epistemophiliac/fabric-samples
1
0
Fork 0
mirror of https://github.com/hyperledger/fabric-samples.git synced 2026-06-22 09:35:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Run RCAADMIN registration on the host OS, not in k8s (#809)

Browse source 
* Run RCAADMIN registration on the host OS, not in k8s

Signed-off-by: Josh Kneubuhl <jkneubuh@us.ibm.com>

* Fix a typo that caused the log trailer to not exit cleanly on error

Signed-off-by: Josh Kneubuhl <jkneubuh@us.ibm.com>

* allow a node registration to have been previously created.  This allows for multiple 'network up' targets to be run.

Signed-off-by: Josh Kneubuhl <jkneubuh@us.ibm.com>
This commit is contained in:
jkneubuh 2022-08-05 08:17:05 -04:00 committed by GitHub
parent a1b7d20ebe
commit 9f9cec7195
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 46 additions and 90 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
test-network-k8s/network
View file

@ -50,16 +50,15 @@ context K8S_CHAINCODE_BUILDER_VERSION v0.6.0
context LOG_FILE network.log context LOG_FILE network.log
context DEBUG_FILE network-debug.log context DEBUG_FILE network-debug.log
context LOG_ERROR_LINE 1 context LOG_ERROR_LINES 2
context LOCAL_REGISTRY_NAME kind-registry context LOCAL_REGISTRY_NAME kind-registry
context LOCAL_REGISTRY_PORT 5000 context LOCAL_REGISTRY_PORT 5000
context STAGE_DOCKER_IMAGES false context STAGE_DOCKER_IMAGES false
context NGINX_HTTP_PORT 80 context NGINX_HTTP_PORT 80
context NGINX_HTTPS_PORT 443 context NGINX_HTTPS_PORT 443
# todo: more complicated config, as these bleed into the yaml descriptors (sed? kustomize? helm (no)? tkn? ansible?...) or other script locations context RCAADMIN_USER rcaadmin
context TLSADMIN_AUTH tlsadmin:tlsadminpw context RCAADMIN_PASS rcaadminpw
context RCAADMIN_AUTH rcaadmin:rcaadminpw
function print_help() { function print_help() {
set +x set +x

30
test-network-k8s/scripts/channel.sh
View file

@ -54,20 +54,14 @@ function register_org_admin() {
echo "Registering org admin $username" echo "Registering org admin $username"
cat <<EOF | kubectl -n $NS exec deploy/${ca_name} -i -- /bin/sh fabric-ca-client register \
--id.name ${id_name} \
set -x --id.secret ${id_secret} \
export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client --id.type ${type} \
export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric/config/tls/ca.crt --url https://${ca_name}.${DOMAIN} \
--tls.certfiles $TEMP_DIR/cas/${ca_name}/tlsca-cert.pem \
fabric-ca-client register \ --mspdir $TEMP_DIR/enrollments/${org}/users/${RCAADMIN_USER}/msp \
--id.name ${id_name} \ --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
--id.secret ${id_secret} \
--id.type ${type} \
--url https://${ca_name} \
--mspdir /var/hyperledger/fabric-ca-client/${ca_name}/rcaadmin/msp \
--id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
EOF
} }
function enroll_org_admins() { function enroll_org_admins() {
@ -101,20 +95,12 @@ function enroll_org_admin() {
# Determine the CA information and TLS certificate # Determine the CA information and TLS certificate
CA_NAME=${org}-ca CA_NAME=${org}-ca
CA_DIR=${TEMP_DIR}/cas/${CA_NAME} CA_DIR=${TEMP_DIR}/cas/${CA_NAME}
mkdir -p ${CA_DIR}
CA_AUTH=${username}:${password} CA_AUTH=${username}:${password}
CA_HOST=${CA_NAME}.${DOMAIN} CA_HOST=${CA_NAME}.${DOMAIN}
CA_PORT=${NGINX_HTTPS_PORT} CA_PORT=${NGINX_HTTPS_PORT}
CA_URL=https://${CA_AUTH}@${CA_HOST}:${CA_PORT} CA_URL=https://${CA_AUTH}@${CA_HOST}:${CA_PORT}
# Read the CA's TLS certificate from the cert-manager CA secret
echo "retrieving ${org}-ca TLS root cert"
kubectl -n $NS get secret ${org}-ca-tls-cert -o json \
| jq -r .data.\"ca.crt\" \
| base64 -d \
> ${CA_DIR}/tlsca-cert.pem
# enroll the org admin # enroll the org admin
FABRIC_CA_CLIENT_HOME=${ORG_ADMIN_DIR} fabric-ca-client enroll \ FABRIC_CA_CLIENT_HOME=${ORG_ADMIN_DIR} fabric-ca-client enroll \
--url ${CA_URL} \ --url ${CA_URL} \

