Fix KIND cluster creation for test-network-k8s (#1375)

This PR replaces deprecated containerd registry.mirrors configuration with
config_path mode and hosts.toml, required for containerd 2.x
(KIND v0.27.0+). The old configuration prevents the CRI plugin
from loading, causing kubelet to fail on startup.

Also, this fixes CA enrollment in create_node_local_MSP() to specify
port 443 explicitly, and other minor issues, including removing
redundant throws from Java close() methods.

Signed-off-by: Tatsuya Sato <tatsuya.sato.so@hitachi.com>
Co-authored-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>

.github/workflows/test-network-k8s.yaml

@@ -22,11 +22,18 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
       - name: Test the network
+        id: run-test
         working-directory: test-network-k8s
         run: ../ci/scripts/run-k8s-test-network-basic.sh
         env:
           CLIENT_LANGUAGE: typescript
           CHAINCODE_LANGUAGE: java
+      - name: Upload failure logs
+        if: ${{ failure() && steps.run-test.conclusion == 'failure' }}
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: ${{ github.job }}-logs
+          path: test-network-k8s/network-debug.log
 
   ccaas-external:
     runs-on: ${{ github.repository == 'hyperledger/fabric-samples' && 'fabric-ubuntu-22.04' || 'ubuntu-22.04' }}
@@ -34,11 +41,18 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
       - name: Test the network
+        id: run-test
         working-directory: test-network-k8s
         run: ../ci/scripts/run-k8s-test-network-basic.sh
         env:
           CLIENT_LANGUAGE: typescript
           CHAINCODE_LANGUAGE: external
+      - name: Upload failure logs
+        if: ${{ failure() && steps.run-test.conclusion == 'failure' }}
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: ${{ github.job }}-logs
+          path: test-network-k8s/network-debug.log
 
   k8s-builder:
     runs-on: ${{ github.repository == 'hyperledger/fabric-samples' && 'fabric-ubuntu-22.04' || 'ubuntu-22.04' }}
@@ -46,12 +60,19 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
       - name: Test the network
+        id: run-test
         working-directory: test-network-k8s
         run: ../ci/scripts/run-k8s-test-network-basic.sh
         env:
           CHAINCODE_NAME: basic
           CHAINCODE_LANGUAGE: java
           CHAINCODE_BUILDER: k8s
+      - name: Upload failure logs
+        if: ${{ failure() && steps.run-test.conclusion == 'failure' }}
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: ${{ github.job }}-logs
+          path: test-network-k8s/network-debug.log
 
   multi-namespace:
     runs-on: ${{ github.repository == 'hyperledger/fabric-samples' && 'fabric-ubuntu-22.04' || 'ubuntu-22.04' }}
@@ -59,6 +80,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
       - name: Test the network
+        id: run-test
         working-directory: test-network-k8s
         run: ../ci/scripts/run-k8s-test-network-basic.sh
         env:
@@ -68,6 +90,12 @@ jobs:
           CHAINCODE_NAME: basic
           CHAINCODE_LANGUAGE: java
           CHAINCODE_BUILDER: k8s
+      - name: Upload failure logs
+        if: ${{ failure() && steps.run-test.conclusion == 'failure' }}
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: ${{ github.job }}-logs
+          path: test-network-k8s/network-debug.log
 
   bft-orderer:
     runs-on: ${{ github.repository == 'hyperledger/fabric-samples' && 'fabric-ubuntu-22.04' || 'ubuntu-22.04' }}
@@ -78,6 +106,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
       - name: Test the network
+        id: run-test
         working-directory: test-network-k8s
         run: ../ci/scripts/run-k8s-test-network-basic.sh
         env:
@@ -87,3 +116,9 @@ jobs:
           # To test BFT Orderers, Fabric v3.x is explicitly specified here.
           FABRIC_VERSION: '3.1'
           ORDERER_TYPE: bft
+      - name: Upload failure logs
+        if: ${{ failure() && steps.run-test.conclusion == 'failure' }}
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: ${{ github.job }}-logs
+          path: test-network-k8s/network-debug.log

asset-transfer-basic/chaincode-java/src/test/java/org/hyperledger/fabric/samples/assettransfer/AssetTransferTest.java

