ... ✅ - Enrolling bootstrap ECert CA users ... ... 🏁 - Network is ready. ``` - ## [Planning for a CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/ca-deploy-topology.html#planning-for-a-ca) Setting up a CA framework is one of the more daunting aspects of a Fabric installation. There is an incredible amount of flexibility possible with the Fabric CA architecture, so to keep things straightforward we have opted to aim for a -simplified, but realistic CA deployment illustrating the key touch points with Kubernetes: +simplified, but realistic CA deployment illustrating key touch points with Kubernetes: - Each organization maintains distinct, [independent volumes](../kube/pv-fabric-org0.yaml) for the storage of MSP and - TLS certificates. This forces the consortium organizer to plan for the distribution of _public_ certificates to + node certificates. This forces the consortium organizer to plan for the distribution of _public_ certificates to member organizations, while maintaining an independent, secret storage location for _private_ signing keys. -- Each organization maintains two distinct, separate CA instances : one dedicated to [TLS](../kube/org0/org0-tls-ca.yaml) - Certificate Signing Requests, and a second process dedicated to [ECert](../kube/org0/org0-ecert-ca.yaml) Enrollments - and identity MSPs. - - -- Certificate organization and [Folder Structure](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html#folder-structure-for-your-org-and-node-admin-identities) - strictly adheres to the best practices and guidelines recommended by the CA Deployment Guide. 
+- This guide simplifies the storage and organization of Fabric certificates into two distinct flows. For securing + inter-node communication with TLS, [cert-manager](https://cert-manager.io) is responsible for the lifecycle of issuing, + renewing, and revoking SSL certificates and keys as native Kubernetes `Certificate` resources. Complementing the + SSL certificate lifecycle is a set of fabric-CAs responsible for fulfilling Fabric [ECert](../kube/org0/org0-ca.yaml) + Enrollments and identities. -- The `cryptogen` anti-pattern is **strictly forbidden**. All TLS and MSP enrollments are constructed using the CA - registration and enrollment REST services, coordinated by calls to `fabric-ca-client` running directly on the - CA pods. When working with certificates, the fabric CA client ONLY has visibility to the organization's local volume - storage. +- MSP Certificate organization and [Folder Structure](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html#folder-structure-for-your-org-and-node-admin-identities) + strictly adheres to the best practices and guidelines recommended by the CA Deployment Guide. -- TLS CA configuration and certificates are maintained in each org's persistent volume at `/var/hyperledger/fabric-tls-ca-server` +- The `cryptogen` anti-pattern is **strictly forbidden**. All MSP enrollments are constructed using the CA + registration and enrollment REST services, coordinated by calls to `fabric-ca-client`. At runtime, the ca-client + ONLY has visibility to the organization's shared volume mount. -- ECert CA configuration and certificates are maintained in each org's persistent volume at `/var/hyperledger/fabric-ca-server` +- TLS Certificates are stored and organized within the cluster as a series of `Certificate` resources with associated + Kube `Secret` and volume mounts. Service pods mount the node TLS key pair and CA certificate at `/var/hyperledger/fabric/config/tls`. 
+ Each organization in the network maintains an independent [CA `Issuer`](https://cert-manager.io/docs/configuration/ca/) + endorsed by a system-wide, self-signed root CA. + + +- Each organization in the network maintains an independent fabric CA instance, with configuration and certificates + stored in each org's persistent volume at `/var/hyperledger/fabric-ca-server`. - fabric-ca-client configuration and certificates are maintained in each org's persistent volume at `/var/hyperledger/fabric-ca-client` -- ECert and MSP data structures are maintained in each org's persistent volume at `/var/hyperledger/fabric/organizations` +- ECert and MSP enrollment structures are maintained in each org's persistent volume at `/var/hyperledger/fabric/organizations` @@ -77,11 +78,6 @@ simplified, but realistic CA deployment illustrating the key touch points with K and/or alternate signing chains backed by formal (e.g. letsencrypt, Thawte, Verisign, etc.) certificate authorities. -- **_Dual Headed CAs_** : In practice, juggling two distinct deployments between TLS and ECert servers adds little - functional value. It would be nice to simplify the configuration, deployment, and bootstrapping scripts such that - each org manages a single, dual-headed CA capable of responding to both TLS as well as ECert enrollmnent rerquests. - - - **_Time-Bomb Certificates_** : By default the certificates issued by the test network are valid for 1 (one) year. For lightweight or adhoc testing, this is fine. But when applied to production deployments, certificate expiry is a real operational challenge. For instance, it is possible to soft-lock a Fabric network when all system certificates 
@@ -103,86 +99,41 @@ simplified, but realistic CA deployment illustrating the key touch points with K The [sequence of activities](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#what-order-should-i-deploy-the-cas) necessary to bring up a CA infrastructure is well documented by the CA Deployment Guide: -1. [Deploy the TLS CAs](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#deploy-the-tls-ca) - 1. [Configure the TLS CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#modify-the-tls-ca-server-configuration) - 1. [Launch the TLS CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#start-the-tls-ca-server) - 1. [Enroll the TLS CA Bootstrap Admin Users](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-bootstrap-user-with-tls-ca) +1. [Deploy TLS CA Issuers](#deploy-tls-ca-issuers) 1. [Deploy the Organization CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#deploy-an-organization-ca) - 1. [Register and enroll the org CA bootstrap identity with the TLS CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#register-and-enroll-the-organization-ca-bootstrap-identity-with-the-tls-ca) 1. [Configure the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#modify-the-ca-server-configuration) 1. [Launch the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#start-the-ca-server) 1. 
[Enroll the ECert CA Bootstrap / Admin User](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-the-ca-admin) -## [Deploy the TLS CAs](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#deploy-the-tls-ca) +## Deploy TLS CA Issuers -### [Configure the TLS CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#modify-the-tls-ca-server-configuration) - -While the CA guide suggests running the `fabric-ca-server` binary to generate a default configuration file, for the -test network we've skipped this step and have added a [config/fabric-tls-ca-server-config.yaml](../config/org0/fabric-tls-ca-server-config.yaml) -to the top level of this project. - -Changes have been made to reflect: - -- `port: 443` binds all traffic to the default HTTPS port -- `tls.enabled: true` enables TLS for registration and enrollment requests -- `ca.name: ` matches the Kubernetes `Service` host alias -- `csr.hosts:` includes host aliases for accessing the CA with Kube DNS - - -Prior to launching the CA, for each org we create a configmap including the TLS CA server yaml: - -```shell -kubectl -n test-network create configmap org0-config --from-file=config/org0 -kubectl -n test-network create configmap org1-config --from-file=config/org1 -kubectl -n test-network create configmap org2-config --from-file=config/org2 +``` +✅ - Initializing TLS certificate Issuers ... +... ``` +The Kubernetes Test Network relies on [cert-manager](https://cert-manager.io) to issue, renew, and revoke TLS +certificates for network endpoints. Before launching peers, orderers, and chaincode pods, each node must +have a corresponding [`Certificate`](https://cert-manager.io/docs/usage/certificate/) generated by a cert manager [CA +`Issuer`](https://cert-manager.io/docs/configuration/ca/), stored in Kubernetes and exposed as a kube `Secret` at +runtime. 
-### [Launch the TLS CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#start-the-tls-ca-server) +In the test network, the root TLS certificate is automatically generated by requesting a self-signed ECDSA key pair. +In turn, the root key is used to create a series of CA `Issuers`, one per member organization participating in the +blockchain: -```shell -✅ - Launching TLS CAs ... +``` +# Use the self-signing issuer to generate three Issuers, one for each org: +kubectl -n test-network apply -f kube/org0/org0-tls-cert-issuer.yaml +kubectl -n test-network apply -f kube/org1/org1-tls-cert-issuer.yaml +kubectl -n test-network apply -f kube/org2/org2-tls-cert-issuer.yaml ``` -For each org we create a Kube Deployment and Service, ensuring that the org config -map and persistent volume maps to the correct location on disk. - -```shell -kubectl -n test-network apply -f kube/org0/org0-tls-ca.yaml -kubectl -n test-network apply -f kube/org1/org1-tls-ca.yaml -kubectl -n test-network apply -f kube/org2/org2-tls-ca.yaml -``` - -As a side-effect of bootstrapping the TLS CA, each storage volume will include a self-signed certificate -pair to serve as the **Root TLS Certificate**. Pay special attention to this path, as it will be used extensively -to verify the TLS host name of all services within the organization: -```shell -${FABRIC_CA_CLIENT_HOME}/tls-root-cert/tls-ca-cert.pem -``` - - -### [Enroll the TLS CA Bootstrap Admin Users](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-bootstrap-user-with-tls-ca) -```shell -✅ - Enrolling bootstrap TLS CA users ... -``` - -After the TLS server is running, we need to enroll the bootstrap admin user with the CA. This admin user will -then be employed to fulfill a Certificate Signing request for the ECert CA servers, allowing for full host -verification when connecting to the ECert CAs via https. 
- -To enroll the bootstrap TLS CA users, each org runs within the TLS CA pod: -```shell - fabric-ca-client enroll \ - --url https://'$auth'@'${tlsca}' \ - --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ - --csr.hosts '${tlsca}' \ - --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp -``` - -The --mspdir output of this command is a set of certificates for use with the ECert CA. This enrollment MSP -will be used to register and enroll the ECert bootstrap user. +Each organization's CA `Issuer` will be used to construct a TLS `Certificate` for each node in the network. At +runtime, the deployment pods will mount the certificate contents (`tls.key`, `tls.pem`, and `ca.pem`) as a kube +secrets mounted at `/var/hyperledger/fabric/config/tls`. ## [Deploy the Organization CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#deploy-an-organization-ca) 
@@ -192,47 +143,16 @@ Before we can set up the peers, orderers, and channels, we will need to bootstra for each org in the network. -### [Register and enroll the organization CA bootstrap identity with the TLS CA](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#register-and-enroll-the-organization-ca-bootstrap-identity-with-the-tls-ca) -```shell -✅ - Registering and enrolling ECert CA bootstrap users ... -``` - -The TLS CA can be used to fulfill a Certificate Signing Request on behalf of each organization's ECert CA. - -```shell - fabric-ca-client register \ - --id.name rcaadmin \ - --id.secret rcaadminpw \ - --url https://'${tlsca}' \ - --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ - --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp - - fabric-ca-client enroll \ - --url https://'${tlsauth}'@'${tlsca}' \ - --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ - --csr.hosts '${ecertca}' \ - --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/rcaadmin/msp -``` - -**Important**: The output from this enrollment includes the ECert CA's public certificate and private signing keys. -When the ECert CA pod is launched, the server configuration references the `tls.certfile` and `tls.keyfile` attributes -by specifying `FABRIC_CA_SERVER_TLS_CERTFILE` and `FABRIC_CA_SERVER_TLS_KEYFILE` environment in the pod's environment. - - ### [Configure the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#modify-the-ca-server-configuration) When launching the ECert CA pods, both the org volume shares and org config maps are made available via volume shares. 
-The [fabric-ecert-ca-server.yaml](../config/org0/fabric-ecert-ca-server-config.yaml) includes overrides for: +The [fabric-ecert-ca-server.yaml](../config/org0/fabric-ca-server-config.yaml) includes overrides for: - `port: 443` binds all traffic to the default HTTPS port - `tls.enabled: true` enables TLS for registration and enrollment requests - `ca.name: ` matches the Kubernetes `Service` host alias - `csr.hosts:` includes host aliases for accessing the CA with Kube DNS -In addition, pay special attention to the location of the `FABRIC_CA_SERVER_TLS_CERTFILE` and `FABRIC_CA_SERVER_TLS_KEYFILE` -environment variables in the [ECert deployment descriptor](../kube/org0/org0-ecert-ca.yaml). These variables -reference the TLS certificate authority and signing keys as generated by the admin bootstrap enrollment. - ### [Launch the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#start-the-ca-server) ```shell @@ -240,9 +160,9 @@ reference the TLS certificate authority and signing keys as generated by the adm ``` ```shell -kubectl -n test-network apply -f kube/org0/org0-ecert-ca.yaml -kubectl -n test-network apply -f kube/org1/org1-ecert-ca.yaml -kubectl -n test-network apply -f kube/org2/org2-ecert-ca.yaml +kubectl -n test-network apply -f kube/org0/org0-ca.yaml +kubectl -n test-network apply -f kube/org1/org1-ca.yaml +kubectl -n test-network apply -f kube/org2/org2-ca.yaml ``` - [x] Note: The `rcaadmin` enrollment's `cert.pem` and `key.pem` locations are specified in the ecert CA's k8s deployment as environment variables. @@ -259,7 +179,7 @@ local MSP certificate structure for all of the nodes in our test network. ```shell fabric-ca-client enroll \ --url https://'${auth}'@'${ecert_ca}' \ - --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ + --tls.certfiles /var/hyperledger/fabric/config/tls/ca.pem \ --mspdir $FABRIC_CA_CLIENT_HOME/'${ecert_ca}'/rcaadmin/msp ``` 
@@ -268,13 +188,10 @@ local MSP certificate structure for all of the nodes in our test network. After the CAs have been deployed, each org in the Kube namespace includes: -- One TLS CA `Service`, forwarding internal traffic from https://orgN-tls-ca to the TLS CA -- One TLS CA `Deployment` -- One TLS CA `Pod` +- One TLS CA `Issuer` and issuer `Certificate` - One ECert CA `Service`, forwarding internal traffic from https://orgN-ecert-ca to the ECert CA - One ECert CA `Deployment` - One ECert CA `Pod` -- One TLS CA admin bootstrap user `tlsadmin` enrollment and TLS root certificate. - One ECert CA admin bootstrap user `rcaadmin` enrollment and MSP root certificate. diff --git a/test-network-k8s/docs/CHANNELS.md b/test-network-k8s/docs/CHANNELS.md index 23fa33f6..dacd70cc 100644 --- a/test-network-k8s/docs/CHANNELS.md +++ b/test-network-k8s/docs/CHANNELS.md 
@@ -74,9 +74,9 @@ of a remote `kubectl` into a local archive files. These files are then mounted constructing the `msp-config` config map: ```shell -kubectl -n $NS exec deploy/org0-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/ordererOrganizations/org0.example.com/msp > msp/msp-org0.example.com.tgz -kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp > msp/msp-org1.example.com.tgz -kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp > msp/msp-org2.example.com.tgz +kubectl -n $NS exec deploy/org0-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/ordererOrganizations/org0.example.com/msp > msp/msp-org0.example.com.tgz +kubectl -n $NS exec deploy/org1-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp > msp/msp-org1.example.com.tgz +kubectl -n $NS exec deploy/org2-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp > msp/msp-org2.example.com.tgz kubectl -n $NS delete configmap msp-config || true kubectl -n $NS create configmap msp-config --from-file=msp/``` diff --git a/test-network-k8s/docs/HIGH_AVAILABILITY.md b/test-network-k8s/docs/HIGH_AVAILABILITY.md index d23a411a..585f09cc 100644 --- a/test-network-k8s/docs/HIGH_AVAILABILITY.md +++ b/test-network-k8s/docs/HIGH_AVAILABILITY.md 
@@ -56,7 +56,7 @@ It is important that applications connect to the `org2-peer-gateway-svc` or `org The solution is to add the additional servicename to the hosts field in the SAN section of the TLS certificate. As an example here is the command that is used to create the TLS certificate for org1-peer1. Note the ```bash -fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-ecert-ca --csr.hosts org1-peer1,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp +fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-ca --csr.hosts org1-peer1,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp ``` ## Summary diff --git a/test-network-k8s/docs/README.md b/test-network-k8s/docs/README.md index cd21bdc9..dab0135f 100644 --- a/test-network-k8s/docs/README.md +++ b/test-network-k8s/docs/README.md 
@@ -6,11 +6,9 @@ providing a study guide for operational patterns, the test-network provided a ba the Fabric community to quickly get up to speed with a working, local system, author smart contracts, and develop simple blockchain applications. -While test-network provided a solid foundation for casual Fabric development, the over-reliance on -[Docker Compose](https://docs.docker.com/compose/) introduced tremendous, non-trivial complexity when transitioning -applications to production. Without belaboring the many issues and anti-patterns present in the Compose-based -test network, we'll submit that the best path forward is to _align_ the development and production patterns around a -common orchestration framework - Kubernetes. +As a supplement to the docker-compose based test-network, this guide presents an equivalent Fabric network +suitable for running sample applications and chaincode, developing Gateway and Chaincode-as-a-Service applications, +and harmonizing CI and deployment flows with a unified container framework - Kubernetes. Similar to Fabric, Kubernetes introduces a steep learning curve and presents a dizzying array of operational flexibility. In this guide, we'll outline the design considerations in the [`./network`](../network) @@ -25,8 +23,7 @@ _Ahoy!_ The Kube test network establishes as consortium among a dedicated ordering organization and two peer organizations. Participation in the network is managed over a channel, and transactions are committed to the blockchain ledgers by invoking the [asset-transfer-basic](https://github.com/hyperledgendary/fabric-ccaas-asset-transfer-basic) -_Chaincode-as-a-Service_ running in a shared Kubernetes namespace. Each organization maintains indepedendent TLS -and ECert CAs for management of local, channel, and user MSP contexts. +_Chaincode-as-a-Service_ running in a shared Kubernetes namespace. ![Test Network](images/test-network.png) 
@@ -37,7 +34,7 @@ and ECert CAs for management of local, channel, and user MSP contexts. - [Working with Kubernetes](KUBERNETES.md) - [Certificate Authorities](CA.md) - [Planning for a CA](CA.md#planning-for-a-ca) - - [Deploy the TLS CAs](CA.md#deploy-the-tls-cas) + - [Deploy the TLS CAs](CA.md#deploy-tls-ca-issuers) - [Deploy the ECert CAs](CA.md#deploy-the-organization-ca) - [Launching the Test Network](TEST_NETWORK.md) - [Registering and Enrolling Identities](CA.md#registering-and-enrolling-identities) diff --git a/test-network-k8s/docs/TEST_NETWORK.md b/test-network-k8s/docs/TEST_NETWORK.md index c3832bad..a16d0af8 100644 --- a/test-network-k8s/docs/TEST_NETWORK.md +++ b/test-network-k8s/docs/TEST_NETWORK.md 
@@ -44,44 +44,30 @@ the target usage in the network. For example, the ordering organization sets up the node local MSP with: ```shell # Each identity in the network needs a registration and enrollment. -fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp -fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp -fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp -fabric-ca-client register --id.name org0-admin --id.secret org0adminpw --id.type admin --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" +fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp +fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp +fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp +fabric-ca-client register --id.name org0-admin --id.secret org0adminpw --id.type admin --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-ecert-ca --csr.hosts org0-orderer1 --mspdir 
/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp -fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-ecert-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp -fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-ecert-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp -fabric-ca-client enroll --url https://org0-admin:org0adminpw@org0-ecert-ca --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/users/Admin@org0.example.com/msp - -# Each node in the network needs a TLS registration and enrollment. -fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp -fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp -fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp - -fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-tls-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls -fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-tls-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls -fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-tls-ca --csr.hosts org0-orderer3 --mspdir 
/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls - -# Copy the TLS signing keys to a fixed path for convenience when starting the orderers. -cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/server.key -cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/server.key -cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/server.key +fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp +fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp +fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp +fabric-ca-client enroll --url https://org0-admin:org0adminpw@org0-ca --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/users/Admin@org0.example.com/msp # Create an MSP config.yaml (why is this not generated by the enrollment by 
fabric-ca-client?) echo "NodeOUs: Enable: true ClientOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp/config.yaml @@ -181,23 +167,20 @@ cat kube/org2/org2-peer2.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' After the peers and orderers have started, the Kube namespace includes pods, deployments, and service bindings for: - Org0 (org0.example.com): - - TLS Certificate Authority : https://org0-tls-ca - - ECert Certificate Authority : https://org0-ecert-ca + - ECert Certificate Authority : https://org0-ca - Orderer1 : grpcs://org0-orderer1 - Orderer2 : grpcs://org0-orderer2 - Orderer3 : grpcs://org0-orderer3 - Org1 (org1.example.com): - - TLS Certificate Authority : https://org1-tls-ca - - ECert Certificate Authority : https://org1-ecert-ca + - ECert Certificate Authority : https://org1-ca - Peer Node 1 : grpcs://org1-peer1 - Peer Node 2 : grpcs://org1-peer2 - Org2 (org2.example.com): - - TLS Certificate Authority : https://org2-tls-ca - - ECert Certificate Authority : https://org2-ecert-ca + - ECert Certificate Authority : https://org2-ca - Peer Node 1 : grpcs://org2-peer1 - Peer Node 2 : grpcs://org2-peer2 
diff --git a/test-network-k8s/kube/fabric-rest-sample.yaml b/test-network-k8s/kube/fabric-rest-sample.yaml
index 9254c5e6..be56920d 100644
--- a/test-network-k8s/kube/fabric-rest-sample.yaml
+++ b/test-network-k8s/kube/fabric-rest-sample.yaml
@@ -30,7 +30,7 @@ data:
 "org1-peer1"
 ],
 "certificateAuthorities": [
- "org1-ecert"
+ "org1-ca"
 ]
 }
 },
@@ -48,9 +48,9 @@ data:
 }
 },
 "certificateAuthorities": {
- "org1-ecert-ca": {
- "url": "https://org1-ecert-ca",
- "caName": "org1-ecert-ca",
+ "org1-ca": {
+ "url": "https://org1-ca",
+ "caName": "org1-ca",
 "tlsCACerts": {
 "pem": "TODO"
 },
@@ -106,7 +106,7 @@ data:
 "org2-peer1"
 ],
 "certificateAuthorities": [
- "org2-ecert-ca"
+ "org2-ca"
 ]
 }
 },
@@ -123,9 +123,9 @@ data:
 }
 },
 "certificateAuthorities": {
- "org2-ecert-ca": {
- "url": "https://org2-ecert-ca",
- "caName": "org2-ecert-ca",
+ "org2-ca": {
+ "url": "https://org2-ca",
+ "caName": "org2-ca",
 "tlsCACerts": {
 "pem": ["-----BEGIN CERTIFICATE-----\\nMIICKDCCAc6gAwIBAgIUJAF4fQK1KsnvdaUjau462D/5HPYwCgYIKoZIzj0EAwIw\\naDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt\\nY2Etc2VydmVyMB4XDTIxMDkxOTExMTcwMFoXDTM2MDkxNTExMTcwMFowaDELMAkG\\nA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl\\ncmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2Vy\\ndmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8bLvzagP3YANMGHVomZoGCQD\\nRgM3SenagZQ4IWqNQJSV3yTxzdgAWnPhwc+B/HdAOvAq2Oz54FmiSL9dAJoivqNW\\nMFQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\\nFDdBAwT47jtbj48aXdMfRvMPbD5tMA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0E\\nAwIDSAAwRQIhAITSk4lYWqu12jZkR94aNoKT36ctaeKHuRvXs7m2qaHSAiAtUPO7\\nXlHtI9SDTRvI4DNSb2O7y7+B3WxVeCx50fivDw==\\n-----END CERTIFICATE-----\\n"]
 },
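Review bot: The org2 `tlsCACerts.pem` left as context in the last hunk (@@ -123) still pins what appears to be a fabric-ca self-signed certificate (the subject in the base64 decodes to a `fabric-ca-server` CN), while the org0-ca manifest in this same change moves the CA's serving certificate to a cert-manager issued `tls.crt`; if org2's CA is switched the same way, this pinned PEM no longer validates `https://org2-ca` and the sample fails TLS verification. The pinned value should be replaced with the issuing CA's `ca.crt` (or loaded from the Secret at deploy time), and org1's `"pem": "TODO"` in the @@ -48 hunk deserves the same treatment rather than staying a placeholder. The rename itself is consistent with the `org1-ca`/`org2-ca` Service names introduced elsewhere in the change.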
diff --git a/test-network-k8s/kube/org0/org0-ecert-ca.yaml b/test-network-k8s/kube/org0/org0-ca.yaml
similarity index 64%
rename from test-network-k8s/kube/org0/org0-ecert-ca.yaml
rename to test-network-k8s/kube/org0/org0-ca.yaml
index 4e1960f5..d79a8737 100644
--- a/test-network-k8s/kube/org0/org0-ecert-ca.yaml
+++ b/test-network-k8s/kube/org0/org0-ca.yaml
@@ -3,20 +3,40 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: org0-ca-tls-cert
+spec:
+ isCA: false
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ dnsNames:
+ - localhost
+ - org0-ca
+ - org0-ca.test-network.svc.cluster.local
+ ipAddresses:
+ - 127.0.0.1
+ secretName: org0-ca-tls-cert
+ issuerRef:
+ name: org0-tls-cert-issuer
+
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: org0-ecert-ca
+ name: org0-ca
 spec:
 replicas: 1
 selector:
 matchLabels:
- app: org0-ecert-ca
+ app: org0-ca
 template:
 metadata:
 labels:
- app: org0-ecert-ca
+ app: org0-ca
 spec:
 containers:
 - name: main
@@ -24,15 +44,15 @@ spec:
 imagePullPolicy: IfNotPresent
 env:
 - name: FABRIC_CA_SERVER_CA_NAME
- value: "org0-ecert-ca"
+ value: "org0-ca"
 - name: FABRIC_CA_SERVER_DEBUG
 value: "false"
 - name: FABRIC_CA_SERVER_HOME
 value: "/var/hyperledger/fabric-ca-server"
 - name: FABRIC_CA_SERVER_TLS_CERTFILE
- value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/signcerts/cert.pem"
+ value: "/var/hyperledger/fabric/config/tls/tls.crt"
 - name: FABRIC_CA_SERVER_TLS_KEYFILE
- value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/keystore/key.pem"
+ value: "/var/hyperledger/fabric/config/tls/tls.key"
 - name: FABRIC_CA_CLIENT_HOME
 value: "/var/hyperledger/fabric-ca-client"
 ports:
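Review bot: The `org0-ca-tls-cert` Certificate in the first hunk sets no `duration`/`renewBefore`, so cert-manager's defaults apply and the Secret is re-issued periodically; fabric-ca-server reads `FABRIC_CA_SERVER_TLS_CERTFILE`/`_KEYFILE` at start-up and, as far as I know, does not re-read them, so the pod keeps serving the superseded certificate until it is restarted. The same applies to the orderer Certificates added in the org0-orderer1/2/3 manifests (L57, L59, L60), where the orderer loads its TLS key pair once. Either set an explicit lifetime that matches the network's expectations (for example `duration: 8760h` with a matching `renewBefore`, a constructed value) and document that a rollout is required after renewal, or add a comment on the Certificate such as `# renewed Secret is not picked up by the running server; restart the Deployment after rotation`.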
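Review bot: `FABRIC_CA_SERVER_TLS_CERTFILE`/`FABRIC_CA_SERVER_TLS_KEYFILE` in the second hunk now point at `tls.crt`/`tls.key`, which are the key names cert-manager writes into the Secret, but the CA.md text in this same change tells clients to use `ca.pem`/`tls.pem` (`--tls.certfiles /var/hyperledger/fabric/config/tls/ca.pem` and the `tls.key`, `tls.pem`, `ca.pem` list); with the mount as defined here those files do not exist. The docs should be aligned to `tls.crt`, `tls.key` and `ca.crt`, matching the orderer ConfigMaps. A short comment next to these env entries, `# tls.crt/tls.key/ca.crt are the key names of the cert-manager Secret mounted at /var/hyperledger/fabric/config/tls`, would make the coupling explicit.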
@@ -42,7 +62,10 @@ spec:
 mountPath: /var/hyperledger
 - name: fabric-config
 mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
- subPath: fabric-ecert-ca-server-config.yaml
+ subPath: fabric-ca-server-config.yaml
+ - name: tls-cert-volume
+ mountPath: /var/hyperledger/fabric/config/tls
+ readOnly: true
 readinessProbe:
 tcpSocket:
 port: 443
@@ -55,16 +78,19 @@ spec:
 - name: fabric-config
 configMap:
 name: org0-config
+ - name: tls-cert-volume
+ secret:
+ secretName: org0-ca-tls-cert
 ---
 apiVersion: v1
 kind: Service
 metadata:
- name: org0-ecert-ca
+ name: org0-ca
 spec:
 ports:
 - name: tls
 port: 443
 protocol: TCP
 selector:
- app: org0-ecert-ca
\ No newline at end of file
+ app: org0-ca
\ No newline at end of file
diff --git a/test-network-k8s/kube/org0/org0-orderer1.yaml b/test-network-k8s/kube/org0/org0-orderer1.yaml
index ce70b59a..fdef3938 100644
--- a/test-network-k8s/kube/org0/org0-orderer1.yaml
+++ b/test-network-k8s/kube/org0/org0-orderer1.yaml
@@ -3,6 +3,28 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: org0-orderer1-tls-cert
+ namespace: test-network
+spec:
+ isCA: false
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ dnsNames:
+ - localhost
+ - org0-orderer1
+ - org0-orderer1.test-network.svc.cluster.local
+ ipAddresses:
+ - 127.0.0.1
+ secretName: org0-orderer1-tls-cert
+ issuerRef:
+ name: org0-tls-cert-issuer
+
 ---
 apiVersion: v1
 kind: ConfigMap
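Review bot: The `tls-cert-volume` Secret volume added in the @@ -55 hunk uses the default file mode, so `tls.key` is readable by every user inside the container (Kubernetes projects Secret files as 0644 unless `defaultMode` is set). Since the docs run `fabric-ca-client` via `kubectl exec` in this pod, restricting the key file is cheap: `secret:` / `secretName: org0-ca-tls-cert` / `defaultMode: 0400` (use 0440 together with an `fsGroup` if the container runs unprivileged; the securityContext is outside this hunk). The orderer Secret volumes in L58, L60 and L61 have the same gap.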
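Review bot: The `org0-orderer1-tls-cert` Certificate hard-codes `namespace: test-network` while the `org0-ca-tls-cert` Certificate in org0-ca.yaml (L56) omits it and relies on `kubectl -n`; the same hard-coding is repeated for orderer2 (L59) and orderer3 (L60). Because `kubectl apply -n <ns>` rejects a manifest whose `metadata.namespace` differs from the requested namespace, this ties the network to `test-network` even though CHANNELS.md already parameterises the namespace as `$NS`. Drop the `namespace:` line from the three orderer Certificates so every resource is placed by the `-n` flag, as the rest of the manifests are.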
@@ -16,9 +38,9 @@ data:
 ORDERER_GENERAL_LOCALMSPID: OrdererMSP
 ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp
 ORDERER_GENERAL_TLS_ENABLED: "true"
- ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/signcerts/cert.pem
- ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/cacerts/org0-tls-ca.pem
- ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/server.key
+ ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt
+ ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt
+ ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key
 ORDERER_GENERAL_BOOTSTRAPMETHOD: none
 ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer1
 ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer1/etcdraft/wal
@@ -57,6 +79,9 @@ spec:
 mountPath: /var/hyperledger
 - name: fabric-config
 mountPath: /var/hyperledger/fabric/config
+ - name: tls-cert-volume
+ mountPath: /var/hyperledger/fabric/config/tls
+ readOnly: true
 volumes:
 - name: fabric-volume
 persistentVolumeClaim:
@@ -64,7 +89,9 @@ spec:
 - name: fabric-config
 configMap:
 name: org0-config
-
+ - name: tls-cert-volume
+ secret:
+ secretName: org0-orderer1-tls-cert
 ---
 apiVersion: v1
 kind: Service
diff --git a/test-network-k8s/kube/org0/org0-orderer2.yaml b/test-network-k8s/kube/org0/org0-orderer2.yaml
index 0314416d..23e0cb61 100644
--- a/test-network-k8s/kube/org0/org0-orderer2.yaml
+++ b/test-network-k8s/kube/org0/org0-orderer2.yaml
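Review bot: `ORDERER_GENERAL_TLS_ROOTCAS` in the first hunk now points at the `ca.crt` delivered with the cert-manager Secret, i.e. the org0 issuer certificate, whereas the removed line referred to the TLS CA root that was also copied into the node MSP as the `tlscacerts` entry; nothing in this manifest shows where the issuer's CA certificate is now placed into the OrdererMSP `tlscacerts` that ends up in the channel configuration, and if that folder still carries the old `org0-tls-ca.pem`, peers will reject the orderer's new TLS certificate. Worth confirming in network.sh (outside this chunk) and adding a comment such as `# ca.crt is the org0 cert-manager issuer; the same certificate must be the tlscacerts entry of the OrdererMSP` next to `ORDERER_GENERAL_TLS_ROOTCAS`. The identical hunks for orderer2 (L59) and orderer3 (L61) share the point.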
@@ -3,6 +3,27 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 #
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: org0-orderer2-tls-cert
+ namespace: test-network
+spec:
+ isCA: false
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ dnsNames:
+ - localhost
+ - org0-orderer2
+ - org0-orderer2.test-network.svc.cluster.local
+ ipAddresses:
+ - 127.0.0.1
+ secretName: org0-orderer2-tls-cert
+ issuerRef:
+ name: org0-tls-cert-issuer
+
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -16,9 +37,9 @@ data:
 ORDERER_GENERAL_LOCALMSPID: OrdererMSP
 ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp
 ORDERER_GENERAL_TLS_ENABLED: "true"
- ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/signcerts/cert.pem
- ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/cacerts/org0-tls-ca.pem
- ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/server.key
+ ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt
+ ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt
+ ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key
 ORDERER_GENERAL_BOOTSTRAPMETHOD: none
 ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer2
 ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer2/etcdraft/wal
@@ -57,6 +78,9 @@ spec:
 mountPath: /var/hyperledger
 - name: fabric-config
 mountPath: /var/hyperledger/fabric/config
+ - name: tls-cert-volume
+ mountPath: /var/hyperledger/fabric/config/tls
+ readOnly: true
 volumes:
 - name: fabric-volume
 persistentVolumeClaim:
@@ -64,7 +88,9 @@ spec: - name: fabric-config configMap: name: org0-config - + - name: tls-cert-volume + secret: + secretName: org0-orderer2-tls-cert --- apiVersion: v1 kind: Service diff --git a/test-network-k8s/kube/org0/org0-orderer3.yaml b/test-network-k8s/kube/org0/org0-orderer3.yaml index cbca3739..40841146 100644 --- a/test-network-k8s/kube/org0/org0-orderer3.yaml +++ b/test-network-k8s/kube/org0/org0-orderer3.yaml @@ -3,6 +3,27 @@ # # SPDX-License-Identifier: Apache-2.0 # +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org0-orderer3-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org0-orderer3 + - org0-orderer3.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org0-orderer3-tls-cert + issuerRef: + name: org0-tls-cert-issuer + --- apiVersion: v1 kind: ConfigMap 
@@ -16,9 +37,9 @@ data: ORDERER_GENERAL_LOCALMSPID: OrdererMSP ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp ORDERER_GENERAL_TLS_ENABLED: "true" - ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/signcerts/cert.pem - ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/cacerts/org0-tls-ca.pem - ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/server.key + ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt + ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt + ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key ORDERER_GENERAL_BOOTSTRAPMETHOD: none ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer3 ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer3/etcdraft/wal @@ -57,6 +78,9 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric/config + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric/config/tls + readOnly: true volumes: - name: fabric-volume persistentVolumeClaim: @@ -64,7 +88,9 @@ spec: - name: fabric-config configMap: name: org0-config - + - name: tls-cert-volume + secret: + secretName: org0-orderer3-tls-cert --- apiVersion: v1 kind: Service diff --git a/test-network-k8s/kube/org0/org0-tls-ca.yaml b/test-network-k8s/kube/org0/org0-tls-ca.yaml deleted file mode 100644 index 0ae21a25..00000000 --- a/test-network-k8s/kube/org0/org0-tls-ca.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org0-tls-ca -spec: - replicas: 1 - selector: - matchLabels: - app: org0-tls-ca - template: - metadata: - labels: - app: org0-tls-ca - spec: - containers: - - name: main - image: {{FABRIC_CONTAINER_REGISTRY}}/fabric-ca:{{FABRIC_CA_VERSION}} - imagePullPolicy: IfNotPresent - env: - - name: FABRIC_CA_SERVER_CA_NAME - value: "org0-tls-ca" - - name: FABRIC_CA_SERVER_DEBUG - value: "false" - - name: FABRIC_CA_SERVER_HOME - value: "/var/hyperledger/fabric-tls-ca-server" - - name: FABRIC_CA_CLIENT_HOME - value: "/var/hyperledger/fabric-ca-client" - ports: - - containerPort: 443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric-tls-ca-server/fabric-ca-server-config.yaml - subPath: fabric-tls-ca-server-config.yaml - readinessProbe: - tcpSocket: - port: 443 - initialDelaySeconds: 2 - periodSeconds: 5 - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org0 - - name: fabric-config - configMap: - name: org0-config - ---- -apiVersion: v1 -kind: Service -metadata: - name: org0-tls-ca -spec: - ports: - - name: tls - port: 443 - protocol: TCP - selector: - app: org0-tls-ca \ No newline at end of file diff --git a/test-network-k8s/kube/org0/org0-tls-cert-issuer.yaml b/test-network-k8s/kube/org0/org0-tls-cert-issuer.yaml new file mode 100644 index 00000000..0745afc8 --- /dev/null +++ b/test-network-k8s/kube/org0/org0-tls-cert-issuer.yaml 
@@ -0,0 +1,34 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org0-tls-cert-issuer +spec: + isCA: true + privateKey: + algorithm: ECDSA + size: 256 + commonName: org0.example.com + secretName: org0-tls-cert-issuer-secret + issuerRef: + name: root-tls-cert-issuer + kind: Issuer + group: cert-manager.io + +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: org0-tls-cert-issuer +spec: + ca: + secretName: org0-tls-cert-issuer-secret + + + + diff --git a/test-network-k8s/kube/org1/org1-ecert-ca.yaml b/test-network-k8s/kube/org1/org1-ca.yaml similarity index 64% rename from test-network-k8s/kube/org1/org1-ecert-ca.yaml rename to test-network-k8s/kube/org1/org1-ca.yaml index c4a9f4e6..e3985ecd 100644 --- a/test-network-k8s/kube/org1/org1-ecert-ca.yaml +++ b/test-network-k8s/kube/org1/org1-ca.yaml @@ -3,20 +3,40 @@ # # SPDX-License-Identifier: Apache-2.0 # +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org1-ca-tls-cert +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org1-ca + - org1-ca.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org1-ca-tls-cert + issuerRef: + name: org1-tls-cert-issuer + --- apiVersion: apps/v1 kind: Deployment metadata: - name: org1-ecert-ca + name: org1-ca spec: replicas: 1 selector: matchLabels: - app: org1-ecert-ca + app: org1-ca template: metadata: labels: - app: org1-ecert-ca + app: org1-ca spec: containers: - name: main 
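Review bot: The CA `Certificate` `org0-tls-cert-issuer` sets no `duration:` or `renewBefore:`, so cert-manager applies its defaults (90-day lifetime, renewal 30 days before expiry) to what is effectively the org's TLS trust root; after a renewal the certificate in `org0-tls-cert-issuer-secret` changes, and any copy distributed out of band (the channel MSP `tlscacerts` built in channel.sh) no longer matches what the Issuer hands out afterwards. Add an explicit long `duration:` and a `renewBefore:` to the CA Certificate here and in org1-tls-cert-issuer.yaml and org2-tls-cert-issuer.yaml, and note in a comment that rotating it requires a channel config update. The Certificate and the Issuer share the name `org0-tls-cert-issuer`; a distinct name for the Certificate would make `kubectl get certificate,issuer` output less confusing. The file also ends with several stray blank lines.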
@@ -24,15 +44,15 @@ spec: imagePullPolicy: IfNotPresent env: - name: FABRIC_CA_SERVER_CA_NAME - value: "org1-ecert-ca" + value: "org1-ca" - name: FABRIC_CA_SERVER_DEBUG value: "false" - name: FABRIC_CA_SERVER_HOME value: "/var/hyperledger/fabric-ca-server" - name: FABRIC_CA_SERVER_TLS_CERTFILE - value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/signcerts/cert.pem" + value: "/var/hyperledger/fabric/config/tls/tls.crt" - name: FABRIC_CA_SERVER_TLS_KEYFILE - value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/keystore/key.pem" + value: "/var/hyperledger/fabric/config/tls/tls.key" - name: FABRIC_CA_CLIENT_HOME value: "/var/hyperledger/fabric-ca-client" ports: @@ -42,7 +62,10 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml - subPath: fabric-ecert-ca-server-config.yaml + subPath: fabric-ca-server-config.yaml + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric/config/tls + readOnly: true readinessProbe: tcpSocket: port: 443 @@ -55,16 +78,18 @@ spec: - name: fabric-config configMap: name: org1-config - + - name: tls-cert-volume + secret: + secretName: org1-ca-tls-cert --- apiVersion: v1 kind: Service metadata: - name: org1-ecert-ca + name: org1-ca spec: ports: - name: tls port: 443 protocol: TCP selector: - app: org1-ecert-ca \ No newline at end of file + app: org1-ca \ No newline at end of file diff --git a/test-network-k8s/kube/org1/org1-peer1.yaml b/test-network-k8s/kube/org1/org1-peer1.yaml index 0b6376db..56fa928d 100644 --- a/test-network-k8s/kube/org1/org1-peer1.yaml +++ b/test-network-k8s/kube/org1/org1-peer1.yaml 
@@ -3,6 +3,27 @@ # # SPDX-License-Identifier: Apache-2.0 # +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org1-peer1-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org1-peer1 + - org1-peer1.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org1-peer1-tls-cert + issuerRef: + name: org1-tls-cert-issuer + --- apiVersion: v1 kind: ConfigMap @@ -12,9 +33,9 @@ data: FABRIC_CFG_PATH: /var/hyperledger/fabric/config FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" CORE_PEER_TLS_ENABLED: "true" - CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/signcerts/cert.pem - CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/keystore/server.key - CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/cacerts/org1-tls-ca.pem + CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/config/tls/tls.crt + CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/config/tls/tls.key + CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/config/tls/ca.crt CORE_PEER_ID: org1-peer1.org1.example.com CORE_PEER_ADDRESS: org1-peer1:7051 CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 @@ -29,6 +50,7 @@ data: CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org1-peer1.org1.example.com CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org1-peer1.org1.example.com/snapshots CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG: "{\"peername\":\"org1peer1\"}" + --- apiVersion: apps/v1 kind: Deployment 
@@ -61,6 +83,9 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric/config + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric/config/tls + readOnly: true volumes: - name: fabric-volume persistentVolumeClaim: @@ -68,7 +93,9 @@ spec: - name: fabric-config configMap: name: org1-config - + - name: tls-cert-volume + secret: + secretName: org1-peer1-tls-cert --- apiVersion: v1 kind: Service diff --git a/test-network-k8s/kube/org1/org1-peer2.yaml b/test-network-k8s/kube/org1/org1-peer2.yaml index a4073385..770e5b08 100644 --- a/test-network-k8s/kube/org1/org1-peer2.yaml +++ b/test-network-k8s/kube/org1/org1-peer2.yaml @@ -3,6 +3,28 @@ # # SPDX-License-Identifier: Apache-2.0 # +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org1-peer2-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org1-peer2 + - org1-peer2.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org1-peer2-tls-cert + issuerRef: + name: org1-tls-cert-issuer + + --- apiVersion: v1 kind: ConfigMap 
@@ -12,9 +34,9 @@ data: FABRIC_CFG_PATH: /var/hyperledger/fabric/config FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" CORE_PEER_TLS_ENABLED: "true" - CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/signcerts/cert.pem - CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/keystore/server.key - CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/cacerts/org1-tls-ca.pem + CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/config/tls/tls.crt + CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/config/tls/tls.key + CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/config/tls/ca.crt CORE_PEER_ID: org1-peer2.org1.example.com CORE_PEER_ADDRESS: org1-peer2:7051 CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 @@ -61,7 +83,9 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric/config - + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric/config/tls + readOnly: true volumes: - name: fabric-volume persistentVolumeClaim: @@ -69,7 +93,9 @@ spec: - name: fabric-config configMap: name: org1-config - + - name: tls-cert-volume + secret: + secretName: org1-peer2-tls-cert --- apiVersion: v1 kind: Service diff --git a/test-network-k8s/kube/org1/org1-tls-ca.yaml b/test-network-k8s/kube/org1/org1-tls-ca.yaml deleted file mode 100644 index a16da691..00000000 --- a/test-network-k8s/kube/org1/org1-tls-ca.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org1-tls-ca -spec: - replicas: 1 - selector: - matchLabels: - app: org1-tls-ca - template: - metadata: - labels: - app: org1-tls-ca - spec: - containers: - - name: main - image: {{FABRIC_CONTAINER_REGISTRY}}/fabric-ca:{{FABRIC_CA_VERSION}} - imagePullPolicy: IfNotPresent - env: - - name: FABRIC_CA_SERVER_CA_NAME - value: "org1-tls-ca" - - name: FABRIC_CA_SERVER_DEBUG - value: "false" - - name: FABRIC_CA_SERVER_HOME - value: "/var/hyperledger/fabric-tls-ca-server" - - name: FABRIC_CA_CLIENT_HOME - value: "/var/hyperledger/fabric-ca-client" - ports: - - containerPort: 443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric-tls-ca-server/fabric-ca-server-config.yaml - subPath: fabric-tls-ca-server-config.yaml - readinessProbe: - tcpSocket: - port: 443 - initialDelaySeconds: 2 - periodSeconds: 5 - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org1 - - name: fabric-config - configMap: - name: org1-config - ---- -apiVersion: v1 -kind: Service -metadata: - name: org1-tls-ca -spec: - ports: - - name: tls - port: 443 - protocol: TCP - selector: - app: org1-tls-ca \ No newline at end of file diff --git a/test-network-k8s/kube/org1/org1-tls-cert-issuer.yaml b/test-network-k8s/kube/org1/org1-tls-cert-issuer.yaml new file mode 100644 index 00000000..863ec0df --- /dev/null +++ b/test-network-k8s/kube/org1/org1-tls-cert-issuer.yaml 
@@ -0,0 +1,32 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org1-tls-cert-issuer +spec: + isCA: true + privateKey: + algorithm: ECDSA + size: 256 + commonName: org1.example.com + secretName: org1-tls-cert-issuer-secret + issuerRef: + name: root-tls-cert-issuer + kind: Issuer + group: cert-manager.io + +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: org1-tls-cert-issuer +spec: + ca: + secretName: org1-tls-cert-issuer-secret + + diff --git a/test-network-k8s/kube/org2/org2-ecert-ca.yaml b/test-network-k8s/kube/org2/org2-ca.yaml similarity index 64% rename from test-network-k8s/kube/org2/org2-ecert-ca.yaml rename to test-network-k8s/kube/org2/org2-ca.yaml index 216b53be..ef8c030f 100644 --- a/test-network-k8s/kube/org2/org2-ecert-ca.yaml +++ b/test-network-k8s/kube/org2/org2-ca.yaml @@ -3,20 +3,40 @@ # # SPDX-License-Identifier: Apache-2.0 # +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org2-ca-tls-cert +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org2-ca + - org2-ca.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org2-ca-tls-cert + issuerRef: + name: org2-tls-cert-issuer + --- apiVersion: apps/v1 kind: Deployment metadata: - name: org2-ecert-ca + name: org2-ca spec: replicas: 1 selector: matchLabels: - app: org2-ecert-ca + app: org2-ca template: metadata: labels: - app: org2-ecert-ca + app: org2-ca spec: containers: - name: main 
@@ -24,15 +44,15 @@ spec: imagePullPolicy: IfNotPresent env: - name: FABRIC_CA_SERVER_CA_NAME - value: "org2-ecert-ca" + value: "org2-ca" - name: FABRIC_CA_SERVER_DEBUG value: "false" - name: FABRIC_CA_SERVER_HOME value: "/var/hyperledger/fabric-ca-server" - name: FABRIC_CA_SERVER_TLS_CERTFILE - value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/signcerts/cert.pem" + value: "/var/hyperledger/fabric/config/tls/tls.crt" - name: FABRIC_CA_SERVER_TLS_KEYFILE - value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/keystore/key.pem" + value: "/var/hyperledger/fabric/config/tls/tls.key" - name: FABRIC_CA_CLIENT_HOME value: "/var/hyperledger/fabric-ca-client" ports: @@ -42,7 +62,10 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml - subPath: fabric-ecert-ca-server-config.yaml + subPath: fabric-ca-server-config.yaml + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric/config/tls + readOnly: true readinessProbe: tcpSocket: port: 443 @@ -55,16 +78,18 @@ spec: - name: fabric-config configMap: name: org2-config - + - name: tls-cert-volume + secret: + secretName: org2-ca-tls-cert --- apiVersion: v1 kind: Service metadata: - name: org2-ecert-ca + name: org2-ca spec: ports: - name: tls port: 443 protocol: TCP selector: - app: org2-ecert-ca \ No newline at end of file + app: org2-ca \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-peer1.yaml b/test-network-k8s/kube/org2/org2-peer1.yaml index 112b98f1..98b4808c 100644 --- a/test-network-k8s/kube/org2/org2-peer1.yaml +++ b/test-network-k8s/kube/org2/org2-peer1.yaml 
@@ -3,6 +3,27 @@ # # SPDX-License-Identifier: Apache-2.0 # +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org2-peer1-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org2-peer1 + - org2-peer1.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org2-peer1-tls-cert + issuerRef: + name: org2-tls-cert-issuer + --- apiVersion: v1 kind: ConfigMap @@ -12,9 +33,9 @@ data: FABRIC_CFG_PATH: /var/hyperledger/fabric/config FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" CORE_PEER_TLS_ENABLED: "true" - CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/signcerts/cert.pem - CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/keystore/server.key - CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/cacerts/org2-tls-ca.pem + CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/config/tls/tls.crt + CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/config/tls/tls.key + CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/config/tls/ca.crt CORE_PEER_ID: org2-peer1.org2.example.com CORE_PEER_ADDRESS: org2-peer1:7051 CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 @@ -61,6 +82,9 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric/config + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric/config/tls + readOnly: true volumes: - name: fabric-volume persistentVolumeClaim: @@ -68,7 +92,9 @@ spec: - name: fabric-config configMap: name: org2-config - + - name: tls-cert-volume + secret: + secretName: org2-peer1-tls-cert --- apiVersion: v1 kind: Service 
diff --git a/test-network-k8s/kube/org2/org2-peer2.yaml b/test-network-k8s/kube/org2/org2-peer2.yaml index 2cd30175..fbe41020 100644 --- a/test-network-k8s/kube/org2/org2-peer2.yaml +++ b/test-network-k8s/kube/org2/org2-peer2.yaml @@ -3,6 +3,27 @@ # # SPDX-License-Identifier: Apache-2.0 # +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org2-peer2-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org2-peer2 + - org2-peer2.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org2-peer2-tls-cert + issuerRef: + name: org2-tls-cert-issuer + --- apiVersion: v1 kind: ConfigMap @@ -12,9 +33,9 @@ data: FABRIC_CFG_PATH: /var/hyperledger/fabric/config FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" CORE_PEER_TLS_ENABLED: "true" - CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/signcerts/cert.pem - CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/keystore/server.key - CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/cacerts/org2-tls-ca.pem + CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/config/tls/tls.crt + CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/config/tls/tls.key + CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/config/tls/ca.crt CORE_PEER_ID: org2-peer2.org2.example.com CORE_PEER_ADDRESS: org2-peer2:7051 CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 @@ -61,7 +82,9 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric/config - + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric/config/tls + readOnly: true volumes: - name: fabric-volume persistentVolumeClaim: 
@@ -69,7 +92,9 @@ spec: - name: fabric-config configMap: name: org2-config - + - name: tls-cert-volume + secret: + secretName: org2-peer2-tls-cert --- apiVersion: v1 kind: Service diff --git a/test-network-k8s/kube/org2/org2-tls-ca.yaml b/test-network-k8s/kube/org2/org2-tls-ca.yaml deleted file mode 100644 index 53ec23db..00000000 --- a/test-network-k8s/kube/org2/org2-tls-ca.yaml +++ /dev/null @@ -1,66 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org2-tls-ca -spec: - replicas: 1 - selector: - matchLabels: - app: org2-tls-ca - template: - metadata: - labels: - app: org2-tls-ca - spec: - containers: - - name: main - image: {{FABRIC_CONTAINER_REGISTRY}}/fabric-ca:{{FABRIC_CA_VERSION}} - imagePullPolicy: IfNotPresent - env: - - name: FABRIC_CA_SERVER_CA_NAME - value: "org2-tls-ca" - - name: FABRIC_CA_SERVER_DEBUG - value: "false" - - name: FABRIC_CA_SERVER_HOME - value: "/var/hyperledger/fabric-tls-ca-server" - - name: FABRIC_CA_CLIENT_HOME - value: "/var/hyperledger/fabric-ca-client" - ports: - - containerPort: 443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric-tls-ca-server/fabric-ca-server-config.yaml - subPath: fabric-tls-ca-server-config.yaml - readinessProbe: - tcpSocket: - port: 443 - initialDelaySeconds: 2 - periodSeconds: 5 - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org2 - - name: fabric-config - configMap: - name: org2-config - ---- -apiVersion: v1 -kind: Service -metadata: - name: org2-tls-ca -spec: - ports: - - name: tls - port: 443 - protocol: TCP - selector: - app: org2-tls-ca \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-tls-cert-issuer.yaml b/test-network-k8s/kube/org2/org2-tls-cert-issuer.yaml new file mode 100644 index 00000000..86e45de1 --- /dev/null 
+++ b/test-network-k8s/kube/org2/org2-tls-cert-issuer.yaml @@ -0,0 +1,32 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org2-tls-cert-issuer +spec: + isCA: true + privateKey: + algorithm: ECDSA + size: 256 + commonName: org2.example.com + secretName: org2-tls-cert-issuer-secret + issuerRef: + name: root-tls-cert-issuer + kind: Issuer + group: cert-manager.io + +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: org2-tls-cert-issuer +spec: + ca: + secretName: org2-tls-cert-issuer-secret + + diff --git a/test-network-k8s/kube/root-tls-cert-issuer.yaml b/test-network-k8s/kube/root-tls-cert-issuer.yaml new file mode 100644 index 00000000..21f94775 --- /dev/null +++ b/test-network-k8s/kube/root-tls-cert-issuer.yaml @@ -0,0 +1,12 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: root-tls-cert-issuer +spec: + selfSigned: {} diff --git a/test-network-k8s/network b/test-network-k8s/network index 05a9e0ac..e1a98bb5 100755 --- a/test-network-k8s/network +++ b/test-network-k8s/network @@ -20,6 +20,7 @@ set -o errexit # todo: track down a nasty bug whereby the CA service endpoints (kube services) will occasionally reject TCP connections after network down/up. This is patched by introducing a 10s sleep after the deployments are up... # todo: refactor query/invoke to specify chaincode name (-n param) +CONTAINER_CLI=${CONTAINER_CLI:-docker} FABRIC_VERSION=${TEST_NETWORK_FABRIC_VERSION:-2.4.1} FABRIC_CA_VERSION=${TEST_NETWORK_FABRIC_CA_VERSION:-1.5.2} FABRIC_CONTAINER_REGISTRY=${TEST_NETWORK_FABRIC_CONTAINER_REGISTRY:-hyperledger} diff --git a/test-network-k8s/scripts/application_connection.sh b/test-network-k8s/scripts/application_connection.sh index 25d451a6..9f053ac0 100755 
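Review bot: `CONTAINER_CLI=${CONTAINER_CLI:-docker}` reads a raw environment name whereas the neighbouring settings (`FABRIC_VERSION`, `FABRIC_CA_VERSION`, `FABRIC_CONTAINER_REGISTRY`) are all driven by `TEST_NETWORK_*`-prefixed variables; `CONTAINER_CLI=${TEST_NETWORK_CONTAINER_CLI:-docker}` would keep the override convention in one namespace and avoid silently picking up an unrelated `CONTAINER_CLI` from the user's shell. Since the value is later executed as a command (prereqs.sh), a one-line comment above it naming the supported values would help the next reader.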
--- a/test-network-k8s/scripts/application_connection.sh +++ b/test-network-k8s/scripts/application_connection.sh @@ -8,11 +8,11 @@ function app_extract_MSP_archives() { mkdir -p build/msp set -ex - kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp | tar zxf - -C build/msp - kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org1-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org2-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp | tar zxf - -C build/msp - kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp | tar zxf - -C build/msp - kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org1-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org2-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp | tar zxf - -C build/msp } function app_one_line_pem { 
@@ -49,12 +49,12 @@ function construct_application_configmap() { mkdir -p build/application/gateways local peer_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/org1-tls-ca.pem - local ca_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/cacerts/org1-ecert-ca.pem + local ca_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/cacerts/org1-ca.pem echo "$(json_ccp 1 $peer_pem $ca_pem)" > build/application/gateways/org1_ccp.json peer_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/tlscacerts/org2-tls-ca.pem - ca_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/cacerts/org2-ecert-ca.pem + ca_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/cacerts/org2-ca.pem echo "$(json_ccp 2 $peer_pem $ca_pem)" > build/application/gateways/org2_ccp.json diff --git a/test-network-k8s/scripts/channel.sh b/test-network-k8s/scripts/channel.sh index 5aa3158f..e9eb18d2 100755 --- a/test-network-k8s/scripts/channel.sh +++ b/test-network-k8s/scripts/channel.sh @@ -8,7 +8,7 @@ function create_channel_org_MSP() { local org=$1 local org_type=$2 - local ecert_ca=${org}-ecert-ca + local ecert_ca=${org}-ca echo 'set -x @@ -16,12 +16,12 @@ function create_channel_org_MSP() { cp \ $FABRIC_CA_CLIENT_HOME/'${ecert_ca}'/rcaadmin/msp/cacerts/'${ecert_ca}'.pem \ /var/hyperledger/fabric/organizations/'${org_type}'Organizations/'${org}'.example.com/msp/cacerts - + mkdir -p /var/hyperledger/fabric/organizations/'${org_type}'Organizations/'${org}'.example.com/msp/tlscacerts cp \ - $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp/cacerts/'${org}'-tls-ca.pem \ - /var/hyperledger/fabric/organizations/'${org_type}'Organizations/'${org}'.example.com/msp/tlscacerts - + /var/hyperledger/fabric/config/tls/ca.crt \ + /var/hyperledger/fabric/organizations/'${org_type}'Organizations/'${org}'.example.com/msp/tlscacerts/'${org}'-tls-ca.pem + echo "NodeOUs: Enable: true ClientOUIdentifier: 
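Review bot: The new `cp /var/hyperledger/fabric/config/tls/ca.crt ... tlscacerts/${org}-tls-ca.pem` in `create_channel_org_MSP` copies a point-in-time snapshot of the cert-manager-issued CA certificate into the channel MSP; if cert-manager later renews that CA, the channel's trust anchor silently diverges from the certificates new nodes receive, and nothing in the script detects it. A comment at the `cp` stating this dependency (and that a CA renewal needs a channel config update) would help whoever next debugs TLS handshake failures. Note also that `ca.crt` in a cert-manager-issued Secret is the issuing CA's certificate only, not a chain; that is fine while each org issuer is a self-signed CA, but would break if an intermediate were ever introduced. `create_channel_org_MSP` starts and ends outside the hunk.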
@@ -56,9 +56,9 @@ function aggregate_channel_MSP() { rm -rf ./build/msp/ mkdir -p ./build/msp - kubectl -n $NS exec deploy/org0-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/ordererOrganizations/org0.example.com/msp > build/msp/msp-org0.example.com.tgz - kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp > build/msp/msp-org1.example.com.tgz - kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp > build/msp/msp-org2.example.com.tgz + kubectl -n $NS exec deploy/org0-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/ordererOrganizations/org0.example.com/msp > build/msp/msp-org0.example.com.tgz + kubectl -n $NS exec deploy/org1-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp > build/msp/msp-org1.example.com.tgz + kubectl -n $NS exec deploy/org2-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp > build/msp/msp-org2.example.com.tgz kubectl -n $NS delete configmap msp-config || true kubectl -n $NS create configmap msp-config --from-file=build/msp/ diff --git a/test-network-k8s/scripts/fabric_CAs.sh b/test-network-k8s/scripts/fabric_CAs.sh index a0ee760f..a9824971 100755 --- a/test-network-k8s/scripts/fabric_CAs.sh +++ b/test-network-k8s/scripts/fabric_CAs.sh 
@@ -13,108 +13,40 @@ function launch_CA() { | kubectl -n $NS apply -f - } -function launch_TLS_CAs() { - push_fn "Launching TLS CAs" - - launch_CA kube/org0/org0-tls-ca.yaml - launch_CA kube/org1/org1-tls-ca.yaml - launch_CA kube/org2/org2-tls-ca.yaml - - kubectl -n $NS rollout status deploy/org0-tls-ca - kubectl -n $NS rollout status deploy/org1-tls-ca - kubectl -n $NS rollout status deploy/org2-tls-ca - - # todo: this papers over a nasty bug whereby the CAs are ready, but sporadically refuse connections after a down / up - sleep 10 - - pop_fn -} - function launch_ECert_CAs() { - push_fn "Launching ECert CAs" + push_fn "Launching Fabric CAs" - launch_CA kube/org0/org0-ecert-ca.yaml - launch_CA kube/org1/org1-ecert-ca.yaml - launch_CA kube/org2/org2-ecert-ca.yaml + launch_CA kube/org0/org0-ca.yaml + launch_CA kube/org1/org1-ca.yaml + launch_CA kube/org2/org2-ca.yaml - kubectl -n $NS rollout status deploy/org0-ecert-ca - kubectl -n $NS rollout status deploy/org1-ecert-ca - kubectl -n $NS rollout status deploy/org2-ecert-ca + kubectl -n $NS rollout status deploy/org0-ca + kubectl -n $NS rollout status deploy/org1-ca + kubectl -n $NS rollout status deploy/org2-ca # todo: this papers over a nasty bug whereby the CAs are ready, but sporadically refuse connections after a down / up - sleep 10 + # sleep 10 pop_fn } -# Enroll bootstrap user with TLS CA -# https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-bootstrap-user-with-tls-ca -function enroll_bootstrap_TLS_CA_user() { - local org=$1 - local auth=$2 - local tlsca=${org}-tls-ca +# experimental: create TLS CA issuers using cert-manager for each org. +function init_tls_cert_issuers() { + push_fn "Initializing TLS certificate Issuers" - # todo: get rid of export here - put in yaml + # Create a self-signing certificate issuer / root TLS certificate for the blockchain. 
+ # TODO : Bring-Your-Own-Key - allow the network bootstrap to read an optional ECDSA key pair for the TLS trust root CA. + kubectl -n $NS apply -f kube/root-tls-cert-issuer.yaml + kubectl -n $NS wait --timeout=30s --for=condition=Ready issuer/root-tls-cert-issuer - echo 'set -x + # Use the self-signing issuer to generate three Issuers, one for each org. + kubectl -n $NS apply -f kube/org0/org0-tls-cert-issuer.yaml + kubectl -n $NS apply -f kube/org1/org1-tls-cert-issuer.yaml + kubectl -n $NS apply -f kube/org2/org2-tls-cert-issuer.yaml - mkdir -p $FABRIC_CA_CLIENT_HOME/tls-root-cert - cp $FABRIC_CA_SERVER_HOME/ca-cert.pem $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem - - fabric-ca-client enroll \ - --url https://'$auth'@'${tlsca}' \ - --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ - --csr.hosts '${tlsca}' \ - --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp - - ' | exec kubectl -n $NS exec deploy/${tlsca} -i -- /bin/sh -} - -function enroll_bootstrap_TLS_CA_users() { - push_fn "Enrolling bootstrap TLS CA users" - - enroll_bootstrap_TLS_CA_user org0 $TLSADMIN_AUTH - enroll_bootstrap_TLS_CA_user org1 $TLSADMIN_AUTH - enroll_bootstrap_TLS_CA_user org2 $TLSADMIN_AUTH - - pop_fn -} - -function register_enroll_ECert_CA_bootstrap_user() { - local org=$1 - local tlsauth=$2 - local tlsca=${org}-tls-ca - local ecertca=${org}-ecert-ca - - echo 'set -x - - fabric-ca-client register \ - --id.name rcaadmin \ - --id.secret rcaadminpw \ - --url https://'${tlsca}' \ - --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ - --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp - - fabric-ca-client enroll \ - --url https://'${tlsauth}'@'${tlsca}' \ - --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ - --csr.hosts '${ecertca}' \ - --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/rcaadmin/msp - - # Important: the rcaadmin signing certificate is referenced by the ECert CA FABRIC_CA_SERVER_TLS_CERTFILE config attribute. 
- # For simplicity, reference the key at a fixed, known location - cp $FABRIC_CA_CLIENT_HOME/tls-ca/rcaadmin/msp/keystore/*_sk $FABRIC_CA_CLIENT_HOME/tls-ca/rcaadmin/msp/keystore/key.pem - - ' | exec kubectl -n $NS exec deploy/${tlsca} -i -- /bin/sh -} - -# https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#register-and-enroll-the-organization-ca-bootstrap-identity-with-the-tls-ca -function register_enroll_ECert_CA_bootstrap_users() { - push_fn "Registering and enrolling ECert CA bootstrap users" - - register_enroll_ECert_CA_bootstrap_user org0 $TLSADMIN_AUTH - register_enroll_ECert_CA_bootstrap_user org1 $TLSADMIN_AUTH - register_enroll_ECert_CA_bootstrap_user org2 $TLSADMIN_AUTH + kubectl -n $NS wait --timeout=30s --for=condition=Ready issuer/org0-tls-cert-issuer + kubectl -n $NS wait --timeout=30s --for=condition=Ready issuer/org1-tls-cert-issuer + kubectl -n $NS wait --timeout=30s --for=condition=Ready issuer/org2-tls-cert-issuer pop_fn } @@ -122,13 +54,13 @@ function register_enroll_ECert_CA_bootstrap_users() { function enroll_bootstrap_ECert_CA_user() { local org=$1 local auth=$2 - local ecert_ca=${org}-ecert-ca + local ecert_ca=${org}-ca echo 'set -x fabric-ca-client enroll \ --url https://'${auth}'@'${ecert_ca}' \ - --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ + --tls.certfiles /var/hyperledger/fabric/config/tls/ca.crt \ --mspdir $FABRIC_CA_CLIENT_HOME/'${ecert_ca}'/rcaadmin/msp ' | exec kubectl -n $NS exec deploy/${ecert_ca} -i -- /bin/sh diff --git a/test-network-k8s/scripts/kind.sh b/test-network-k8s/scripts/kind.sh index 6d64d7d9..de0ae3e2 100755 --- a/test-network-k8s/scripts/kind.sh +++ b/test-network-k8s/scripts/kind.sh 
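Review bot: The comment `# Create a self-signing certificate issuer / root TLS certificate for the blockchain.` in `init_tls_cert_issuers` overstates what root-tls-cert-issuer.yaml does: a `selfSigned` Issuer holds no key and signs each requesting Certificate with that Certificate's own key, so every `orgN-tls-cert-issuer` CA certificate is an independent self-signed root and there is no network-wide trust anchor. Reword it to `# Create a SelfSigned issuer; each org CA certificate below is self-signed with its own key (no shared root).` so the following bring-your-own-key TODO is not read as swapping a single root. In `launch_ECert_CAs` the `sleep 10` is now `# sleep 10` while the todo that explains it is kept; either delete both lines or leave the workaround active, since a commented-out fix under a live explanation is misleading.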
@@ -41,6 +41,19 @@ function apply_nginx_ingress() { pop_fn } +function install_cert_manager() { + push_fn "Installing cert-manager" + + # Install cert-manager to manage TLS certificates + kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml + + kubectl -n cert-manager rollout status deploy/cert-manager + kubectl -n cert-manager rollout status deploy/cert-manager-cainjector + kubectl -n cert-manager rollout status deploy/cert-manager-webhook + + pop_fn +} + function kind_create() { push_fn "Creating cluster \"${CLUSTER_NAME}\"" @@ -137,6 +150,7 @@ function kind_init() { kind_create apply_nginx_ingress + install_cert_manager launch_docker_registry if [ "${STAGE_DOCKER_IMAGES}" == true ]; then diff --git a/test-network-k8s/scripts/prereqs.sh b/test-network-k8s/scripts/prereqs.sh index 0c6ae815..bdef9d91 100755 --- a/test-network-k8s/scripts/prereqs.sh +++ b/test-network-k8s/scripts/prereqs.sh @@ -8,9 +8,9 @@ # Double check that kind, kubectl, docker, and all required images are present. function check_prereqs() { - docker version > /dev/null + ${CONTAINER_CLI} version > /dev/null if [[ $? -ne 0 ]]; then - echo "No 'docker' binary available? (https://www.docker.com)" + echo "No '${CONTAINER_CLI}' binary available?" exit 1 fi diff --git a/test-network-k8s/scripts/rest_sample.sh b/test-network-k8s/scripts/rest_sample.sh index 52b0af8c..9888f589 100755 --- a/test-network-k8s/scripts/rest_sample.sh +++ b/test-network-k8s/scripts/rest_sample.sh 
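Review bot: `install_cert_manager` applies a cluster-scoped manifest (CRDs, a mutating/validating webhook and a controller) fetched straight from a GitHub release URL, with nothing but the tag in the URL standing in for an integrity check; a release asset on a tag can be replaced, so whatever is served at that moment is applied with cluster-admin rights. Download the manifest to a file and verify it against a pinned sha256 before `kubectl apply`, or vendor the manifest under `kube/` and apply the local copy, and move the version out of the URL into a variable next to the other tool versions instead of hard-coding `v1.6.1`. The three `rollout status` calls also have no `--timeout`, so a webhook that never becomes Ready hangs `kind_init` rather than failing it; `--timeout=120s` (or similar) on each turns that into an error. The digest variable below is a placeholder name to be set alongside the version, not a value I can supply from this diff.
```shell
function install_cert_manager() {
  push_fn "Installing cert-manager"

  local version=${CERT_MANAGER_VERSION:-v1.6.1}
  local manifest=build/cert-manager-${version}.yaml

  # Fetch the release manifest once and verify it against the pinned digest
  # before handing a cluster-scoped manifest to kubectl.
  mkdir -p build
  curl -sSL -o "${manifest}" "https://github.com/jetstack/cert-manager/releases/download/${version}/cert-manager.yaml"
  echo "${CERT_MANAGER_SHA256}  ${manifest}" | sha256sum -c - || { echo "cert-manager manifest digest mismatch"; exit 1; }

  kubectl apply -f "${manifest}"

  kubectl -n cert-manager rollout status --timeout=120s deploy/cert-manager
  # … unchanged: cainjector / webhook rollout status, with the same --timeout …

  pop_fn
}
```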
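Review bot: If `CONTAINER_CLI` is unset or empty, the rewritten check executes the bare word `version` and then prints `No '' binary available?`, which hides the real cause (the variable, not a binary, is missing). Fail on the variable first, e.g. `: "${CONTAINER_CLI:?set CONTAINER_CLI to docker or nerdctl}"` before the `version` call, and keep a hint in the message, `echo "No '${CONTAINER_CLI}' binary available? (docker or nerdctl)"`, since the old docker.com pointer was dropped without a replacement. `check_prereqs` continues past the end of this hunk.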
@@ -8,11 +8,11 @@ function extract_MSP_archives() { mkdir -p build/msp - kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp | tar zxf - -C build/msp - kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org1-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org2-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp | tar zxf - -C build/msp - kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp | tar zxf - -C build/msp - kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org1-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org2-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp | tar zxf - -C build/msp } function one_line_pem { 
@@ -37,12 +37,12 @@ function construct_rest_sample_configmap() { mkdir -p build/fabric-rest-sample-config local peer_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/org1-tls-ca.pem - local ca_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/cacerts/org1-ecert-ca.pem + local ca_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/cacerts/org1-ca.pem echo "$(json_ccp 1 $peer_pem $ca_pem)" > build/fabric-rest-sample-config/HLF_CONNECTION_PROFILE_ORG1 peer_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/tlscacerts/org2-tls-ca.pem - ca_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/cacerts/org2-ecert-ca.pem + ca_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/cacerts/org2-ca.pem echo "$(json_ccp 2 $peer_pem $ca_pem)" > build/fabric-rest-sample-config/HLF_CONNECTION_PROFILE_ORG2 diff --git a/test-network-k8s/scripts/test_network.sh b/test-network-k8s/scripts/test_network.sh index e938ba00..ee2faf09 100755 --- a/test-network-k8s/scripts/test_network.sh +++ b/test-network-k8s/scripts/test_network.sh @@ -5,9 +5,6 @@ # SPDX-License-Identifier: Apache-2.0 # -# todo: oof this is rough. - - function launch() { local yaml=$1 cat ${yaml} \ 
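Review bot: The unchanged `peer_pem=build/msp/.../msp/tlscacerts/org1-tls-ca.pem` (and its org2 twin) still names a file after the Fabric TLS CA that this commit deletes, and nothing in this hunk shows what now writes the cert-manager issuer CA to that path; if the file is stale or empty, the connection profile ships the wrong TLS trust anchor and the failure only surfaces when the gateway client tries to verify a peer, not here. Confirm that the org MSP export still populates `tlscacerts/orgN-tls-ca.pem` with the issuer `ca.crt`, or rename the file to match its new origin, and add a comment above these lines such as `# tlscacerts/ holds the cert-manager issuer CA (config/tls/ca.crt), not a Fabric TLS CA.` so the naming does not mislead.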
@@ -49,79 +46,54 @@ function launch_peers() { function create_org0_local_MSP() { echo 'set -x export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client - export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem + export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric/config/tls/ca.crt # Each identity in the network needs a registration and enrollment. - fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp - fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp - fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp - fabric-ca-client register --id.name org0-admin --id.secret org0adminpw --id.type admin --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" + fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp + fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp + fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp + fabric-ca-client register --id.name org0-admin --id.secret org0adminpw --id.type admin --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp --id.attrs 
"hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" - fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-ecert-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp - fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-ecert-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp - fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-ecert-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp - fabric-ca-client enroll --url https://org0-admin:org0adminpw@org0-ecert-ca --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/users/Admin@org0.example.com/msp - - # Each node in the network needs a TLS registration and enrollment. 
- fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
- fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
- fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
-
- fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-tls-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls
- fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-tls-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls
- fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-tls-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls
-
- # Copy the TLS signing keys to a fixed path for convenience when starting the orderers.
- cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/server.key
- cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/server.key
- cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/server.key
+ fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp
+ fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp
+ fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp
+ fabric-ca-client enroll --url https://org0-admin:org0adminpw@org0-ca --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/users/Admin@org0.example.com/msp
# Create an MSP config.yaml (why is this not generated by the enrollment by fabric-ca-client?)
echo "NodeOUs: Enable: true ClientOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp/config.yaml cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp/config.yaml - ' | exec kubectl -n $NS exec deploy/org0-ecert-ca -i -- /bin/sh + ' | exec kubectl -n $NS exec deploy/org0-ca -i -- /bin/sh } function create_org1_local_MSP() { echo 'set -x export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client - export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem + export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric/config/tls/ca.crt # Each identity in the network needs a registration and enrollment. 
- fabric-ca-client register --id.name org1-peer1 --id.secret peerpw --id.type peer --url https://org1-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ecert-ca/rcaadmin/msp
- fabric-ca-client register --id.name org1-peer2 --id.secret peerpw --id.type peer --url https://org1-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ecert-ca/rcaadmin/msp
- fabric-ca-client register --id.name org1-admin --id.secret org1adminpw --id.type admin --url https://org1-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ecert-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
+ fabric-ca-client register --id.name org1-peer1 --id.secret peerpw --id.type peer --url https://org1-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ca/rcaadmin/msp
+ fabric-ca-client register --id.name org1-peer2 --id.secret peerpw --id.type peer --url https://org1-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ca/rcaadmin/msp
+ fabric-ca-client register --id.name org1-admin --id.secret org1adminpw --id.type admin --url https://org1-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
- fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-ecert-ca --csr.hosts org1-peer1,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp
- fabric-ca-client enroll --url https://org1-peer2:peerpw@org1-ecert-ca --csr.hosts org1-peer2,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/msp
- fabric-ca-client enroll --url https://org1-admin:org1adminpw@org1-ecert-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
-
- # Each node in the network needs a TLS registration and
enrollment.
- fabric-ca-client register --id.name org1-peer1 --id.secret peerpw --id.type peer --url https://org1-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
- fabric-ca-client register --id.name org1-peer2 --id.secret peerpw --id.type peer --url https://org1-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
-
- fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-tls-ca --csr.hosts org1-peer1 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls
- fabric-ca-client enroll --url https://org1-peer2:peerpw@org1-tls-ca --csr.hosts org1-peer2 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls
-
- # Copy the TLS signing keys to a fixed path for convenience when launching the peers
- cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/keystore/server.key
- cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/keystore/server.key
+ fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-ca --csr.hosts org1-peer1,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp
+ fabric-ca-client enroll --url https://org1-peer2:peerpw@org1-ca --csr.hosts org1-peer2,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/msp
+ fabric-ca-client enroll --url https://org1-admin:org1adminpw@org1-ca --mspdir
/var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/server.key 
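Review bot: The rewritten enroll lines still carry the enrollment secret inside the URL (`https://org0-orderer1:ordererpw@org0-ca`, `https://org0-admin:org0adminpw@org0-ca`, and the org1 equivalents) while the piped script runs under the `set -x` at the top of each function, so every secret is echoed in the `kubectl exec` trace and in any CI log that captures it. Even for a sample network, bracket the register/enroll block with `set +x` … `set -x`, or drop the trace, so credentials are not printed. The `--csr.hosts org0-orderer1` / `--csr.hosts org1-peer1,org1-peer-gateway-svc` arguments on the identity (ecert) enrollments look vestigial now that TLS certificates come from cert-manager; if they are kept on purpose, a short comment saying why would stop readers assuming they still drive TLS. `create_org1_local_MSP` starts in this hunk and continues past its end.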
@@ -129,49 +101,38 @@ function create_org1_local_MSP() { echo "NodeOUs: Enable: true ClientOUIdentifier: - Certificate: cacerts/org1-ecert-ca.pem + Certificate: cacerts/org1-ca.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: - Certificate: cacerts/org1-ecert-ca.pem + Certificate: cacerts/org1-ca.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: - Certificate: cacerts/org1-ecert-ca.pem + Certificate: cacerts/org1-ca.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: - Certificate: cacerts/org1-ecert-ca.pem + Certificate: cacerts/org1-ca.pem OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp/config.yaml cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/msp/config.yaml cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/config.yaml - ' | exec kubectl -n $NS exec deploy/org1-ecert-ca -i -- /bin/sh + ' | exec kubectl -n $NS exec deploy/org1-ca -i -- /bin/sh } function create_org2_local_MSP() { echo 'set -x export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client - export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem + export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric/config/tls/ca.crt # Each identity in the network needs a registration and enrollment. 
- fabric-ca-client register --id.name org2-peer1 --id.secret peerpw --id.type peer --url https://org2-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ecert-ca/rcaadmin/msp
- fabric-ca-client register --id.name org2-peer2 --id.secret peerpw --id.type peer --url https://org2-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ecert-ca/rcaadmin/msp
- fabric-ca-client register --id.name org2-admin --id.secret org2adminpw --id.type admin --url https://org2-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ecert-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
+ fabric-ca-client register --id.name org2-peer1 --id.secret peerpw --id.type peer --url https://org2-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ca/rcaadmin/msp
+ fabric-ca-client register --id.name org2-peer2 --id.secret peerpw --id.type peer --url https://org2-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ca/rcaadmin/msp
+ fabric-ca-client register --id.name org2-admin --id.secret org2adminpw --id.type admin --url https://org2-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
- fabric-ca-client enroll --url https://org2-peer1:peerpw@org2-ecert-ca --csr.hosts org2-peer1,org2-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp
- fabric-ca-client enroll --url https://org2-peer2:peerpw@org2-ecert-ca --csr.hosts org2-peer2,org2-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/msp
- fabric-ca-client enroll --url https://org2-admin:org2adminpw@org2-ecert-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp
-
- # Each node in the network needs a TLS registration and
enrollment.
- fabric-ca-client register --id.name org2-peer1 --id.secret peerpw --id.type peer --url https://org2-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
- fabric-ca-client register --id.name org2-peer2 --id.secret peerpw --id.type peer --url https://org2-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
-
- fabric-ca-client enroll --url https://org2-peer1:peerpw@org2-tls-ca --csr.hosts org2-peer1 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls
- fabric-ca-client enroll --url https://org2-peer2:peerpw@org2-tls-ca --csr.hosts org2-peer2 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls
-
- # Copy the TLS signing keys to a fixed path for convenience when launching the peers
- cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/keystore/server.key
- cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/keystore/server.key
+ fabric-ca-client enroll --url https://org2-peer1:peerpw@org2-ca --csr.hosts org2-peer1,org2-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp
+ fabric-ca-client enroll --url https://org2-peer2:peerpw@org2-ca --csr.hosts org2-peer2,org2-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/msp
+ fabric-ca-client enroll --url https://org2-admin:org2adminpw@org2-ca --mspdir
/var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/server.key @@ -179,21 +140,21 @@ function create_org2_local_MSP() { echo "NodeOUs: Enable: true ClientOUIdentifier: - Certificate: cacerts/org2-ecert-ca.pem + Certificate: cacerts/org2-ca.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: - Certificate: cacerts/org2-ecert-ca.pem + Certificate: cacerts/org2-ca.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: - Certificate: cacerts/org2-ecert-ca.pem + Certificate: cacerts/org2-ca.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: - Certificate: cacerts/org2-ecert-ca.pem + Certificate: cacerts/org2-ca.pem OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp/config.yaml cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/msp/config.yaml cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/config.yaml - ' | exec kubectl -n $NS exec deploy/org2-ecert-ca -i -- /bin/sh + ' | exec kubectl -n $NS exec deploy/org2-ca -i -- /bin/sh } function create_local_MSP() { 
@@ -206,6 +167,32 @@ function create_local_MSP() { pop_fn } +# TLS certificates are isused by the CA's Issuer, stored in a Kube secret, and mounted into the pod at /var/hyperledger/fabric/config/tls. +# For consistency with the Fabric-CA guide, his function copies the orderer's TLS certs into the traditional Fabric MSP / folder structure. +function extract_orderer_tls_cert() { + local orderer=$1 + + echo 'set -x + + mkdir -p /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/'${orderer}'.org0.example.com/tls/signcerts/ + + cp \ + var/hyperledger/fabric/config/tls/tls.crt \ + /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/'${orderer}'.org0.example.com/tls/signcerts/cert.pem + + ' | exec kubectl -n $NS exec deploy/${orderer} -i -c main -- /bin/sh +} + +function extract_orderer_tls_certs() { + push_fn "Extracting orderer TLS certs to local MSP folder" + + extract_orderer_tls_cert org0-orderer1 + extract_orderer_tls_cert org0-orderer2 + extract_orderer_tls_cert org0-orderer3 + + pop_fn +} + function network_up() { # Kube config @@ -214,18 +201,19 @@ function network_up() { load_org_config # Network TLS CAs - launch_TLS_CAs - enroll_bootstrap_TLS_CA_users + init_tls_cert_issuers # Network ECert CAs - register_enroll_ECert_CA_bootstrap_users launch_ECert_CAs enroll_bootstrap_ECert_CA_users # Test Network create_local_MSP + launch_orderers launch_peers + + extract_orderer_tls_certs } function stop_services() { @@ -240,6 +228,8 @@ function stop_services() { kubectl -n $NS delete pod --all kubectl -n $NS delete service --all kubectl -n $NS delete configmap --all + kubectl -n $NS delete cert --all + kubectl -n $NS delete issuer --all kubectl -n $NS delete secret --all pop_fn
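Review bot: The source path in the new `cp` inside `extract_orderer_tls_cert` is relative, `var/hyperledger/fabric/config/tls/tls.crt` (no leading slash), so the copy only succeeds when the `/bin/sh` spawned by `kubectl exec` happens to start in `/`; it should read `/var/hyperledger/fabric/config/tls/tls.crt` like the destination. Since the piped script starts with `set -x` and nothing else, a failed `cp` does not stop `network_up` either, leaving the orderer without `tls/signcerts/cert.pem` until something downstream breaks; `set -ex` at the top of the script would make the bootstrap fail at the copy instead. The header comment also has two typos (`isused`, `his function`) and would read better as `# TLS certificates are issued by the org's cert-manager Issuer, stored in a Kube secret, and mounted into the pod at /var/hyperledger/fabric/config/tls.` followed by `# For consistency with the Fabric-CA deployment guide, this function copies the orderer's TLS cert into the traditional Fabric MSP folder layout.`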