29
test-network-k8s/scripts/fabric_CAs.sh
View file

@ -45,25 +45,32 @@ function init_tls_cert_issuers() {
function enroll_bootstrap_ECert_CA_user() { function enroll_bootstrap_ECert_CA_user() {
local org=$1 local org=$1
local auth=$2
local ecert_ca=${org}-ca
echo 'set -x # Determine the CA information and TLS certificate
CA_NAME=${org}-ca
CA_DIR=${TEMP_DIR}/cas/${CA_NAME}
mkdir -p ${CA_DIR}
# Read the CA's TLS certificate from the cert-manager CA secret
echo "retrieving ${CA_NAME} TLS root cert"
kubectl -n $NS get secret ${CA_NAME}-tls-cert -o json \
| jq -r .data.\"ca.crt\" \
| base64 -d \
> ${CA_DIR}/tlsca-cert.pem
# Enroll the root CA user
fabric-ca-client enroll \ fabric-ca-client enroll \
--url https://'${auth}'@'${ecert_ca}' \ --url https://${RCAADMIN_USER}:${RCAADMIN_PASS}@${CA_NAME}.${DOMAIN}:${NGINX_HTTPS_PORT} \
--tls.certfiles /var/hyperledger/fabric/config/tls/ca.crt \ --tls.certfiles $TEMP_DIR/cas/${CA_NAME}/tlsca-cert.pem \
--mspdir $FABRIC_CA_CLIENT_HOME/'${ecert_ca}'/rcaadmin/msp --mspdir $TEMP_DIR/enrollments/${org}/users/${RCAADMIN_USER}/msp
' | exec kubectl -n $NS exec deploy/${ecert_ca} -i -- /bin/sh
} }
function enroll_bootstrap_ECert_CA_users() { function enroll_bootstrap_ECert_CA_users() {
push_fn "Enrolling bootstrap ECert CA users" push_fn "Enrolling bootstrap ECert CA users"
enroll_bootstrap_ECert_CA_user org0 $RCAADMIN_AUTH enroll_bootstrap_ECert_CA_user org0
enroll_bootstrap_ECert_CA_user org1 $RCAADMIN_AUTH enroll_bootstrap_ECert_CA_user org1
enroll_bootstrap_ECert_CA_user org2 $RCAADMIN_AUTH enroll_bootstrap_ECert_CA_user org2
pop_fn pop_fn
} }