@@ -83,7 +83,7 @@ public final class AssetTransferTest {
         }
 
         @Override
-        public void close() throws Exception {
+        public void close() {
             // do nothing
         }
 

asset-transfer-events/application-gateway-java/src/main/java/App.java

@@ -169,7 +169,7 @@ public final class App implements AutoCloseable {
     }
 
     @Override
-    public void close() throws Exception {
+    public void close() {
         executor.shutdownNow();
     }
 }

test-network-k8s/scripts/kind.sh

@@ -43,16 +43,32 @@ nodes:
 #networking:
 #  kubeProxyMode: "ipvs"
 
-# create a cluster with the local registry enabled in containerd
+# Create a cluster with the local registry enabled in containerd.
+# KIND v0.27.0+ uses containerd 2.x, which requires config_path mode
+# instead of the deprecated registry.mirrors configuration.
+# See: https://github.com/kubernetes-sigs/kind/releases/tag/v0.27.0
+# See: https://github.com/containerd/containerd/blob/main/docs/hosts.md
 containerdConfigPatches:
 - |-
-  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:${reg_port}"]
-    endpoint = ["http://${reg_name}:${reg_port}"]
+  [plugins."io.containerd.grpc.v1.cri".registry]
+    config_path = "/etc/containerd/certs.d"
 
 EOF
 
+  # Configure registry for containerd 2.x using config_path mode
+  for node in $(kind get nodes --name $CLUSTER_NAME);
+  do
+    docker exec "$node" mkdir -p "/etc/containerd/certs.d/localhost:${reg_port}"
+    docker exec "$node" sh -c "cat > /etc/containerd/certs.d/localhost:${reg_port}/hosts.toml <<EOT
+server = \"http://localhost:${reg_port}\"
+
+[host.\"http://${reg_name}:${reg_port}\"]
+  capabilities = [\"pull\", \"resolve\", \"push\"]
+EOT"
+  done
+
   # workaround for https://github.com/hyperledger/fabric-samples/issues/550 - pods can not resolve external DNS
-  for node in $(kind get nodes);
+  for node in $(kind get nodes --name $CLUSTER_NAME);
   do
     docker exec "$node" sysctl net.ipv4.conf.all.route_localnet=1;
   done

test-network-k8s/scripts/test_network.sh

@@ -74,11 +74,17 @@ function create_node_local_MSP() {
   export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client
   export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric/config/tls/ca.crt
 
+  # Enroll from inside the CA pod. Must specify port 443 explicitly.
+  # CA server listens on port 443, but fabric-ca-client defaults to 7054 when port is omitted in the URL.
   fabric-ca-client enroll \
-    --url https://${id_name}:${id_secret}@${ca_name} \
+    --url https://${id_name}:${id_secret}@${ca_name}:443 \
     --csr.hosts ${csr_hosts} \
     --mspdir /var/hyperledger/fabric/organizations/${node_type}Organizations/${org}.example.com/${node_type}s/${id_name}.${org}.example.com/msp
 
+  # Copy CA cert to expected filename (fabric-ca-client saves it as <hostname>-<port>.pem)
+  cp /var/hyperledger/fabric/organizations/${node_type}Organizations/${org}.example.com/${node_type}s/${id_name}.${org}.example.com/msp/cacerts/*.pem \
+     /var/hyperledger/fabric/organizations/${node_type}Organizations/${org}.example.com/${node_type}s/${id_name}.${org}.example.com/msp/cacerts/${org}-ca.pem
+
   # Create local MSP config.yaml
   echo "NodeOUs:
     Enable: true

token-erc-721/chaincode-java/src/test/java/org/hyperledger/fabric/samples/erc721/ERC721TokenContractTest.java

@@ -70,7 +70,7 @@ public class ERC721TokenContractTest {
     }
 
     @Override
-    public void close() throws Exception {
+    public void close() {
       // do nothing
     }
   }