From 9f9cec7195c28a2857715bbbcb79667884ad942b Mon Sep 17 00:00:00 2001 From: jkneubuh <86427252+jkneubuh@users.noreply.github.com> Date: Fri, 5 Aug 2022 08:17:05 -0400 Subject: [PATCH] Run RCAADMIN registration on the host OS, not in k8s (#809) * Run RCAADMIN registration on the host OS, not in k8s Signed-off-by: Josh Kneubuhl * Fix a typo that caused the log trailer to not exit cleanly on error Signed-off-by: Josh Kneubuhl * allow a node registration to have been previously created. This allows for multiple 'network up' targets to be run. Signed-off-by: Josh Kneubuhl --- test-network-k8s/network | 7 +-- test-network-k8s/scripts/channel.sh | 30 +++------- test-network-k8s/scripts/fabric_CAs.sh | 29 ++++++---- test-network-k8s/scripts/test_network.sh | 70 ++++++------------------ 4 files changed, 46 insertions(+), 90 deletions(-) diff --git a/test-network-k8s/network b/test-network-k8s/network index 6fc280e9..c1dd8559 100755 --- a/test-network-k8s/network +++ b/test-network-k8s/network @@ -50,16 +50,15 @@ context K8S_CHAINCODE_BUILDER_VERSION v0.6.0 context LOG_FILE network.log context DEBUG_FILE network-debug.log -context LOG_ERROR_LINE 1 +context LOG_ERROR_LINES 2 context LOCAL_REGISTRY_NAME kind-registry context LOCAL_REGISTRY_PORT 5000 context STAGE_DOCKER_IMAGES false context NGINX_HTTP_PORT 80 context NGINX_HTTPS_PORT 443 -# todo: more complicated config, as these bleed into the yaml descriptors (sed? kustomize? helm (no)? tkn? ansible?...) or other script locations -context TLSADMIN_AUTH tlsadmin:tlsadminpw -context RCAADMIN_AUTH rcaadmin:rcaadminpw +context RCAADMIN_USER rcaadmin +context RCAADMIN_PASS rcaadminpw function print_help() { set +x diff --git a/test-network-k8s/scripts/channel.sh b/test-network-k8s/scripts/channel.sh index 38bd86b4..080d4632 100644 --- a/test-network-k8s/scripts/channel.sh +++ b/test-network-k8s/scripts/channel.sh 
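Review bot: The removed `# todo` line was the only note recording that these CA admin credentials are duplicated in the yaml descriptors, and the new `RCAADMIN_USER`/`RCAADMIN_PASS` pair presumably still has to match whatever bootstraps the org CAs in the cluster, which this hunk does not touch. I would keep a one-line warning next to the two new `context` lines, e.g. `# must match the bootstrap identity configured for the org CAs in the k8s manifests`, so that changing the default password here does not surface later as an enroll failure in enroll_bootstrap_ECert_CA_user. `TLSADMIN_AUTH` is dropped without a replacement; if any script or manifest still reads it, the `context` defaults no longer provide it, which is worth a grep before merge. The rename to `LOG_ERROR_LINES` presumably matches the consumer referred to by the "log trailer" fix in the commit message, but that consumer is not visible in this hunk.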
@@ -54,20 +54,14 @@ function register_org_admin() { echo "Registering org admin $username" - cat < ${CA_DIR}/tlsca-cert.pem - # enroll the org admin FABRIC_CA_CLIENT_HOME=${ORG_ADMIN_DIR} fabric-ca-client enroll \ --url ${CA_URL} \ diff --git a/test-network-k8s/scripts/fabric_CAs.sh b/test-network-k8s/scripts/fabric_CAs.sh index fd31b555..a47b96b4 100755 --- a/test-network-k8s/scripts/fabric_CAs.sh +++ b/test-network-k8s/scripts/fabric_CAs.sh @@ -45,25 +45,32 @@ function init_tls_cert_issuers() { function enroll_bootstrap_ECert_CA_user() { local org=$1 - local auth=$2 - local ecert_ca=${org}-ca - echo 'set -x + # Determine the CA information and TLS certificate + CA_NAME=${org}-ca + CA_DIR=${TEMP_DIR}/cas/${CA_NAME} + mkdir -p ${CA_DIR} + # Read the CA's TLS certificate from the cert-manager CA secret + echo "retrieving ${CA_NAME} TLS root cert" + kubectl -n $NS get secret ${CA_NAME}-tls-cert -o json \ + | jq -r .data.\"ca.crt\" \ + | base64 -d \ + > ${CA_DIR}/tlsca-cert.pem + + # Enroll the root CA user fabric-ca-client enroll \ - --url https://'${auth}'@'${ecert_ca}' \ - --tls.certfiles /var/hyperledger/fabric/config/tls/ca.crt \ - --mspdir $FABRIC_CA_CLIENT_HOME/'${ecert_ca}'/rcaadmin/msp - - ' | exec kubectl -n $NS exec deploy/${ecert_ca} -i -- /bin/sh + --url https://${RCAADMIN_USER}:${RCAADMIN_PASS}@${CA_NAME}.${DOMAIN}:${NGINX_HTTPS_PORT} \ + --tls.certfiles $TEMP_DIR/cas/${CA_NAME}/tlsca-cert.pem \ + --mspdir $TEMP_DIR/enrollments/${org}/users/${RCAADMIN_USER}/msp } function enroll_bootstrap_ECert_CA_users() { push_fn "Enrolling bootstrap ECert CA users" - enroll_bootstrap_ECert_CA_user org0 $RCAADMIN_AUTH - enroll_bootstrap_ECert_CA_user org1 $RCAADMIN_AUTH - enroll_bootstrap_ECert_CA_user org2 $RCAADMIN_AUTH + enroll_bootstrap_ECert_CA_user org0 + enroll_bootstrap_ECert_CA_user org1 + enroll_bootstrap_ECert_CA_user org2 pop_fn } \ No newline at end of file 
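Review bot: In the fabric_CAs.sh hunk, the `kubectl ... | jq ... | base64 -d > ${CA_DIR}/tlsca-cert.pem` pipeline in enroll_bootstrap_ECert_CA_user is unchecked: if the `${CA_NAME}-tls-cert` secret is missing or not yet populated, the redirect still creates an empty tlsca-cert.pem and the following `fabric-ca-client enroll` fails, presumably on TLS setup, with a message that points away from the real cause, unless the driver already runs with `set -o pipefail`, which this hunk does not show. A guard after the retrieval, `[ -s ${CA_DIR}/tlsca-cert.pem ] || { echo "failed to retrieve ${CA_NAME} TLS root cert" >&2; return 1; }`, makes the failure explicit at the point where the trust anchor for every later CA call is established. Moving enrollment to the host also places `${RCAADMIN_PASS}` on the host command line via `--url https://user:pass@...`, where it is visible in `ps` and in any `set -x` trace; the old in-cluster variant echoed the same URL under `set -x`, so this is not a regression, but passing the URL through `FABRIC_CA_CLIENT_URL` in the environment would keep it off argv. The unquoted `$TEMP_DIR`/`${CA_DIR}` expansions will also break on paths containing spaces.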
diff --git a/test-network-k8s/scripts/test_network.sh b/test-network-k8s/scripts/test_network.sh index 94aad931..b50b4b8a 100755 --- a/test-network-k8s/scripts/test_network.sh +++ b/test-network-k8s/scripts/test_network.sh 
@@ -35,23 +35,6 @@ function launch_peers() { pop_fn } -# todo: enroll org admin LOCALLY from the host OS -# fabric-ca-client register --id.name org1-admin --id.secret org1adminpw --id.type admin --url https://org1-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -# fabric-ca-client enroll --url https://org1-admin:org1adminpw@org1-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp -# cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/server.key -# cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/config.yaml - -# fabric-ca-client register --id.name org1-admin --id.secret org1adminpw --id.type admin --url https://org1-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -# fabric-ca-client enroll --url https://org1-admin:org1adminpw@org1-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp -# cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/server.key -# cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp/config.yaml 
/var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/config.yaml - -# fabric-ca-client register --id.name org2-admin --id.secret org2adminpw --id.type admin --url https://org2-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -# fabric-ca-client enroll --url https://org2-admin:org2adminpw@org2-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp -# cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/server.key -# cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/config.yaml - - # Each network node needs a registration, enrollment, and MSP config.yaml function create_node_local_MSP() { local node_type=$1 
@@ -62,20 +45,29 @@ function create_node_local_MSP() { local id_secret=${node_type}pw local ca_name=${org}-ca + # Register the node admin + rc=0 + fabric-ca-client register \ + --id.name ${id_name} \ + --id.secret ${id_secret} \ + --id.type ${node_type} \ + --url https://${ca_name}.${DOMAIN} \ + --tls.certfiles $TEMP_DIR/cas/${ca_name}/tlsca-cert.pem \ + --mspdir $TEMP_DIR/enrollments/${org}/users/${RCAADMIN_USER}/msp \ + || rc=$? # trap error code from registration without exiting the network driver script" + + if [ $rc -eq 1 ]; then + echo "CA admin was (probably) previously registered - continuing" + fi + + # Enroll the node admin user from within k8s. This will leave the certificates available on a volume share in the + # cluster for access by the nodes when launching in a container. cat <