70
test-network-k8s/scripts/test_network.sh
View file

@ -35,23 +35,6 @@ function launch_peers() {
pop_fn pop_fn
} }
# todo: enroll org admin LOCALLY from the host OS
# fabric-ca-client register --id.name org1-admin --id.secret org1adminpw --id.type admin --url https://org1-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
# fabric-ca-client enroll --url https://org1-admin:org1adminpw@org1-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
# cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/server.key
# cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/config.yaml
# fabric-ca-client register --id.name org1-admin --id.secret org1adminpw --id.type admin --url https://org1-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
# fabric-ca-client enroll --url https://org1-admin:org1adminpw@org1-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
# cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/server.key
# cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/config.yaml
# fabric-ca-client register --id.name org2-admin --id.secret org2adminpw --id.type admin --url https://org2-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
# fabric-ca-client enroll --url https://org2-admin:org2adminpw@org2-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp
# cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/server.key
# cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/config.yaml
# Each network node needs a registration, enrollment, and MSP config.yaml # Each network node needs a registration, enrollment, and MSP config.yaml
function create_node_local_MSP() { function create_node_local_MSP() {
local node_type=$1 local node_type=$1
@ -62,20 +45,29 @@ function create_node_local_MSP() {
local id_secret=${node_type}pw local id_secret=${node_type}pw
local ca_name=${org}-ca local ca_name=${org}-ca
# Register the node admin
rc=0
fabric-ca-client register \
--id.name ${id_name} \
--id.secret ${id_secret} \
--id.type ${node_type} \
--url https://${ca_name}.${DOMAIN} \
--tls.certfiles $TEMP_DIR/cas/${ca_name}/tlsca-cert.pem \
--mspdir $TEMP_DIR/enrollments/${org}/users/${RCAADMIN_USER}/msp \
|| rc=$? # trap error code from registration without exiting the network driver script"
if [ $rc -eq 1 ]; then
echo "CA admin was (probably) previously registered - continuing"
fi
# Enroll the node admin user from within k8s. This will leave the certificates available on a volume share in the
# cluster for access by the nodes when launching in a container.
cat <<EOF | kubectl -n $NS exec deploy/${ca_name} -i -- /bin/sh cat <<EOF | kubectl -n $NS exec deploy/${ca_name} -i -- /bin/sh
set -x set -x
export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client export FABRIC_CA_CLIENT_HOME=/var/hyperledger/fabric-ca-client
export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric/config/tls/ca.crt export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric/config/tls/ca.crt
# Each identity in the network needs a registration and enrollment.
fabric-ca-client register \
--id.name ${id_name} \
--id.secret ${id_secret} \
--id.type ${node_type} \
--url https://${ca_name} \
--mspdir /var/hyperledger/fabric-ca-client/${ca_name}/rcaadmin/msp
fabric-ca-client enroll \ fabric-ca-client enroll \
--url https://${id_name}:${id_secret}@${ca_name} \ --url https://${id_name}:${id_secret}@${ca_name} \
--csr.hosts ${csr_hosts} \ --csr.hosts ${csr_hosts} \
@ -130,32 +122,6 @@ function create_local_MSP() {
pop_fn pop_fn
} }
#
## TLS certificates are isused by the CA's Issuer, stored in a Kube secret, and mounted into the pod at /var/hyperledger/fabric/config/tls.
## For consistency with the Fabric-CA guide, his function copies the orderer's TLS certs into the traditional Fabric MSP / folder structure.
#function extract_orderer_tls_cert() {
# local orderer=$1
#
# echo 'set -x
#
# mkdir -p /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/'${orderer}'.org0.example.com/tls/signcerts/
#
# cp \
# var/hyperledger/fabric/config/tls/tls.crt \
# /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/'${orderer}'.org0.example.com/tls/signcerts/cert.pem
#
# ' | exec kubectl -n $NS exec deploy/${orderer} -i -c main -- /bin/sh
#}
#
#function extract_orderer_tls_certs() {
# push_fn "Extracting orderer TLS certs to local MSP folder"
#
# extract_orderer_tls_cert org0-orderer1
# extract_orderer_tls_cert org0-orderer2
# extract_orderer_tls_cert org0-orderer3
#
# pop_fn
#}
function network_up() { function network_up() {
@ -182,8 +148,6 @@ function network_up() {
launch_orderers launch_orderers
launch_peers launch_peers
# extract_orderer_tls_certs
} }
function stop_services() { function stop_services() {