diff --git a/test-network-k8s/kube/org0/org0-ecert-ca-tls-cert.yaml b/test-network-k8s/kube/org0/org0-ecert-ca-tls-cert.yaml new file mode 100644 index 00000000..b493f155 --- /dev/null +++ b/test-network-k8s/kube/org0/org0-ecert-ca-tls-cert.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org0-ecert-ca-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org0-ecert-ca + - org0-ecert-ca.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org0-ecert-ca-tls-cert + issuerRef: + name: org0-tls-cert-issuer \ No newline at end of file diff --git a/test-network-k8s/kube/org0/org0-ecert-ca.yaml b/test-network-k8s/kube/org0/org0-ecert-ca.yaml index 4e1960f5..f1b8b024 100644 --- a/test-network-k8s/kube/org0/org0-ecert-ca.yaml +++ b/test-network-k8s/kube/org0/org0-ecert-ca.yaml @@ -30,9 +30,9 @@ spec: - name: FABRIC_CA_SERVER_HOME value: "/var/hyperledger/fabric-ca-server" - name: FABRIC_CA_SERVER_TLS_CERTFILE - value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/signcerts/cert.pem" + value: "/var/hyperledger/fabric-ca-server/tls/tls.crt" - name: FABRIC_CA_SERVER_TLS_KEYFILE - value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/keystore/key.pem" + value: "/var/hyperledger/fabric-ca-server/tls/tls.key" - name: FABRIC_CA_CLIENT_HOME value: "/var/hyperledger/fabric-ca-client" ports: @@ -43,6 +43,9 @@ spec: - name: fabric-config mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml subPath: fabric-ecert-ca-server-config.yaml + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric-ca-server/tls + readOnly: true readinessProbe: tcpSocket: port: 443 @@ -55,6 +58,9 @@ spec: - name: fabric-config configMap: name: org0-config + - name: tls-cert-volume + secret: + secretName: org0-ecert-ca-tls-cert --- apiVersion: v1 
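Review bot: The Certificate hardcodes `namespace: test-network`, while the `Issuer` it references (`org0-tls-cert-issuer`, L6) and the issuer Secret carry no namespace and are placed by `kubectl -n $NS` (L17, L18). An `Issuer` is namespaced, so a Certificate can only resolve an `issuerRef` in its own namespace, and kubectl refuses to apply a manifest whose `metadata.namespace` differs from the `-n` it was given — with any `$NS` other than `test-network` the apply fails or the Certificate never becomes Ready and the `kubectl wait` on it times out. Drop the `namespace:` line and let `-n $NS` place it, exactly as the Issuer is handled. The same applies to every Certificate added in this commit (L2, L3, L5, L7, L8, L9, L12, L13, L15); the three `*-ecert-ca-tls-cert.yaml` files also end without a trailing newline.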
diff --git a/test-network-k8s/kube/org0/org0-orderer1.yaml b/test-network-k8s/kube/org0/org0-orderer1.yaml index ce70b59a..dc1aef30 100644 --- a/test-network-k8s/kube/org0/org0-orderer1.yaml +++ b/test-network-k8s/kube/org0/org0-orderer1.yaml @@ -3,6 +3,28 @@ # # SPDX-License-Identifier: Apache-2.0 # + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org0-orderer1-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org0-orderer1 + - org0-orderer1.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org0-orderer1-tls-cert + issuerRef: + name: org0-tls-cert-issuer + --- apiVersion: v1 kind: ConfigMap @@ -16,9 +38,9 @@ data: ORDERER_GENERAL_LOCALMSPID: OrdererMSP ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp ORDERER_GENERAL_TLS_ENABLED: "true" - ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/signcerts/cert.pem - ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/cacerts/org0-tls-ca.pem - ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/server.key + ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric-ca-server/tls/tls.crt + ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric-ca-server/tls/ca.crt + ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric-ca-server/tls/tls.key ORDERER_GENERAL_BOOTSTRAPMETHOD: none ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer1 ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer1/etcdraft/wal 
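Review bot: `spec.usages` is left unset on the orderer Certificate, so the extended key usage of the issued certificate is whatever cert-manager applies by default, which may not include `client auth`. A Raft orderer also presents its TLS certificate as a client certificate to the other cluster members (the default when `ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE` is unset, and no override is visible in this diff), and a verifier that checks EKU will reject a client certificate that lacks it. Stating the usages explicitly removes the dependency on the default, e.g. `usages: [server auth, client auth, digital signature, key encipherment]` under `spec`. The same goes for org0-orderer2 (L3) and org0-orderer3 (L5), and for the peer Certificates (L8, L9, L13, L15) if peer client authentication is enabled anywhere.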
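Review bot: `ORDERER_GENERAL_TLS_CERTIFICATE`, `_PRIVATEKEY` and `_ROOTCAS` now point under `/var/hyperledger/fabric-ca-server/tls`, a directory named after the CA server although this ConfigMap belongs to an orderer pod; the peers reuse the same path (L8, L10, L14, L15). A neutral mount such as `/var/hyperledger/fabric/tls` would make it clear that the files come from the pod's own cert-manager Secret rather than from the CA. Separately, `ORDERER_GENERAL_TLS_ROOTCAS` is now only the cert-manager CA's `ca.crt`, and nothing visible in this diff updates the TLS root certificates carried in the channel or genesis configuration; unless that is handled elsewhere, peers and clients that validate orderer TLS against the old Fabric TLS CA will not trust the new certificates.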
@@ -57,6 +79,9 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric/config + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric-ca-server/tls + readOnly: true volumes: - name: fabric-volume persistentVolumeClaim: @@ -64,7 +89,9 @@ spec: - name: fabric-config configMap: name: org0-config - + - name: tls-cert-volume + secret: + secretName: org0-orderer1-tls-cert --- apiVersion: v1 kind: Service diff --git a/test-network-k8s/kube/org0/org0-orderer2.yaml b/test-network-k8s/kube/org0/org0-orderer2.yaml index 0314416d..5fe71252 100644 --- a/test-network-k8s/kube/org0/org0-orderer2.yaml +++ b/test-network-k8s/kube/org0/org0-orderer2.yaml @@ -3,6 +3,27 @@ # # SPDX-License-Identifier: Apache-2.0 # +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org0-orderer2-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org0-orderer2 + - org0-orderer2.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org0-orderer2-tls-cert + issuerRef: + name: org0-tls-cert-issuer + --- apiVersion: v1 kind: ConfigMap 
@@ -16,9 +37,9 @@ data: ORDERER_GENERAL_LOCALMSPID: OrdererMSP ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp ORDERER_GENERAL_TLS_ENABLED: "true" - ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/signcerts/cert.pem - ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/cacerts/org0-tls-ca.pem - ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/server.key + ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric-ca-server/tls/tls.crt + ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric-ca-server/tls/ca.crt + ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric-ca-server/tls/tls.key ORDERER_GENERAL_BOOTSTRAPMETHOD: none ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer2 ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer2/etcdraft/wal @@ -57,6 +78,9 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric/config + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric-ca-server/tls + readOnly: true volumes: - name: fabric-volume persistentVolumeClaim: @@ -64,7 +88,9 @@ spec: - name: fabric-config configMap: name: org0-config - + - name: tls-cert-volume + secret: + secretName: org0-orderer1-tls-cert --- apiVersion: v1 kind: Service diff --git a/test-network-k8s/kube/org0/org0-orderer3.yaml b/test-network-k8s/kube/org0/org0-orderer3.yaml index cbca3739..e5133fa1 100644 --- a/test-network-k8s/kube/org0/org0-orderer3.yaml +++ b/test-network-k8s/kube/org0/org0-orderer3.yaml 
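Review bot: The volume added in the last hunk on this line mounts `secretName: org0-orderer1-tls-cert` into the org0-orderer2 Deployment, but orderer2's own Certificate (first hunk on L3) writes its key pair to `org0-orderer2-tls-cert`. Orderer2 would therefore serve orderer1's certificate and private key: the SANs (`org0-orderer1`, `org0-orderer1.test-network.svc.cluster.local`) do not match the `org0-orderer2` name clients connect to, and two nodes end up sharing one private key. Change it to `secretName: org0-orderer2-tls-cert`; org0-orderer3 (first hunk on L6) has the same slip with `org0-orderer2-tls-cert` and should reference `org0-orderer3-tls-cert`.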
@@ -3,6 +3,27 @@ # # SPDX-License-Identifier: Apache-2.0 # +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org0-orderer3-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org0-orderer3 + - org0-orderer3.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org0-orderer3-tls-cert + issuerRef: + name: org0-tls-cert-issuer + --- apiVersion: v1 kind: ConfigMap @@ -16,9 +37,9 @@ data: ORDERER_GENERAL_LOCALMSPID: OrdererMSP ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp ORDERER_GENERAL_TLS_ENABLED: "true" - ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/signcerts/cert.pem - ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/cacerts/org0-tls-ca.pem - ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/server.key + ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric-ca-server/tls/tls.crt + ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric-ca-server/tls/ca.crt + ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric-ca-server/tls/tls.key ORDERER_GENERAL_BOOTSTRAPMETHOD: none ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer3 ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer3/etcdraft/wal @@ -57,6 +78,9 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric/config + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric-ca-server/tls + readOnly: true volumes: - name: fabric-volume persistentVolumeClaim: 
@@ -64,7 +88,9 @@ spec: - name: fabric-config configMap: name: org0-config - + - name: tls-cert-volume + secret: + secretName: org0-orderer2-tls-cert --- apiVersion: v1 kind: Service diff --git a/test-network-k8s/kube/org0/org0-tls-cert-issuer-secret.yaml b/test-network-k8s/kube/org0/org0-tls-cert-issuer-secret.yaml new file mode 100644 index 00000000..6cc74575 --- /dev/null +++ b/test-network-k8s/kube/org0/org0-tls-cert-issuer-secret.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: org0-tls-cert-issuer-secret +data: + tls.crt: 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 + tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JR0hBZ0VBTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEJHMHdhd0lCQVFRZ2ZDM21WUDVnWGtMa0M0UDAKbGoyZVVXVmQ4QVVjVVhKZnBiU2tWYUw4a2s2aFJBTkNBQVRPOC9OckhKeDFuRmtUT2JndGk1UmdvV2dyRWtWSwpaa1pBWkYvZzBYMnpXeCtLb09uejE4bFMyRnhNajJJa1BsTVJHYmx6RURnRGZUaXNIK0NtczJpRwotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg== diff --git a/test-network-k8s/kube/org0/org0-tls-cert-issuer.yaml b/test-network-k8s/kube/org0/org0-tls-cert-issuer.yaml new file mode 100644 index 00000000..8270710b --- /dev/null +++ b/test-network-k8s/kube/org0/org0-tls-cert-issuer.yaml @@ -0,0 +1,13 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: org0-tls-cert-issuer +spec: + ca: + secretName: org0-tls-cert-issuer-secret \ No newline at end of file diff --git a/test-network-k8s/kube/org1/org1-ecert-ca-tls-cert.yaml b/test-network-k8s/kube/org1/org1-ecert-ca-tls-cert.yaml new file mode 100644 index 00000000..875a5649 --- /dev/null +++ b/test-network-k8s/kube/org1/org1-ecert-ca-tls-cert.yaml 
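Review bot: `org0-tls-cert-issuer-secret.yaml` checks a CA private key into the repository — the `tls.key` value is base64 whose prefix decodes to `-----BEGIN PRIVATE KEY-----` — and the Issuer in the next hunk signs every orderer, peer and CA TLS certificate with it, so anyone with read access to the repo can mint certificates the whole network trusts; org1 (L11) and org2 (L16) commit their keys the same way. Generate the CA material at deploy time instead: a cert-manager `SelfSigned` Issuer feeding a `Certificate` with `isCA: true`, whose `secretName` this CA Issuer then references, or a Secret created from a locally generated key pair with the file kept out of version control. The Secret manifests also omit `namespace:` while the Certificates pin `test-network`, so the two only meet when `$NS` happens to be that value. As a side note, the org0 and org2 `tls.crt` values are rendered by the same placeholder on this page; if they are in fact identical while the `tls.key` values differ, one of the two issuers holds a mismatched key pair — worth checking.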
@@ -0,0 +1,20 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org1-ecert-ca-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org1-ecert-ca + - org1-ecert-ca.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org1-ecert-ca-tls-cert + issuerRef: + name: org1-tls-cert-issuer \ No newline at end of file diff --git a/test-network-k8s/kube/org1/org1-ecert-ca.yaml b/test-network-k8s/kube/org1/org1-ecert-ca.yaml index c4a9f4e6..9c50747c 100644 --- a/test-network-k8s/kube/org1/org1-ecert-ca.yaml +++ b/test-network-k8s/kube/org1/org1-ecert-ca.yaml @@ -30,9 +30,9 @@ spec: - name: FABRIC_CA_SERVER_HOME value: "/var/hyperledger/fabric-ca-server" - name: FABRIC_CA_SERVER_TLS_CERTFILE - value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/signcerts/cert.pem" + value: "/var/hyperledger/fabric-ca-server/tls/tls.crt" - name: FABRIC_CA_SERVER_TLS_KEYFILE - value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/keystore/key.pem" + value: "/var/hyperledger/fabric-ca-server/tls/tls.key" - name: FABRIC_CA_CLIENT_HOME value: "/var/hyperledger/fabric-ca-client" ports: @@ -43,6 +43,9 @@ spec: - name: fabric-config mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml subPath: fabric-ecert-ca-server-config.yaml + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric-ca-server/tls + readOnly: true readinessProbe: tcpSocket: port: 443 @@ -55,7 +58,9 @@ spec: - name: fabric-config configMap: name: org1-config - + - name: tls-cert-volume + secret: + secretName: org1-ecert-ca-tls-cert --- apiVersion: v1 kind: Service diff --git a/test-network-k8s/kube/org1/org1-peer1.yaml b/test-network-k8s/kube/org1/org1-peer1.yaml index 0b6376db..16dbf94d 100644 --- a/test-network-k8s/kube/org1/org1-peer1.yaml +++ b/test-network-k8s/kube/org1/org1-peer1.yaml 
@@ -3,6 +3,27 @@ # # SPDX-License-Identifier: Apache-2.0 # +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org1-peer1-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org1-peer1 + - org1-peer1.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org1-peer1-tls-cert + issuerRef: + name: org1-tls-cert-issuer + --- apiVersion: v1 kind: ConfigMap @@ -12,9 +33,9 @@ data: FABRIC_CFG_PATH: /var/hyperledger/fabric/config FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" CORE_PEER_TLS_ENABLED: "true" - CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/signcerts/cert.pem - CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/keystore/server.key - CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/cacerts/org1-tls-ca.pem + CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric-ca-server/tls/tls.crt + CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric-ca-server/tls/tls.key + CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric-ca-server/tls/ca.crt CORE_PEER_ID: org1-peer1.org1.example.com CORE_PEER_ADDRESS: org1-peer1:7051 CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 @@ -29,6 +50,7 @@ data: CORE_PEER_FILESYSTEMPATH: /var/hyperledger/fabric/data/org1-peer1.org1.example.com CORE_LEDGER_SNAPSHOTS_ROOTDIR: /var/hyperledger/fabric/data/org1-peer1.org1.example.com/snapshots CHAINCODE_AS_A_SERVICE_BUILDER_CONFIG: "{\"peername\":\"org1peer1\"}" + --- apiVersion: apps/v1 kind: Deployment 
@@ -61,6 +83,9 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric/config + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric-ca-server/tls + readOnly: true volumes: - name: fabric-volume persistentVolumeClaim: @@ -68,7 +93,9 @@ spec: - name: fabric-config configMap: name: org1-config - + - name: tls-cert-volume + secret: + secretName: org1-peer1-tls-cert --- apiVersion: v1 kind: Service diff --git a/test-network-k8s/kube/org1/org1-peer2.yaml b/test-network-k8s/kube/org1/org1-peer2.yaml index a4073385..06ed89d4 100644 --- a/test-network-k8s/kube/org1/org1-peer2.yaml +++ b/test-network-k8s/kube/org1/org1-peer2.yaml @@ -3,6 +3,28 @@ # # SPDX-License-Identifier: Apache-2.0 # +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org1-peer2-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org1-peer2 + - org1-peer2.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org1-peer2-tls-cert + issuerRef: + name: org1-tls-cert-issuer + + --- apiVersion: v1 kind: ConfigMap 
@@ -12,9 +34,9 @@ data: FABRIC_CFG_PATH: /var/hyperledger/fabric/config FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" CORE_PEER_TLS_ENABLED: "true" - CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/signcerts/cert.pem - CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/keystore/server.key - CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/cacerts/org1-tls-ca.pem + CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric-ca-server/tls/tls.crt + CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric-ca-server/tls/tls.key + CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric-ca-server/tls/ca.crt CORE_PEER_ID: org1-peer2.org1.example.com CORE_PEER_ADDRESS: org1-peer2:7051 CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 @@ -61,7 +83,9 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric/config - + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric-ca-server/tls + readOnly: true volumes: - name: fabric-volume persistentVolumeClaim: @@ -69,7 +93,9 @@ spec: - name: fabric-config configMap: name: org1-config - + - name: tls-cert-volume + secret: + secretName: org1-peer2-tls-cert --- apiVersion: v1 kind: Service diff --git a/test-network-k8s/kube/org1/org1-tls-cert-issuer-secret.yaml b/test-network-k8s/kube/org1/org1-tls-cert-issuer-secret.yaml new file mode 100644 index 00000000..cf438c98 --- /dev/null +++ b/test-network-k8s/kube/org1/org1-tls-cert-issuer-secret.yaml 
@@ -0,0 +1,13 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: Secret +metadata: + name: org1-tls-cert-issuer-secret +data: + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNLRENDQWM2Z0F3SUJBZ0lVZUZhVWpkQzNXUnlNdHU0TExaM2hlQmIyVG5Jd0NnWUlLb1pJemowRUF3SXcKYURFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1REazV2Y25Sb0lFTmhjbTlzYVc1aE1SUXdFZ1lEVlFRSwpFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVJrd0Z3WURWUVFERXhCbVlXSnlhV010ClkyRXRjMlZ5ZG1WeU1CNFhEVEl5TURFeE9ERTRNRGt3TUZvWERUTTNNREV4TkRFNE1Ea3dNRm93YURFTE1Ba0cKQTFVRUJoTUNWVk14RnpBVkJnTlZCQWdURGs1dmNuUm9JRU5oY205c2FXNWhNUlF3RWdZRFZRUUtFd3RJZVhCbApjbXhsWkdkbGNqRVBNQTBHQTFVRUN4TUdSbUZpY21sak1Sa3dGd1lEVlFRREV4Qm1ZV0p5YVdNdFkyRXRjMlZ5CmRtVnlNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVLdHBid0RMNStwcWV1bUNxUlAxN0ltT1gKSytxclViMTAyTU9XeE1iaDBKbExHdm1DS05DeFhjNnFNSnMvSE1uakJyaWZ2VlZUdW4xbzB4U2FGVU5wVHFOVwpNRlF3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJTUFZQkFmOENBUUV3SFFZRFZSME9CQllFCkZMUU4zVk1zRkU4SEMrZUZJZ2E5VkNTZUpqNVdNQThHQTFVZEVRUUlNQWFIQkg4QUFBRXdDZ1lJS29aSXpqMEUKQXdJRFNBQXdSUUloQU8vNGttZm5MWml2c05BZ1hRQzFYUHQrS2NyOGJGUGlRbmhzNWo5SUNJdFVBaUIrei9uZgpjdURvcjRqUFdMSjNVL1NZYnVkK1g4NEt1UzFseVNTME9Pbmpndz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCg== + tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JR0hBZ0VBTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEJHMHdhd0lCQVFRZzFhdXpCUk9nT1dxc3FwL1UKYlp3M2dtSk5sZlhOS3FMc2NCWUZzdmdhdWZLaFJBTkNBQVFxMmx2QU12bjZtcDY2WUtwRS9Yc2lZNWNyNnF0Ugp2WFRZdzViRXh1SFFtVXNhK1lJbzBMRmR6cW93bXo4Y3llTUd1Sis5VlZPNmZXalRGSm9WUTJsTwotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0t diff --git a/test-network-k8s/kube/org1/org1-tls-cert-issuer.yaml b/test-network-k8s/kube/org1/org1-tls-cert-issuer.yaml new file mode 100644 index 00000000..9c972455 --- /dev/null +++ b/test-network-k8s/kube/org1/org1-tls-cert-issuer.yaml 
@@ -0,0 +1,13 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: org1-tls-cert-issuer +spec: + ca: + secretName: org1-tls-cert-issuer-secret \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-ecert-ca-tls-cert.yaml b/test-network-k8s/kube/org2/org2-ecert-ca-tls-cert.yaml new file mode 100644 index 00000000..7321ab84 --- /dev/null +++ b/test-network-k8s/kube/org2/org2-ecert-ca-tls-cert.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org2-ecert-ca-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org2-ecert-ca + - org2-ecert-ca.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org2-ecert-ca-tls-cert + issuerRef: + name: org2-tls-cert-issuer \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-ecert-ca.yaml b/test-network-k8s/kube/org2/org2-ecert-ca.yaml index 216b53be..5d568ffd 100644 --- a/test-network-k8s/kube/org2/org2-ecert-ca.yaml +++ b/test-network-k8s/kube/org2/org2-ecert-ca.yaml @@ -30,9 +30,9 @@ spec: - name: FABRIC_CA_SERVER_HOME value: "/var/hyperledger/fabric-ca-server" - name: FABRIC_CA_SERVER_TLS_CERTFILE - value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/signcerts/cert.pem" + value: "/var/hyperledger/fabric-ca-server/tls/tls.crt" - name: FABRIC_CA_SERVER_TLS_KEYFILE - value: "/var/hyperledger/fabric-ca-client/tls-ca/rcaadmin/msp/keystore/key.pem" + value: "/var/hyperledger/fabric-ca-server/tls/tls.key" - name: FABRIC_CA_CLIENT_HOME value: "/var/hyperledger/fabric-ca-client" ports: 
@@ -43,6 +43,9 @@ spec: - name: fabric-config mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml subPath: fabric-ecert-ca-server-config.yaml + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric-ca-server/tls + readOnly: true readinessProbe: tcpSocket: port: 443 @@ -55,7 +58,9 @@ spec: - name: fabric-config configMap: name: org2-config - + - name: tls-cert-volume + secret: + secretName: org2-ecert-ca-tls-cert --- apiVersion: v1 kind: Service diff --git a/test-network-k8s/kube/org2/org2-peer1.yaml b/test-network-k8s/kube/org2/org2-peer1.yaml index 112b98f1..b745e4da 100644 --- a/test-network-k8s/kube/org2/org2-peer1.yaml +++ b/test-network-k8s/kube/org2/org2-peer1.yaml @@ -3,6 +3,27 @@ # # SPDX-License-Identifier: Apache-2.0 # +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org2-peer1-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org2-peer1 + - org2-peer1.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org2-peer1-tls-cert + issuerRef: + name: org2-tls-cert-issuer + --- apiVersion: v1 kind: ConfigMap 
@@ -12,9 +33,9 @@ data: FABRIC_CFG_PATH: /var/hyperledger/fabric/config FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" CORE_PEER_TLS_ENABLED: "true" - CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/signcerts/cert.pem - CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/keystore/server.key - CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/cacerts/org2-tls-ca.pem + CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric-ca-server/tls/tls.crt + CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric-ca-server/tls/tls.key + CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric-ca-server/tls/ca.crt CORE_PEER_ID: org2-peer1.org2.example.com CORE_PEER_ADDRESS: org2-peer1:7051 CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 @@ -61,6 +82,9 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric/config + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric-ca-server/tls + readOnly: true volumes: - name: fabric-volume persistentVolumeClaim: @@ -68,7 +92,9 @@ spec: - name: fabric-config configMap: name: org2-config - + - name: tls-cert-volume + secret: + secretName: org2-peer1-tls-cert --- apiVersion: v1 kind: Service diff --git a/test-network-k8s/kube/org2/org2-peer2.yaml b/test-network-k8s/kube/org2/org2-peer2.yaml index 2cd30175..4bc8edae 100644 --- a/test-network-k8s/kube/org2/org2-peer2.yaml +++ b/test-network-k8s/kube/org2/org2-peer2.yaml 
@@ -3,6 +3,27 @@ # # SPDX-License-Identifier: Apache-2.0 # +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: org2-peer2-tls-cert + namespace: test-network +spec: + isCA: false + privateKey: + algorithm: ECDSA + size: 256 + dnsNames: + - localhost + - org2-peer2 + - org2-peer2.test-network.svc.cluster.local + ipAddresses: + - 127.0.0.1 + secretName: org2-peer2-tls-cert + issuerRef: + name: org2-tls-cert-issuer + --- apiVersion: v1 kind: ConfigMap @@ -12,9 +33,9 @@ data: FABRIC_CFG_PATH: /var/hyperledger/fabric/config FABRIC_LOGGING_SPEC: "debug:cauthdsl,policies,msp,grpc,peer.gossip.mcs,gossip,leveldbhelper=info" CORE_PEER_TLS_ENABLED: "true" - CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/signcerts/cert.pem - CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/keystore/server.key - CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/cacerts/org2-tls-ca.pem + CORE_PEER_TLS_CERT_FILE: /var/hyperledger/fabric-ca-server/tls/tls.crt + CORE_PEER_TLS_KEY_FILE: /var/hyperledger/fabric-ca-server/tls/tls.key + CORE_PEER_TLS_ROOTCERT_FILE: /var/hyperledger/fabric-ca-server/tls/ca.crt CORE_PEER_ID: org2-peer2.org2.example.com CORE_PEER_ADDRESS: org2-peer2:7051 CORE_PEER_LISTENADDRESS: 0.0.0.0:7051 @@ -61,7 +82,9 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric/config - + - name: tls-cert-volume + mountPath: /var/hyperledger/fabric-ca-server/tls + readOnly: true volumes: - name: fabric-volume persistentVolumeClaim: @@ -69,7 +92,9 @@ spec: - name: fabric-config configMap: name: org2-config - + - name: tls-cert-volume + secret: + secretName: org2-peer2-tls-cert --- apiVersion: v1 kind: Service 
diff --git a/test-network-k8s/kube/org2/org2-tls-cert-issuer-secret.yaml b/test-network-k8s/kube/org2/org2-tls-cert-issuer-secret.yaml new file mode 100644 index 00000000..3d9f2cdf --- /dev/null +++ b/test-network-k8s/kube/org2/org2-tls-cert-issuer-secret.yaml @@ -0,0 +1,13 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: v1 +kind: Secret +metadata: + name: org2-tls-cert-issuer-secret +data: + tls.crt: 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 + tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JR0hBZ0VBTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEJHMHdhd0lCQVFRZ0pnWlhOajREOWpKcVVlbzgKT3JoS2ZNVWNrenE5RTM4M29jSW15aDhPQlNHaFJBTkNBQVJWaHlnS1BGU29RcE5sVHlyeXNEQWJzUktRWEZiSgo4bm10MkVZVW9NaHZrWlYwWWcrd0tZZ3p1YjlJdE0vU0lGa1pLaHZRUVFoMEluZm85aWg2NVh2agotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg== diff --git a/test-network-k8s/kube/org2/org2-tls-cert-issuer.yaml b/test-network-k8s/kube/org2/org2-tls-cert-issuer.yaml new file mode 100644 index 00000000..f3e123a6 --- /dev/null +++ b/test-network-k8s/kube/org2/org2-tls-cert-issuer.yaml @@ -0,0 +1,13 @@ +# +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: org2-tls-cert-issuer +spec: + ca: + secretName: org2-tls-cert-issuer-secret \ No newline at end of file diff --git a/test-network-k8s/scripts/fabric_CAs.sh b/test-network-k8s/scripts/fabric_CAs.sh index a0ee760f..6e3776cf 100755 --- a/test-network-k8s/scripts/fabric_CAs.sh +++ b/test-network-k8s/scripts/fabric_CAs.sh 
@@ -47,6 +47,46 @@ function launch_ECert_CAs() {
 pop_fn
 }
+# experimental: create TLS CA issuers using cert-manager for each org.
+function init_tls_cert_issuers() {
+ push_fn "Initializing TLS certificate issuers"
+
+ # todo: secret needs to be created before the issuer - the lag will cause an error on the first init for the issuer.
+ kubectl -n $NS delete -f kube/org0/org0-tls-cert-issuer-secret.yaml || true
+ kubectl -n $NS delete -f kube/org1/org1-tls-cert-issuer-secret.yaml || true
+ kubectl -n $NS delete -f kube/org2/org2-tls-cert-issuer-secret.yaml || true
+
+ kubectl -n $NS create -f kube/org0/org0-tls-cert-issuer-secret.yaml
+ kubectl -n $NS create -f kube/org1/org1-tls-cert-issuer-secret.yaml
+ kubectl -n $NS create -f kube/org2/org2-tls-cert-issuer-secret.yaml
+
+ # todo: find a better way to wait for the secret to be created.
+ # sleep 10
+
+ kubectl -n $NS apply -f kube/org0/org0-tls-cert-issuer.yaml
+ kubectl -n $NS apply -f kube/org1/org1-tls-cert-issuer.yaml
+ kubectl -n $NS apply -f kube/org2/org2-tls-cert-issuer.yaml
+
+ kubectl -n $NS wait --timeout=30s --for=condition=Ready issuer/org0-tls-cert-issuer
+ kubectl -n $NS wait --timeout=30s --for=condition=Ready issuer/org1-tls-cert-issuer
+ kubectl -n $NS wait --timeout=30s --for=condition=Ready issuer/org2-tls-cert-issuer
+
+ pop_fn
+}
+
+# use cert-manager to issue ECDSA TLS certificates for the ecert CA. 
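Review bot: The delete-then-create sequence for the issuer Secrets in `init_tls_cert_issuers`, with `|| true` on each delete, hides every failure of the delete (wrong context, RBAC, connectivity) and still leaves the ordering problem the two `# todo` comments describe. `kubectl apply` is idempotent and returns once the Secret is persisted, so the six delete/create lines and the commented-out `# sleep 10` collapse to three lines of the form `kubectl -n $NS apply -f kube/org0/org0-tls-cert-issuer-secret.yaml`, matching how the Issuers are applied just below. The existing `wait --for=condition=Ready issuer/...` already absorbs cert-manager's reconcile delay, which is the only lag that remains. The function's last comment line continues on L18.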
Replaces the bootstrap ecert user enrollment in the TLS CA
+function issue_ECert_CA_tls_certs() {
+
+ kubectl -n $NS apply -f kube/org0/org0-ecert-ca-tls-cert.yaml
+ kubectl -n $NS apply -f kube/org1/org1-ecert-ca-tls-cert.yaml
+ kubectl -n $NS apply -f kube/org2/org2-ecert-ca-tls-cert.yaml
+
+ kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org0-ecert-ca-tls-cert
+ kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org1-ecert-ca-tls-cert
+ kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org2-ecert-ca-tls-cert
+}
+
+
 # Enroll bootstrap user with TLS CA
 # https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-bootstrap-user-with-tls-ca
 function enroll_bootstrap_TLS_CA_user() {
@@ -128,7 +168,7 @@ function enroll_bootstrap_ECert_CA_user() {
 fabric-ca-client enroll \
 --url https://'${auth}'@'${ecert_ca}' \
- --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \
+ --tls.certfiles /var/hyperledger/fabric-ca-server/tls/ca.crt \
 --mspdir $FABRIC_CA_CLIENT_HOME/'${ecert_ca}'/rcaadmin/msp
 ' | exec kubectl -n $NS exec deploy/${ecert_ca} -i -- /bin/sh
diff --git a/test-network-k8s/scripts/test_network.sh b/test-network-k8s/scripts/test_network.sh
index e938ba00..805fd7c3 100755
--- a/test-network-k8s/scripts/test_network.sh
+++ b/test-network-k8s/scripts/test_network.sh
@@ -49,7 +49,7 @@ function launch_peers() {
 function create_org0_local_MSP() {
 echo 'set -x
 export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client
- export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem
+ export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric-ca-server/tls/ca.crt
 # Each identity in the network needs a registration and enrollment.
 fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp
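Review bot: `issue_ECert_CA_tls_certs` skips the `push_fn`/`pop_fn` bracket that `launch_ECert_CAs` and `init_tls_cert_issuers` (L17) wrap around each step, so its progress is not reported like the others; add a `push_fn "..."` line with a short step description as the first statement and `pop_fn` before the closing brace. Its header comment (started on L17) is two sentences on one line where the rest of the file uses one `#` line per sentence. The new `--tls.certfiles /var/hyperledger/fabric-ca-server/tls/ca.crt` in `enroll_bootstrap_ECert_CA_user` and `FABRIC_CA_CLIENT_TLS_CERTFILES` in `create_org0_local_MSP` only resolve inside a pod that mounts `tls-cert-volume`; the former runs in `deploy/${ecert_ca}`, which does, while the pod that executes `create_org0_local_MSP` is not visible here — confirm it mounts the same Secret, otherwise every enrollment in that script fails on the missing root cert.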
@@ -62,20 +62,6 @@ function create_org0_local_MSP() { fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-ecert-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp fabric-ca-client enroll --url https://org0-admin:org0adminpw@org0-ecert-ca --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/users/Admin@org0.example.com/msp - # Each node in the network needs a TLS registration and enrollment. - fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp - fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp - fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp - - fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-tls-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls - fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-tls-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls - fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-tls-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls - - # Copy the TLS signing keys to a fixed path for convenience when starting the orderers. 
- cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/server.key - cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/server.key - cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/server.key - # Create an MSP config.yaml (why is this not generated by the enrollment by fabric-ca-client?) echo "NodeOUs: Enable: true @@ -101,7 +87,7 @@ function create_org1_local_MSP() { echo 'set -x export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client - export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem + export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric-ca-server/tls/ca.crt # Each identity in the network needs a registration and enrollment. fabric-ca-client register --id.name org1-peer1 --id.secret peerpw --id.type peer --url https://org1-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ecert-ca/rcaadmin/msp 
@@ -112,17 +98,6 @@ function create_org1_local_MSP() { fabric-ca-client enroll --url https://org1-peer2:peerpw@org1-ecert-ca --csr.hosts org1-peer2,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/msp fabric-ca-client enroll --url https://org1-admin:org1adminpw@org1-ecert-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp - # Each node in the network needs a TLS registration and enrollment. - fabric-ca-client register --id.name org1-peer1 --id.secret peerpw --id.type peer --url https://org1-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp - fabric-ca-client register --id.name org1-peer2 --id.secret peerpw --id.type peer --url https://org1-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp - - fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-tls-ca --csr.hosts org1-peer1 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls - fabric-ca-client enroll --url https://org1-peer2:peerpw@org1-tls-ca --csr.hosts org1-peer2 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls - - # Copy the TLS signing keys to a fixed path for convenience when launching the peers - cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/tls/keystore/server.key - cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/tls/keystore/server.key - cp 
/var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/server.key # Create local MSP config.yaml @@ -151,7 +126,7 @@ function create_org1_local_MSP() { function create_org2_local_MSP() { echo 'set -x export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client - export FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem + export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric-ca-server/tls/ca.crt # Each identity in the network needs a registration and enrollment. fabric-ca-client register --id.name org2-peer1 --id.secret peerpw --id.type peer --url https://org2-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ecert-ca/rcaadmin/msp 
@@ -162,17 +137,6 @@ function create_org2_local_MSP() { fabric-ca-client enroll --url https://org2-peer2:peerpw@org2-ecert-ca --csr.hosts org2-peer2,org2-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/msp fabric-ca-client enroll --url https://org2-admin:org2adminpw@org2-ecert-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp - # Each node in the network needs a TLS registration and enrollment. - fabric-ca-client register --id.name org2-peer1 --id.secret peerpw --id.type peer --url https://org2-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp - fabric-ca-client register --id.name org2-peer2 --id.secret peerpw --id.type peer --url https://org2-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp - - fabric-ca-client enroll --url https://org2-peer1:peerpw@org2-tls-ca --csr.hosts org2-peer1 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls - fabric-ca-client enroll --url https://org2-peer2:peerpw@org2-tls-ca --csr.hosts org2-peer2 --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls - - # Copy the TLS signing keys to a fixed path for convenience when launching the peers - cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/tls/keystore/server.key - cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/tls/keystore/server.key - cp 
/var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/server.key # Create local MSP config.yaml @@ -214,16 +178,19 @@ function network_up() { load_org_config # Network TLS CAs - launch_TLS_CAs - enroll_bootstrap_TLS_CA_users +# launch_TLS_CAs +# enroll_bootstrap_TLS_CA_users + init_tls_cert_issuers # Network ECert CAs - register_enroll_ECert_CA_bootstrap_users + #register_enroll_ECert_CA_bootstrap_users + issue_ECert_CA_tls_certs launch_ECert_CAs enroll_bootstrap_ECert_CA_users # Test Network create_local_MSP + launch_orderers launch_peers }
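Review bot: The commented-out `# launch_TLS_CAs`, `# enroll_bootstrap_TLS_CA_users` and `#register_enroll_ECert_CA_bootstrap_users` lines in network_up leave dead calls next to live ones; if the cert-manager path replaces the TLS CA, delete them (history keeps the old flow) or put both paths behind one explicit switch, and say in the comment why `init_tls_cert_issuers` and `issue_ECert_CA_tls_certs` must precede `launch_ECert_CAs` (presumably because the CA deployment mounts the issued secret, so the certificate must be Ready first). The peer and orderer TLS enrollments are removed in the `@@ -62`, `@@ -112` and `@@ -162` hunks, but nothing visible in this diff issues replacement TLS material for the peers before `launch_peers`; if that happens in a part of the change not shown here, a comment at the call site would help, otherwise the peers start without a TLS key pair. `$NS` in the new kubectl calls of the first hunk is also unquoted, unlike `"$NS"` style that survives an empty or space-containing value.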