diff --git a/test-network-k8s/config/org0/fabric-ecert-ca-server-config.yaml b/test-network-k8s/config/org0/fabric-ca-server-config.yaml
similarity index 99%
rename from test-network-k8s/config/org0/fabric-ecert-ca-server-config.yaml
rename to test-network-k8s/config/org0/fabric-ca-server-config.yaml
index eff91c34..d2c5fd9b 100644
--- a/test-network-k8s/config/org0/fabric-ecert-ca-server-config.yaml
+++ b/test-network-k8s/config/org0/fabric-ca-server-config.yaml
@@ -86,7 +86,7 @@ tls:
 #############################################################################
 ca:
 # Name of this CA
- name: org0-ecert-ca
+ name: org0-ca
 # Key file (is only used to import a private key into BCCSP)
 keyfile:
 # Certificate file (default: ca-cert.pem)
@@ -320,8 +320,8 @@ csr:
 hosts:
 - localhost
 - 127.0.0.1
- - org0-ecert-ca
- - org0-ecert-ca.test-network.svc.cluster.local
+ - org0-ca
+ - org0-ca.test-network.svc.cluster.local
 ca:
 expiry: 131400h
 pathlength: 1
diff --git a/test-network-k8s/config/org0/fabric-tls-ca-server-config.yaml b/test-network-k8s/config/org0/fabric-tls-ca-server-config.yaml
deleted file mode 100644
index b574e72b..00000000
--- a/test-network-k8s/config/org0/fabric-tls-ca-server-config.yaml
+++ /dev/null
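Review bot: Renaming `org0-ecert-ca` to `org0-ca` in the `ca.name` hunk, together with the deletion of `org0/fabric-tls-ca-server-config.yaml` that follows, leaves a single root CA issuing both MSP enrollment certificates and TLS certificates for the org; the org1 section further down makes the same change. Fabric deployments normally keep a separate TLS CA so that the TLS trust anchors are distinct from the MSP signing root, which limits the impact of one key set leaking and lets the TLS root be rotated on its own; for a test network the simplification is defensible but should be called out in the README. The kept `fabric-ca-server-config.yaml` is not visible in this hunk, so confirm its `signing` section still provides a profile with `server auth`/`client auth` usage now that it issues TLS certificates (the deleted TLS CA had `profiles: null` and relied on `signing.default.usage` carrying those). Changing `ca.name` also changes the name the server records in its datastore and the `--caname` enroll requests must pass, so any manifests or scripts still referencing `org0-ecert-ca` or `org0-tls-ca` need the matching rename; they are outside this diff.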
@@ -1,496 +0,0 @@
-#############################################################################
-# This is a configuration file for the fabric-ca-server command.
-#
-# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
-# ------------------------------------------------
-# Each configuration element can be overridden via command line
-# arguments or environment variables. The precedence for determining
-# the value of each element is as follows:
-# 1) command line argument
-# Examples:
-# a) --port 443
-# To set the listening port
-# b) --ca.keyfile ../mykey.pem
-# To set the "keyfile" element in the "ca" section below;
-# note the '.' separator character.
-# 2) environment variable
-# Examples:
-# a) FABRIC_CA_SERVER_PORT=443
-# To set the listening port
-# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
-# To set the "keyfile" element in the "ca" section below;
-# note the '_' separator character.
-# 3) configuration file
-# 4) default value (if there is one)
-# All default values are shown beside each element below.
-#
-# FILE NAME ELEMENTS
-# ------------------
-# The value of all fields whose name ends with "file" or "files" are
-# name or names of other files.
-# For example, see "tls.certfile" and "tls.clientauth.certfiles".
-# The value of each of these fields can be a simple filename, a
-# relative path, or an absolute path. If the value is not an
-# absolute path, it is interpretted as being relative to the location
-# of this configuration file.
-#
-#############################################################################
-
-# Version of config file
-version: 1.5.2
-
-# Server's listening port (default: 7054)
-port: 443
-
-# Cross-Origin Resource Sharing (CORS)
-cors:
- enabled: false
- origins:
- - "*"
-
-# Enables debug logging (default: false)
-debug: false
-
-# Size limit of an acceptable CRL in bytes (default: 512000)
-crlsizelimit: 512000
-
-#############################################################################
-# TLS section for the server's listening port
-#
-# The following types are supported for client authentication: NoClientCert,
-# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
-# and RequireAndVerifyClientCert.
-#
-# Certfiles is a list of root certificate authorities that the server uses
-# when verifying client certificates.
-#############################################################################
-tls:
- # Enable TLS (default: false)
- enabled: true
- # TLS for the server's listening port
- certfile:
- keyfile:
- clientauth:
- type: noclientcert
- certfiles:
-
-#############################################################################
-# The CA section contains information related to the Certificate Authority
-# including the name of the CA, which should be unique for all members
-# of a blockchain network. It also includes the key and certificate files
-# used when issuing enrollment certificates (ECerts) and transaction
-# certificates (TCerts).
-# The chainfile (if it exists) contains the certificate chain which
-# should be trusted for this CA, where the 1st in the chain is always the
-# root CA certificate.
-#############################################################################
-ca:
- # Name of this CA
- name: org0-tls-ca
- # Key file (is only used to import a private key into BCCSP)
- keyfile:
- # Certificate file (default: ca-cert.pem)
- certfile:
- # Chain file
- chainfile:
-
-#############################################################################
-# The gencrl REST endpoint is used to generate a CRL that contains revoked
-# certificates. This section contains configuration options that are used
-# during gencrl request processing.
-#############################################################################
-crl:
- # Specifies expiration for the generated CRL. The number of hours
- # specified by this property is added to the UTC time, the resulting time
- # is used to set the 'Next Update' date of the CRL.
- expiry: 24h
-
-#############################################################################
-# The registry section controls how the fabric-ca-server does two things:
-# 1) authenticates enrollment requests which contain a username and password
-# (also known as an enrollment ID and secret).
-# 2) once authenticated, retrieves the identity's attribute names and
-# values which the fabric-ca-server optionally puts into TCerts
-# which it issues for transacting on the Hyperledger Fabric blockchain.
-# These attributes are useful for making access control decisions in
-# chaincode.
-# There are two main configuration options:
-# 1) The fabric-ca-server is the registry.
-# This is true if "ldap.enabled" in the ldap section below is false.
-# 2) An LDAP server is the registry, in which case the fabric-ca-server
-# calls the LDAP server to perform these tasks.
-# This is true if "ldap.enabled" in the ldap section below is true,
-# which means this "registry" section is ignored.
-#############################################################################
-registry:
- # Maximum number of times a password/secret can be reused for enrollment
- # (default: -1, which means there is no limit)
- maxenrollments: -1
-
- # Contains identity information which is used when LDAP is disabled
- identities:
- - name: tlsadmin
- pass: tlsadminpw
- type: client
- affiliation: ""
- attrs:
- hf.Registrar.Roles: "*"
- hf.Registrar.DelegateRoles: "*"
- hf.Revoker: true
- hf.IntermediateCA: true
- hf.GenCRL: true
- hf.Registrar.Attributes: "*"
- hf.AffiliationMgr: true
-
-#############################################################################
-# Database section
-# Supported types are: "sqlite3", "postgres", and "mysql".
-# The datasource value depends on the type.
-# If the type is "sqlite3", the datasource value is a file name to use
-# as the database store. Since "sqlite3" is an embedded database, it
-# may not be used if you want to run the fabric-ca-server in a cluster.
-# To run the fabric-ca-server in a cluster, you must choose "postgres"
-# or "mysql".
-#############################################################################
-db:
- type: sqlite3
- datasource: fabric-ca-server.db
- tls:
- enabled: false
- certfiles:
- client:
- certfile:
- keyfile:
-
-#############################################################################
-# LDAP section
-# If LDAP is enabled, the fabric-ca-server calls LDAP to:
-# 1) authenticate enrollment ID and secret (i.e. username and password)
-# for enrollment requests;
-# 2) To retrieve identity attributes
-#############################################################################
-ldap:
- # Enables or disables the LDAP client (default: false)
- # If this is set to true, the "registry" section is ignored.
- enabled: false
- # The URL of the LDAP server
- url: ldap://:@:/
- # TLS configuration for the client connection to the LDAP server
- tls:
- certfiles:
- client:
- certfile:
- keyfile:
- # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
- attribute:
- # 'names' is an array of strings containing the LDAP attribute names which are
- # requested from the LDAP server for an LDAP identity's entry
- names: ['uid','member']
- # The 'converters' section is used to convert an LDAP entry to the value of
- # a fabric CA attribute.
- # For example, the following converts an LDAP 'uid' attribute
- # whose value begins with 'revoker' to a fabric CA attribute
- # named "hf.Revoker" with a value of "true" (because the boolean expression
- # evaluates to true).
- # converters:
- # - name: hf.Revoker
- # value: attr("uid") =~ "revoker*"
- converters:
- - name:
- value:
- # The 'maps' section contains named maps which may be referenced by the 'map'
- # function in the 'converters' section to map LDAP responses to arbitrary values.
- # For example, assume a user has an LDAP attribute named 'member' which has multiple
- # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
- # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
- # Further assume the following configuration.
- # converters:
- # - name: hf.Registrar.Roles
- # value: map(attr("member"),"groups")
- # maps:
- # groups:
- # - name: dn1
- # value: peer
- # - name: dn2
- # value: client
- # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
- # "peer,client,dn3". This is because the value of 'attr("member")' is
- # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
- # "group" replaces "dn1" with "peer" and "dn2" with "client".
- maps:
- groups:
- - name:
- value:
-
-#############################################################################
-# Affiliations section. Fabric CA server can be bootstrapped with the
-# affiliations specified in this section. Affiliations are specified as maps.
-# For example:
-# businessunit1:
-# department1:
-# - team1
-# businessunit2:
-# - department2
-# - department3
-#
-# Affiliations are hierarchical in nature. In the above example,
-# department1 (used as businessunit1.department1) is the child of businessunit1.
-# team1 (used as businessunit1.department1.team1) is the child of department1.
-# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
-# are children of businessunit2.
-# Note: Affiliations are case sensitive except for the non-leaf affiliations
-# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
-# which are always stored in lower case.
-#############################################################################
-affiliations:
- org1:
- - department1
- - department2
- org2:
- - department1
-
-#############################################################################
-# Signing section
-#
-# The "default" subsection is used to sign enrollment certificates;
-# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
-#
-# The "ca" profile subsection is used to sign intermediate CA certificates;
-# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
-# Note that "isca" is true, meaning that it issues a CA certificate.
-# A maxpathlen of 0 means that the intermediate CA cannot issue other
-# intermediate CA certificates, though it can still issue end entity certificates.
-# (See RFC 5280, section 4.2.1.9)
-#
-# The "tls" profile subsection is used to sign TLS certificate requests;
-# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
-#############################################################################
-signing:
- default:
- authremote: {}
- caconstraint: {}
- expiry: 8760h
- usage:
- - signing
- - key encipherment
- - server auth
- - client auth
- - key agreement
- profiles: null
-
-###########################################################################
-# Certificate Signing Request (CSR) section.
-# This controls the creation of the root CA certificate.
-# The expiration for the root CA certificate is configured with the
-# "ca.expiry" field below, whose default value is "131400h" which is
-# 15 years in hours.
-# The pathlength field is used to limit CA certificate hierarchy as described
-# in section 4.2.1.9 of RFC 5280.
-# Examples:
-# 1) No pathlength value means no limit is requested.
-# 2) pathlength == 1 means a limit of 1 is requested which is the default for
-# a root CA. This means the root CA can issue intermediate CA certificates,
-# but these intermediate CAs may not in turn issue other CA certificates
-# though they can still issue end entity certificates.
-# 3) pathlength == 0 means a limit of 0 is requested;
-# this is the default for an intermediate CA, which means it can not issue
-# CA certificates though it can still issue end entity certificates.
-###########################################################################
-csr:
- cn: fabric-ca-server
- keyrequest:
- algo: ecdsa
- size: 256
- names:
- - C: US
- ST: "North Carolina"
- L:
- O: Hyperledger
- OU: Fabric
- hosts:
- - localhost
- - 127.0.0.1
- - org0-tls-ca
- - org0-tls-ca.test-network.svc.cluster.local
- ca:
- expiry: 131400h
- pathlength: 1
-
-###########################################################################
-# Each CA can issue both X509 enrollment certificate as well as Idemix
-# Credential. This section specifies configuration for the issuer component
-# that is responsible for issuing Idemix credentials.
-###########################################################################
-idemix:
- # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
- # Idemix credential. The issuer will create a pool revocation handles of this specified size. When
- # a credential is requested, issuer will get handle from the pool and assign it to the credential.
- # Issuer will repopulate the pool with new handles when the last handle in the pool is used.
- # A revocation handle and credential revocation information (CRI) are used to create non revocation proof
- # by the prover to prove to the verifier that her credential is not revoked.
- rhpoolsize: 1000
-
- # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
- # and second step is send credential request that is constructed using the nonce to the isuser to
- # request a credential. This configuration property specifies expiration for the nonces. By default is
- # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
- nonceexpiration: 15s
-
- # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
- # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
- noncesweepinterval: 15m
-
-#############################################################################
-# BCCSP (BlockChain Crypto Service Provider) section is used to select which
-# crypto library implementation to use
-#############################################################################
-bccsp:
- default: SW
- sw:
- hash: SHA2
- security: 256
- filekeystore:
- # The directory used for the software file-based keystore
- keystore: msp/keystore
-
-#############################################################################
-# Multi CA section
-#
-# Each Fabric CA server contains one CA by default. This section is used
-# to configure multiple CAs in a single server.
-#
-# 1) --cacount
-# Automatically generate non-default CAs. The names of these
-# additional CAs are "ca1", "ca2", ... "caN", where "N" is
-# This is particularly useful in a development environment to quickly set up
-# multiple CAs. Note that, this config option is not applicable to intermediate CA server
-# i.e., Fabric CA server that is started with intermediate.parentserver.url config
-# option (-u command line option)
-#
-# 2) --cafiles
-# For each CA config file in the list, generate a separate signing CA. Each CA
-# config file in this list MAY contain all of the same elements as are found in
-# the server config file except port, debug, and tls sections.
-#
-# Examples:
-# fabric-ca-server start -b admin:adminpw --cacount 2
-#
-# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
-# --cafiles ca/ca2/fabric-ca-server-config.yaml
-#
-#############################################################################
-
-cacount:
-
-cafiles:
-
-#############################################################################
-# Intermediate CA section
-#
-# The relationship between servers and CAs is as follows:
-# 1) A single server process may contain or function as one or more CAs.
-# This is configured by the "Multi CA section" above.
-# 2) Each CA is either a root CA or an intermediate CA.
-# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
-#
-# This section pertains to configuration of #2 and #3.
-# If the "intermediate.parentserver.url" property is set,
-# then this is an intermediate CA with the specified parent
-# CA.
-#
-# parentserver section
-# url - The URL of the parent server
-# caname - Name of the CA to enroll within the server
-#
-# enrollment section used to enroll intermediate CA with parent CA
-# profile - Name of the signing profile to use in issuing the certificate
-# label - Label to use in HSM operations
-#
-# tls section for secure socket connection
-# certfiles - PEM-encoded list of trusted root certificate files
-# client:
-# certfile - PEM-encoded certificate file for when client authentication
-# is enabled on server
-# keyfile - PEM-encoded key file for when client authentication
-# is enabled on server
-#############################################################################
-intermediate:
- parentserver:
- url:
- caname:
-
- enrollment:
- hosts:
- profile:
- label:
-
- tls:
- certfiles:
- client:
- certfile:
- keyfile:
-
-#############################################################################
-# CA configuration section
-#
-# Configure the number of incorrect password attempts are allowed for
-# identities. By default, the value of 'passwordattempts' is 10, which
-# means that 10 incorrect password attempts can be made before an identity get
-# locked out.
-#############################################################################
-cfg:
- identities:
- passwordattempts: 10
-
-###############################################################################
-#
-# Operations section
-#
-###############################################################################
-operations:
- # host and port for the operations server
- listenAddress: 127.0.0.1:9444
-
- # TLS configuration for the operations endpoint
- tls:
- # TLS enabled
- enabled: false
-
- # path to PEM encoded server certificate for the operations server
- cert:
- file:
-
- # path to PEM encoded server key for the operations server
- key:
- file:
-
- # require client certificate authentication to access all resources
- clientAuthRequired: false
-
- # paths to PEM encoded ca certificates to trust for client authentication
- clientRootCAs:
- files: []
-
-###############################################################################
-#
-# Metrics section
-#
-###############################################################################
-metrics:
- # statsd, prometheus, or disabled
- provider: disabled
-
- # statsd configuration
- statsd:
- # network type: tcp or udp
- network: udp
-
- # statsd server address
- address: 127.0.0.1:8125
-
- # the interval at which locally cached counters and gauges are pushsed
- # to statsd; timings are pushed immediately
- writeInterval: 10s
-
- # prefix is prepended to all emitted statsd merics
- prefix: server
diff --git a/test-network-k8s/config/org2/fabric-ecert-ca-server-config.yaml b/test-network-k8s/config/org1/fabric-ca-server-config.yaml
similarity index 99%
rename from test-network-k8s/config/org2/fabric-ecert-ca-server-config.yaml
rename to test-network-k8s/config/org1/fabric-ca-server-config.yaml
index 23732ff8..ccce6f91 100644
--- a/test-network-k8s/config/org2/fabric-ecert-ca-server-config.yaml
+++ b/test-network-k8s/config/org1/fabric-ca-server-config.yaml
@@ -86,7 +86,7 @@ tls:
 #############################################################################
 ca:
 # Name of this CA
- name: org2-ecert-ca
+ name: org1-ca
 # Key file (is only used to import a private key into BCCSP)
 keyfile:
 # Certificate file (default: ca-cert.pem)
@@ -320,8 +320,8 @@ csr:
 hosts:
 - localhost
 - 127.0.0.1
- - org2-ecert-ca
- - org2-ecert-ca.test-network.svc.cluster.local
+ - org1-ca
+ - org1-ca.test-network.svc.cluster.local
 ca:
 expiry: 131400h
 pathlength: 1
diff --git a/test-network-k8s/config/org1/fabric-tls-ca-server-config.yaml b/test-network-k8s/config/org1/fabric-tls-ca-server-config.yaml
deleted file mode 100644
index 23860537..00000000
--- a/test-network-k8s/config/org1/fabric-tls-ca-server-config.yaml
+++ /dev/null
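Review bot: The file header pairs `org2/fabric-ecert-ca-server-config.yaml` as the rename source of `org1/fabric-ca-server-config.yaml`, so the `ca.name` hunk reads `org2-ecert-ca` → `org1-ca`; that is git's similarity-based rename detection rather than the intended per-org move, and it means the old `org1/fabric-ecert-ca-server-config.yaml` and the resulting `org2/fabric-ca-server-config.yaml` are diffed elsewhere or not shown in this chunk. Worth confirming that the org2 file ends up with `org2-ca` in both `ca.name` and the `csr.hosts` list, since a copy of this pair left unedited would put the wrong service name in the CA's TLS SAN list and clients connecting to `org2-ca.test-network.svc.cluster.local` would fail hostname verification. The `csr.hosts` hunk here is consistent with the new name for org1.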
@@ -1,496 +0,0 @@
-#############################################################################
-# This is a configuration file for the fabric-ca-server command.
-#
-# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
-# ------------------------------------------------
-# Each configuration element can be overridden via command line
-# arguments or environment variables. The precedence for determining
-# the value of each element is as follows:
-# 1) command line argument
-# Examples:
-# a) --port 443
-# To set the listening port
-# b) --ca.keyfile ../mykey.pem
-# To set the "keyfile" element in the "ca" section below;
-# note the '.' separator character.
-# 2) environment variable
-# Examples:
-# a) FABRIC_CA_SERVER_PORT=443
-# To set the listening port
-# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
-# To set the "keyfile" element in the "ca" section below;
-# note the '_' separator character.
-# 3) configuration file
-# 4) default value (if there is one)
-# All default values are shown beside each element below.
-#
-# FILE NAME ELEMENTS
-# ------------------
-# The value of all fields whose name ends with "file" or "files" are
-# name or names of other files.
-# For example, see "tls.certfile" and "tls.clientauth.certfiles".
-# The value of each of these fields can be a simple filename, a
-# relative path, or an absolute path. If the value is not an
-# absolute path, it is interpretted as being relative to the location
-# of this configuration file.
-#
-#############################################################################
-
-# Version of config file
-version: 1.5.2
-
-# Server's listening port (default: 7054)
-port: 443
-
-# Cross-Origin Resource Sharing (CORS)
-cors:
- enabled: false
- origins:
- - "*"
-
-# Enables debug logging (default: false)
-debug: false
-
-# Size limit of an acceptable CRL in bytes (default: 512000)
-crlsizelimit: 512000
-
-#############################################################################
-# TLS section for the server's listening port
-#
-# The following types are supported for client authentication: NoClientCert,
-# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
-# and RequireAndVerifyClientCert.
-#
-# Certfiles is a list of root certificate authorities that the server uses
-# when verifying client certificates.
-#############################################################################
-tls:
- # Enable TLS (default: false)
- enabled: true
- # TLS for the server's listening port
- certfile:
- keyfile:
- clientauth:
- type: noclientcert
- certfiles:
-
-#############################################################################
-# The CA section contains information related to the Certificate Authority
-# including the name of the CA, which should be unique for all members
-# of a blockchain network. It also includes the key and certificate files
-# used when issuing enrollment certificates (ECerts) and transaction
-# certificates (TCerts).
-# The chainfile (if it exists) contains the certificate chain which
-# should be trusted for this CA, where the 1st in the chain is always the
-# root CA certificate.
-#############################################################################
-ca:
- # Name of this CA
- name: org1-tls-ca
- # Key file (is only used to import a private key into BCCSP)
- keyfile:
- # Certificate file (default: ca-cert.pem)
- certfile:
- # Chain file
- chainfile:
-
-#############################################################################
-# The gencrl REST endpoint is used to generate a CRL that contains revoked
-# certificates. This section contains configuration options that are used
-# during gencrl request processing.
-#############################################################################
-crl:
- # Specifies expiration for the generated CRL. The number of hours
- # specified by this property is added to the UTC time, the resulting time
- # is used to set the 'Next Update' date of the CRL.
- expiry: 24h
-
-#############################################################################
-# The registry section controls how the fabric-ca-server does two things:
-# 1) authenticates enrollment requests which contain a username and password
-# (also known as an enrollment ID and secret).
-# 2) once authenticated, retrieves the identity's attribute names and
-# values which the fabric-ca-server optionally puts into TCerts
-# which it issues for transacting on the Hyperledger Fabric blockchain.
-# These attributes are useful for making access control decisions in
-# chaincode.
-# There are two main configuration options:
-# 1) The fabric-ca-server is the registry.
-# This is true if "ldap.enabled" in the ldap section below is false.
-# 2) An LDAP server is the registry, in which case the fabric-ca-server
-# calls the LDAP server to perform these tasks.
-# This is true if "ldap.enabled" in the ldap section below is true,
-# which means this "registry" section is ignored.
-#############################################################################
-registry:
- # Maximum number of times a password/secret can be reused for enrollment
- # (default: -1, which means there is no limit)
- maxenrollments: -1
-
- # Contains identity information which is used when LDAP is disabled
- identities:
- - name: tlsadmin
- pass: tlsadminpw
- type: client
- affiliation: ""
- attrs:
- hf.Registrar.Roles: "*"
- hf.Registrar.DelegateRoles: "*"
- hf.Revoker: true
- hf.IntermediateCA: true
- hf.GenCRL: true
- hf.Registrar.Attributes: "*"
- hf.AffiliationMgr: true
-
-#############################################################################
-# Database section
-# Supported types are: "sqlite3", "postgres", and "mysql".
-# The datasource value depends on the type.
-# If the type is "sqlite3", the datasource value is a file name to use
-# as the database store. Since "sqlite3" is an embedded database, it
-# may not be used if you want to run the fabric-ca-server in a cluster.
-# To run the fabric-ca-server in a cluster, you must choose "postgres"
-# or "mysql".
-#############################################################################
-db:
- type: sqlite3
- datasource: fabric-ca-server.db
- tls:
- enabled: false
- certfiles:
- client:
- certfile:
- keyfile:
-
-#############################################################################
-# LDAP section
-# If LDAP is enabled, the fabric-ca-server calls LDAP to:
-# 1) authenticate enrollment ID and secret (i.e. username and password)
-# for enrollment requests;
-# 2) To retrieve identity attributes
-#############################################################################
-ldap:
- # Enables or disables the LDAP client (default: false)
- # If this is set to true, the "registry" section is ignored.
- enabled: false
- # The URL of the LDAP server
- url: ldap://:@:/
- # TLS configuration for the client connection to the LDAP server
- tls:
- certfiles:
- client:
- certfile:
- keyfile:
- # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
- attribute:
- # 'names' is an array of strings containing the LDAP attribute names which are
- # requested from the LDAP server for an LDAP identity's entry
- names: ['uid','member']
- # The 'converters' section is used to convert an LDAP entry to the value of
- # a fabric CA attribute.
- # For example, the following converts an LDAP 'uid' attribute
- # whose value begins with 'revoker' to a fabric CA attribute
- # named "hf.Revoker" with a value of "true" (because the boolean expression
- # evaluates to true).
- # converters:
- # - name: hf.Revoker
- # value: attr("uid") =~ "revoker*"
- converters:
- - name:
- value:
- # The 'maps' section contains named maps which may be referenced by the 'map'
- # function in the 'converters' section to map LDAP responses to arbitrary values.
- # For example, assume a user has an LDAP attribute named 'member' which has multiple
- # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
- # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
- # Further assume the following configuration.
- # converters:
- # - name: hf.Registrar.Roles
- # value: map(attr("member"),"groups")
- # maps:
- # groups:
- # - name: dn1
- # value: peer
- # - name: dn2
- # value: client
- # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
- # "peer,client,dn3". This is because the value of 'attr("member")' is
- # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
- # "group" replaces "dn1" with "peer" and "dn2" with "client".
- maps:
- groups:
- - name:
- value:
-
-#############################################################################
-# Affiliations section. Fabric CA server can be bootstrapped with the
-# affiliations specified in this section. Affiliations are specified as maps.
-# For example:
-# businessunit1:
-# department1:
-# - team1
-# businessunit2:
-# - department2
-# - department3
-#
-# Affiliations are hierarchical in nature. In the above example,
-# department1 (used as businessunit1.department1) is the child of businessunit1.
-# team1 (used as businessunit1.department1.team1) is the child of department1.
-# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
-# are children of businessunit2.
-# Note: Affiliations are case sensitive except for the non-leaf affiliations
-# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
-# which are always stored in lower case.
-#############################################################################
-affiliations:
- org1:
- - department1
- - department2
- org2:
- - department1
-
-#############################################################################
-# Signing section
-#
-# The "default" subsection is used to sign enrollment certificates;
-# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
-#
-# The "ca" profile subsection is used to sign intermediate CA certificates;
-# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
-# Note that "isca" is true, meaning that it issues a CA certificate.
-# A maxpathlen of 0 means that the intermediate CA cannot issue other
-# intermediate CA certificates, though it can still issue end entity certificates.
-# (See RFC 5280, section 4.2.1.9)
-#
-# The "tls" profile subsection is used to sign TLS certificate requests;
-# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
-#############################################################################
-signing:
- default:
- authremote: {}
- caconstraint: {}
- expiry: 8760h
- usage:
- - signing
- - key encipherment
- - server auth
- - client auth
- - key agreement
- profiles: null
-
-###########################################################################
-# Certificate Signing Request (CSR) section.
-# This controls the creation of the root CA certificate.
-# The expiration for the root CA certificate is configured with the
-# "ca.expiry" field below, whose default value is "131400h" which is
-# 15 years in hours.
-# The pathlength field is used to limit CA certificate hierarchy as described
-# in section 4.2.1.9 of RFC 5280.
-# Examples:
-# 1) No pathlength value means no limit is requested.
-# 2) pathlength == 1 means a limit of 1 is requested which is the default for
-# a root CA. This means the root CA can issue intermediate CA certificates,
-# but these intermediate CAs may not in turn issue other CA certificates
-# though they can still issue end entity certificates.
-# 3) pathlength == 0 means a limit of 0 is requested;
-# this is the default for an intermediate CA, which means it can not issue
-# CA certificates though it can still issue end entity certificates.
-###########################################################################
-csr:
- cn: fabric-ca-server
- keyrequest:
- algo: ecdsa
- size: 256
- names:
- - C: US
- ST: "North Carolina"
- L:
- O: Hyperledger
- OU: Fabric
- hosts:
- - localhost
- - 127.0.0.1
- - org1-tls-ca
- - org1-tls-ca.test-network.svc.cluster.local
- ca:
- expiry: 131400h
- pathlength: 1
-
-###########################################################################
-# Each CA can issue both X509 enrollment certificate as well as Idemix
-# Credential. This section specifies configuration for the issuer component
-# that is responsible for issuing Idemix credentials.
-###########################################################################
-idemix:
- # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
- # Idemix credential. The issuer will create a pool revocation handles of this specified size. When
- # a credential is requested, issuer will get handle from the pool and assign it to the credential.
- # Issuer will repopulate the pool with new handles when the last handle in the pool is used.
- # A revocation handle and credential revocation information (CRI) are used to create non revocation proof
- # by the prover to prove to the verifier that her credential is not revoked.
- rhpoolsize: 1000
-
- # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
- # and second step is send credential request that is constructed using the nonce to the isuser to
- # request a credential. This configuration property specifies expiration for the nonces. By default is
- # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
- nonceexpiration: 15s
-
- # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
- # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
- noncesweepinterval: 15m
-
-#############################################################################
-# BCCSP (BlockChain Crypto Service Provider) section is used to select which
-# crypto library implementation to use
-#############################################################################
-bccsp:
- default: SW
- sw:
- hash: SHA2
- security: 256
- filekeystore:
- # The directory used for the software file-based keystore
- keystore: msp/keystore
-
-#############################################################################
-# Multi CA section
-#
-# Each Fabric CA server contains one CA by default.
This section is used
-# to configure multiple CAs in a single server.
-#
-# 1) --cacount
-# Automatically generate non-default CAs. The names of these
-# additional CAs are "ca1", "ca2", ... "caN", where "N" is
-# This is particularly useful in a development environment to quickly set up
-# multiple CAs. Note that, this config option is not applicable to intermediate CA server
-# i.e., Fabric CA server that is started with intermediate.parentserver.url config
-# option (-u command line option)
-#
-# 2) --cafiles
-# For each CA config file in the list, generate a separate signing CA. Each CA
-# config file in this list MAY contain all of the same elements as are found in
-# the server config file except port, debug, and tls sections.
-#
-# Examples:
-# fabric-ca-server start -b admin:adminpw --cacount 2
-#
-# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
-# --cafiles ca/ca2/fabric-ca-server-config.yaml
-#
-#############################################################################
-
-cacount:
-
-cafiles:
-
-#############################################################################
-# Intermediate CA section
-#
-# The relationship between servers and CAs is as follows:
-# 1) A single server process may contain or function as one or more CAs.
-# This is configured by the "Multi CA section" above.
-# 2) Each CA is either a root CA or an intermediate CA.
-# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
-#
-# This section pertains to configuration of #2 and #3.
-# If the "intermediate.parentserver.url" property is set,
-# then this is an intermediate CA with the specified parent
-# CA.
-#
-# parentserver section
-# url - The URL of the parent server
-# caname - Name of the CA to enroll within the server
-#
-# enrollment section used to enroll intermediate CA with parent CA
-# profile - Name of the signing profile to use in issuing the certificate
-# label - Label to use in HSM operations
-#
-# tls section for secure socket connection
-# certfiles - PEM-encoded list of trusted root certificate files
-# client:
-# certfile - PEM-encoded certificate file for when client authentication
-# is enabled on server
-# keyfile - PEM-encoded key file for when client authentication
-# is enabled on server
-#############################################################################
-intermediate:
- parentserver:
- url:
- caname:
-
- enrollment:
- hosts:
- profile:
- label:
-
- tls:
- certfiles:
- client:
- certfile:
- keyfile:
-
-#############################################################################
-# CA configuration section
-#
-# Configure the number of incorrect password attempts are allowed for
-# identities. By default, the value of 'passwordattempts' is 10, which
-# means that 10 incorrect password attempts can be made before an identity get
-# locked out.
-#############################################################################
-cfg:
- identities:
- passwordattempts: 10
-
-###############################################################################
-#
-# Operations section
-#
-###############################################################################
-operations:
- # host and port for the operations server
- listenAddress: 127.0.0.1:9444
-
- # TLS configuration for the operations endpoint
- tls:
- # TLS enabled
- enabled: false
-
- # path to PEM encoded server certificate for the operations server
- cert:
- file:
-
- # path to PEM encoded server key for the operations server
- key:
- file:
-
- # require client certificate authentication to access all resources
- clientAuthRequired: false
-
- # paths to PEM encoded ca certificates to trust for client authentication
- clientRootCAs:
- files: []
-
-###############################################################################
-#
-# Metrics section
-#
-###############################################################################
-metrics:
- # statsd, prometheus, or disabled
- provider: disabled
-
- # statsd configuration
- statsd:
- # network type: tcp or udp
- network: udp
-
- # statsd server address
- address: 127.0.0.1:8125
-
- # the interval at which locally cached counters and gauges are pushsed
- # to statsd; timings are pushed immediately
- writeInterval: 10s
-
- # prefix is prepended to all emitted statsd merics
- prefix: server
diff --git a/test-network-k8s/config/org1/fabric-ecert-ca-server-config.yaml b/test-network-k8s/config/org2/fabric-ca-server-config.yaml
similarity index 99%
rename from test-network-k8s/config/org1/fabric-ecert-ca-server-config.yaml
rename to test-network-k8s/config/org2/fabric-ca-server-config.yaml
index f1ed9da4..992315f0 100644
--- a/test-network-k8s/config/org1/fabric-ecert-ca-server-config.yaml
+++ b/test-network-k8s/config/org2/fabric-ca-server-config.yaml
@@ -86,7 +86,7 @@ tls:
#############################################################################
ca:
# Name of this CA
- name: org1-ecert-ca
+ name: org2-ca
# Key file (is only used to import a private key into BCCSP)
keyfile:
# Certificate file (default: ca-cert.pem)
@@ -320,8 +320,8 @@ csr:
hosts:
- localhost
- 127.0.0.1
- - org1-ecert-ca
- - org1-ecert-ca.test-network.svc.cluster.local
+ - org2-ca
+ - org2-ca.test-network.svc.cluster.local
ca:
expiry: 131400h
pathlength: 1
diff --git a/test-network-k8s/config/org2/fabric-tls-ca-server-config.yaml b/test-network-k8s/config/org2/fabric-tls-ca-server-config.yaml
deleted file mode 100644
index 74879302..00000000
--- a/test-network-k8s/config/org2/fabric-tls-ca-server-config.yaml
+++ /dev/null
@@ -1,496 +0,0 @@
-#############################################################################
-# This is a configuration file for the fabric-ca-server command.
-#
-# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
-# ------------------------------------------------
-# Each configuration element can be overridden via command line
-# arguments or environment variables. The precedence for determining
-# the value of each element is as follows:
-# 1) command line argument
-# Examples:
-# a) --port 443
-# To set the listening port
-# b) --ca.keyfile ../mykey.pem
-# To set the "keyfile" element in the "ca" section below;
-# note the '.' separator character.
-# 2) environment variable
-# Examples:
-# a) FABRIC_CA_SERVER_PORT=443
-# To set the listening port
-# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
-# To set the "keyfile" element in the "ca" section below;
-# note the '_' separator character.
-# 3) configuration file
-# 4) default value (if there is one)
-# All default values are shown beside each element below.
-#
-# FILE NAME ELEMENTS
-# ------------------
-# The value of all fields whose name ends with "file" or "files" are
-# name or names of other files.
-# For example, see "tls.certfile" and "tls.clientauth.certfiles".
-# The value of each of these fields can be a simple filename, a
-# relative path, or an absolute path. If the value is not an
-# absolute path, it is interpretted as being relative to the location
-# of this configuration file.
-#
-#############################################################################
-
-# Version of config file
-version: 1.5.2
-
-# Server's listening port (default: 7054)
-port: 443
-
-# Cross-Origin Resource Sharing (CORS)
-cors:
- enabled: false
- origins:
- - "*"
-
-# Enables debug logging (default: false)
-debug: false
-
-# Size limit of an acceptable CRL in bytes (default: 512000)
-crlsizelimit: 512000
-
-#############################################################################
-# TLS section for the server's listening port
-#
-# The following types are supported for client authentication: NoClientCert,
-# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
-# and RequireAndVerifyClientCert.
-#
-# Certfiles is a list of root certificate authorities that the server uses
-# when verifying client certificates.
-#############################################################################
-tls:
- # Enable TLS (default: false)
- enabled: true
- # TLS for the server's listening port
- certfile:
- keyfile:
- clientauth:
- type: noclientcert
- certfiles:
-
-#############################################################################
-# The CA section contains information related to the Certificate Authority
-# including the name of the CA, which should be unique for all members
-# of a blockchain network. It also includes the key and certificate files
-# used when issuing enrollment certificates (ECerts) and transaction
-# certificates (TCerts).
-# The chainfile (if it exists) contains the certificate chain which
-# should be trusted for this CA, where the 1st in the chain is always the
-# root CA certificate.
-#############################################################################
-ca:
- # Name of this CA
- name: org2-tls-ca
- # Key file (is only used to import a private key into BCCSP)
- keyfile:
- # Certificate file (default: ca-cert.pem)
- certfile:
- # Chain file
- chainfile:
-
-#############################################################################
-# The gencrl REST endpoint is used to generate a CRL that contains revoked
-# certificates. This section contains configuration options that are used
-# during gencrl request processing.
-#############################################################################
-crl:
- # Specifies expiration for the generated CRL. The number of hours
- # specified by this property is added to the UTC time, the resulting time
- # is used to set the 'Next Update' date of the CRL.
- expiry: 24h
-
-#############################################################################
-# The registry section controls how the fabric-ca-server does two things:
-# 1) authenticates enrollment requests which contain a username and password
-# (also known as an enrollment ID and secret).
-# 2) once authenticated, retrieves the identity's attribute names and
-# values which the fabric-ca-server optionally puts into TCerts
-# which it issues for transacting on the Hyperledger Fabric blockchain.
-# These attributes are useful for making access control decisions in
-# chaincode.
-# There are two main configuration options:
-# 1) The fabric-ca-server is the registry.
-# This is true if "ldap.enabled" in the ldap section below is false.
-# 2) An LDAP server is the registry, in which case the fabric-ca-server
-# calls the LDAP server to perform these tasks.
-# This is true if "ldap.enabled" in the ldap section below is true,
-# which means this "registry" section is ignored.
-#############################################################################
-registry:
- # Maximum number of times a password/secret can be reused for enrollment
- # (default: -1, which means there is no limit)
- maxenrollments: -1
-
- # Contains identity information which is used when LDAP is disabled
- identities:
- - name: tlsadmin
- pass: tlsadminpw
- type: client
- affiliation: ""
- attrs:
- hf.Registrar.Roles: "*"
- hf.Registrar.DelegateRoles: "*"
- hf.Revoker: true
- hf.IntermediateCA: true
- hf.GenCRL: true
- hf.Registrar.Attributes: "*"
- hf.AffiliationMgr: true
-
-#############################################################################
-# Database section
-# Supported types are: "sqlite3", "postgres", and "mysql".
-# The datasource value depends on the type.
-# If the type is "sqlite3", the datasource value is a file name to use
-# as the database store. Since "sqlite3" is an embedded database, it
-# may not be used if you want to run the fabric-ca-server in a cluster.
-# To run the fabric-ca-server in a cluster, you must choose "postgres"
-# or "mysql".
-#############################################################################
-db:
- type: sqlite3
- datasource: fabric-ca-server.db
- tls:
- enabled: false
- certfiles:
- client:
- certfile:
- keyfile:
-
-#############################################################################
-# LDAP section
-# If LDAP is enabled, the fabric-ca-server calls LDAP to:
-# 1) authenticate enrollment ID and secret (i.e. username and password)
-# for enrollment requests;
-# 2) To retrieve identity attributes
-#############################################################################
-ldap:
- # Enables or disables the LDAP client (default: false)
- # If this is set to true, the "registry" section is ignored.
- enabled: false
- # The URL of the LDAP server
- url: ldap://:@:/
- # TLS configuration for the client connection to the LDAP server
- tls:
- certfiles:
- client:
- certfile:
- keyfile:
- # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
- attribute:
- # 'names' is an array of strings containing the LDAP attribute names which are
- # requested from the LDAP server for an LDAP identity's entry
- names: ['uid','member']
- # The 'converters' section is used to convert an LDAP entry to the value of
- # a fabric CA attribute.
- # For example, the following converts an LDAP 'uid' attribute
- # whose value begins with 'revoker' to a fabric CA attribute
- # named "hf.Revoker" with a value of "true" (because the boolean expression
- # evaluates to true).
- # converters:
- # - name: hf.Revoker
- # value: attr("uid") =~ "revoker*"
- converters:
- - name:
- value:
- # The 'maps' section contains named maps which may be referenced by the 'map'
- # function in the 'converters' section to map LDAP responses to arbitrary values.
- # For example, assume a user has an LDAP attribute named 'member' which has multiple
- # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
- # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
- # Further assume the following configuration.
- # converters:
- # - name: hf.Registrar.Roles
- # value: map(attr("member"),"groups")
- # maps:
- # groups:
- # - name: dn1
- # value: peer
- # - name: dn2
- # value: client
- # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
- # "peer,client,dn3". This is because the value of 'attr("member")' is
- # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
- # "group" replaces "dn1" with "peer" and "dn2" with "client".
- maps:
- groups:
- - name:
- value:
-
-#############################################################################
-# Affiliations section.
Fabric CA server can be bootstrapped with the
-# affiliations specified in this section. Affiliations are specified as maps.
-# For example:
-# businessunit1:
-# department1:
-# - team1
-# businessunit2:
-# - department2
-# - department3
-#
-# Affiliations are hierarchical in nature. In the above example,
-# department1 (used as businessunit1.department1) is the child of businessunit1.
-# team1 (used as businessunit1.department1.team1) is the child of department1.
-# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
-# are children of businessunit2.
-# Note: Affiliations are case sensitive except for the non-leaf affiliations
-# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
-# which are always stored in lower case.
-#############################################################################
-affiliations:
- org1:
- - department1
- - department2
- org2:
- - department1
-
-#############################################################################
-# Signing section
-#
-# The "default" subsection is used to sign enrollment certificates;
-# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
-#
-# The "ca" profile subsection is used to sign intermediate CA certificates;
-# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
-# Note that "isca" is true, meaning that it issues a CA certificate.
-# A maxpathlen of 0 means that the intermediate CA cannot issue other
-# intermediate CA certificates, though it can still issue end entity certificates.
-# (See RFC 5280, section 4.2.1.9)
-#
-# The "tls" profile subsection is used to sign TLS certificate requests;
-# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
-#############################################################################
-signing:
- default:
- authremote: {}
- caconstraint: {}
- expiry: 8760h
- usage:
- - signing
- - key encipherment
- - server auth
- - client auth
- - key agreement
- profiles: null
-
-###########################################################################
-# Certificate Signing Request (CSR) section.
-# This controls the creation of the root CA certificate.
-# The expiration for the root CA certificate is configured with the
-# "ca.expiry" field below, whose default value is "131400h" which is
-# 15 years in hours.
-# The pathlength field is used to limit CA certificate hierarchy as described
-# in section 4.2.1.9 of RFC 5280.
-# Examples:
-# 1) No pathlength value means no limit is requested.
-# 2) pathlength == 1 means a limit of 1 is requested which is the default for
-# a root CA. This means the root CA can issue intermediate CA certificates,
-# but these intermediate CAs may not in turn issue other CA certificates
-# though they can still issue end entity certificates.
-# 3) pathlength == 0 means a limit of 0 is requested;
-# this is the default for an intermediate CA, which means it can not issue
-# CA certificates though it can still issue end entity certificates.
-###########################################################################
-csr:
- cn: fabric-ca-server
- keyrequest:
- algo: ecdsa
- size: 256
- names:
- - C: US
- ST: "North Carolina"
- L:
- O: Hyperledger
- OU: Fabric
- hosts:
- - localhost
- - 127.0.0.1
- - org2-tls-ca
- - org2-tls-ca.test-network.svc.cluster.local
- ca:
- expiry: 131400h
- pathlength: 1
-
-###########################################################################
-# Each CA can issue both X509 enrollment certificate as well as Idemix
-# Credential. This section specifies configuration for the issuer component
-# that is responsible for issuing Idemix credentials.
-###########################################################################
-idemix:
- # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
- # Idemix credential. The issuer will create a pool revocation handles of this specified size. When
- # a credential is requested, issuer will get handle from the pool and assign it to the credential.
- # Issuer will repopulate the pool with new handles when the last handle in the pool is used.
- # A revocation handle and credential revocation information (CRI) are used to create non revocation proof
- # by the prover to prove to the verifier that her credential is not revoked.
- rhpoolsize: 1000
-
- # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
- # and second step is send credential request that is constructed using the nonce to the isuser to
- # request a credential. This configuration property specifies expiration for the nonces. By default is
- # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
- nonceexpiration: 15s
-
- # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
- # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
- noncesweepinterval: 15m
-
-#############################################################################
-# BCCSP (BlockChain Crypto Service Provider) section is used to select which
-# crypto library implementation to use
-#############################################################################
-bccsp:
- default: SW
- sw:
- hash: SHA2
- security: 256
- filekeystore:
- # The directory used for the software file-based keystore
- keystore: msp/keystore
-
-#############################################################################
-# Multi CA section
-#
-# Each Fabric CA server contains one CA by default.
This section is used
-# to configure multiple CAs in a single server.
-#
-# 1) --cacount
-# Automatically generate non-default CAs. The names of these
-# additional CAs are "ca1", "ca2", ... "caN", where "N" is
-# This is particularly useful in a development environment to quickly set up
-# multiple CAs. Note that, this config option is not applicable to intermediate CA server
-# i.e., Fabric CA server that is started with intermediate.parentserver.url config
-# option (-u command line option)
-#
-# 2) --cafiles
-# For each CA config file in the list, generate a separate signing CA. Each CA
-# config file in this list MAY contain all of the same elements as are found in
-# the server config file except port, debug, and tls sections.
-#
-# Examples:
-# fabric-ca-server start -b admin:adminpw --cacount 2
-#
-# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
-# --cafiles ca/ca2/fabric-ca-server-config.yaml
-#
-#############################################################################
-
-cacount:
-
-cafiles:
-
-#############################################################################
-# Intermediate CA section
-#
-# The relationship between servers and CAs is as follows:
-# 1) A single server process may contain or function as one or more CAs.
-# This is configured by the "Multi CA section" above.
-# 2) Each CA is either a root CA or an intermediate CA.
-# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
-#
-# This section pertains to configuration of #2 and #3.
-# If the "intermediate.parentserver.url" property is set,
-# then this is an intermediate CA with the specified parent
-# CA.
-#
-# parentserver section
-# url - The URL of the parent server
-# caname - Name of the CA to enroll within the server
-#
-# enrollment section used to enroll intermediate CA with parent CA
-# profile - Name of the signing profile to use in issuing the certificate
-# label - Label to use in HSM operations
-#
-# tls section for secure socket connection
-# certfiles - PEM-encoded list of trusted root certificate files
-# client:
-# certfile - PEM-encoded certificate file for when client authentication
-# is enabled on server
-# keyfile - PEM-encoded key file for when client authentication
-# is enabled on server
-#############################################################################
-intermediate:
- parentserver:
- url:
- caname:
-
- enrollment:
- hosts:
- profile:
- label:
-
- tls:
- certfiles:
- client:
- certfile:
- keyfile:
-
-#############################################################################
-# CA configuration section
-#
-# Configure the number of incorrect password attempts are allowed for
-# identities. By default, the value of 'passwordattempts' is 10, which
-# means that 10 incorrect password attempts can be made before an identity get
-# locked out.
-#############################################################################
-cfg:
- identities:
- passwordattempts: 10
-
-###############################################################################
-#
-# Operations section
-#
-###############################################################################
-operations:
- # host and port for the operations server
- listenAddress: 127.0.0.1:9444
-
- # TLS configuration for the operations endpoint
- tls:
- # TLS enabled
- enabled: false
-
- # path to PEM encoded server certificate for the operations server
- cert:
- file:
-
- # path to PEM encoded server key for the operations server
- key:
- file:
-
- # require client certificate authentication to access all resources
- clientAuthRequired: false
-
- # paths to PEM encoded ca certificates to trust for client authentication
- clientRootCAs:
- files: []
-
-###############################################################################
-#
-# Metrics section
-#
-###############################################################################
-metrics:
- # statsd, prometheus, or disabled
- provider: disabled
-
- # statsd configuration
- statsd:
- # network type: tcp or udp
- network: udp
-
- # statsd server address
- address: 127.0.0.1:8125
-
- # the interval at which locally cached counters and gauges are pushsed
- # to statsd; timings are pushed immediately
- writeInterval: 10s
-
- # prefix is prepended to all emitted statsd merics
- prefix: server
diff --git a/test-network-k8s/docs/CA.md b/test-network-k8s/docs/CA.md
index c8758b24..5d8963ec 100644
--- a/test-network-k8s/docs/CA.md
+++ b/test-network-k8s/docs/CA.md
@@ -42,7 +42,7 @@ simplified, but realistic CA deployment illustrating the key touch points with K
- Each organization maintains two distinct, separate CA instances : one dedicated to [TLS](../kube/org0/org0-tls-ca.yaml)
- Certificate Signing Requests, and a second process dedicated to [ECert](../kube/org0/org0-ecert-ca.yaml) Enrollments
+ Certificate Signing Requests, and a second process dedicated to [ECert](../kube/org0/org0-ca.yaml) Enrollments
and identity MSPs.
@@ -222,7 +222,7 @@ by specifying `FABRIC_CA_SERVER_TLS_CERTFILE` and `FABRIC_CA_SERVER_TLS_KEYFILE`
### [Configure the ECert CA Servers](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#modify-the-ca-server-configuration)
When launching the ECert CA pods, both the org volume shares and org config maps are made available via volume shares.
-The [fabric-ecert-ca-server.yaml](../config/org0/fabric-ecert-ca-server-config.yaml) includes overrides for:
+The [fabric-ecert-ca-server.yaml](../config/org0/fabric-ca-server-config.yaml) includes overrides for:
- `port: 443` binds all traffic to the default HTTPS port
- `tls.enabled: true` enables TLS for registration and enrollment requests
@@ -230,7 +230,7 @@ The [fabric-ecert-ca-server.yaml](../config/org0/fabric-ecert-ca-server-config.y
- `csr.hosts:` includes host aliases for accessing the CA with Kube DNS
In addition, pay special attention to the location of the `FABRIC_CA_SERVER_TLS_CERTFILE` and `FABRIC_CA_SERVER_TLS_KEYFILE`
-environment variables in the [ECert deployment descriptor](../kube/org0/org0-ecert-ca.yaml). These variables
+environment variables in the [ECert deployment descriptor](../kube/org0/org0-ca.yaml). These variables
reference the TLS certificate authority and signing keys as generated by the admin bootstrap enrollment.
@@ -240,9 +240,9 @@ reference the TLS certificate authority and signing keys as generated by the adm
```
```shell
-kubectl -n test-network apply -f kube/org0/org0-ecert-ca.yaml
-kubectl -n test-network apply -f kube/org1/org1-ecert-ca.yaml
-kubectl -n test-network apply -f kube/org2/org2-ecert-ca.yaml
+kubectl -n test-network apply -f kube/org0/org0-ca.yaml
+kubectl -n test-network apply -f kube/org1/org1-ca.yaml
+kubectl -n test-network apply -f kube/org2/org2-ca.yaml
```
- [x] Note: The `rcaadmin` enrollment's `cert.pem` and `key.pem` locations are specified in the ecert CA's k8s deployment as environment variables.
diff --git a/test-network-k8s/docs/CHANNELS.md b/test-network-k8s/docs/CHANNELS.md
index 23fa33f6..dacd70cc 100644
--- a/test-network-k8s/docs/CHANNELS.md
+++ b/test-network-k8s/docs/CHANNELS.md
@@ -74,9 +74,9 @@ of a remote `kubectl` into a local archive files. These files are then mounted
constructing the `msp-config` config map:
```shell
-kubectl -n $NS exec deploy/org0-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/ordererOrganizations/org0.example.com/msp > msp/msp-org0.example.com.tgz
-kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp > msp/msp-org1.example.com.tgz
-kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp > msp/msp-org2.example.com.tgz
+kubectl -n $NS exec deploy/org0-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/ordererOrganizations/org0.example.com/msp > msp/msp-org0.example.com.tgz
+kubectl -n $NS exec deploy/org1-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp > msp/msp-org1.example.com.tgz
+kubectl -n $NS exec deploy/org2-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp > msp/msp-org2.example.com.tgz
kubectl -n $NS delete configmap msp-config || true
kubectl -n $NS create configmap msp-config --from-file=msp/
```
diff --git a/test-network-k8s/docs/HIGH_AVAILABILITY.md b/test-network-k8s/docs/HIGH_AVAILABILITY.md
index d23a411a..585f09cc 100644
--- a/test-network-k8s/docs/HIGH_AVAILABILITY.md
+++ b/test-network-k8s/docs/HIGH_AVAILABILITY.md
@@ -56,7 +56,7 @@ It is important that applications connect to the `org2-peer-gateway-svc` or `org
The solution is to add the additional servicename to the hosts field in the SAN section of the TLS certificate.
As an example here is the command that is used to create the TLS certificate for org1-peer1. Note the
```bash
-fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-ecert-ca --csr.hosts org1-peer1,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp
+fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-ca --csr.hosts org1-peer1,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp
```
## Summary
diff --git a/test-network-k8s/docs/TEST_NETWORK.md b/test-network-k8s/docs/TEST_NETWORK.md
index c3832bad..a16d0af8 100644
--- a/test-network-k8s/docs/TEST_NETWORK.md
+++ b/test-network-k8s/docs/TEST_NETWORK.md
@@ -44,44 +44,30 @@ the target usage in the network. For example, the ordering organization sets up the node local MSP with: ```shell # Each identity in the network needs a registration and enrollment. -fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp -fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp -fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp -fabric-ca-client register --id.name org0-admin --id.secret org0adminpw --id.type admin --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" +fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp +fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp +fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp +fabric-ca-client register --id.name org0-admin --id.secret org0adminpw --id.type admin --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-ecert-ca --csr.hosts org0-orderer1 --mspdir 
/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp -fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-ecert-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp -fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-ecert-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp -fabric-ca-client enroll --url https://org0-admin:org0adminpw@org0-ecert-ca --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/users/Admin@org0.example.com/msp - -# Each node in the network needs a TLS registration and enrollment. -fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp -fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp -fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-tls-ca --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp - -fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-tls-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls -fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-tls-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls -fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-tls-ca --csr.hosts org0-orderer3 --mspdir 
/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls - -# Copy the TLS signing keys to a fixed path for convenience when starting the orderers. -cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/tls/keystore/server.key -cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/tls/keystore/server.key -cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/*_sk /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/tls/keystore/server.key +fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp +fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp +fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp +fabric-ca-client enroll --url https://org0-admin:org0adminpw@org0-ca --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/users/Admin@org0.example.com/msp # Create an MSP config.yaml (why is this not generated by the enrollment by 
fabric-ca-client?) echo "NodeOUs: Enable: true ClientOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp/config.yaml @@ -181,23 +167,20 @@ cat kube/org2/org2-peer2.yaml | sed 's,{{FABRIC_VERSION}},'${FABRIC_VERSION}',g' After the peers and orderers have started, the Kube namespace includes pods, deployments, and service bindings for: - Org0 (org0.example.com): - - TLS Certificate Authority : https://org0-tls-ca - - ECert Certificate Authority : https://org0-ecert-ca + - ECert Certificate Authority : https://org0-ca - Orderer1 : grpcs://org0-orderer1 - Orderer2 : grpcs://org0-orderer2 - Orderer3 : grpcs://org0-orderer3 - Org1 (org1.example.com): - - TLS Certificate Authority : https://org1-tls-ca - - ECert Certificate Authority : https://org1-ecert-ca + - ECert Certificate Authority : https://org1-ca - Peer Node 1 : grpcs://org1-peer1 - Peer Node 2 : grpcs://org1-peer2 - Org2 (org2.example.com): - - TLS Certificate Authority : https://org2-tls-ca - - ECert Certificate Authority : https://org2-ecert-ca + - ECert Certificate Authority : https://org2-ca - Peer Node 1 : grpcs://org2-peer1 - Peer Node 2 : grpcs://org2-peer2 
diff --git a/test-network-k8s/kube/fabric-rest-sample.yaml b/test-network-k8s/kube/fabric-rest-sample.yaml index 2bf99d7f..66422faa 100644 --- a/test-network-k8s/kube/fabric-rest-sample.yaml +++ b/test-network-k8s/kube/fabric-rest-sample.yaml @@ -30,7 +30,7 @@ data: "org1-peer1" ], "certificateAuthorities": [ - "org1-ecert" + "org1-ca" ] } }, @@ -48,9 +48,9 @@ data: } }, "certificateAuthorities": { - "org1-ecert-ca": { - "url": "https://org1-ecert-ca", - "caName": "org1-ecert-ca", + "org1-ca": { + "url": "https://org1-ca", + "caName": "org1-ca", "tlsCACerts": { "pem": "TODO" }, @@ -106,7 +106,7 @@ data: "org2-peer1" ], "certificateAuthorities": [ - "org2-ecert-ca" + "org2-ca" ] } }, @@ -123,9 +123,9 @@ data: } }, "certificateAuthorities": { - "org2-ecert-ca": { - "url": "https://org2-ecert-ca", - "caName": "org2-ecert-ca", + "org2-ca": { + "url": "https://org2-ca", + "caName": "org2-ca", "tlsCACerts": { "pem": ["-----BEGIN CERTIFICATE-----\\nMIICKDCCAc6gAwIBAgIUJAF4fQK1KsnvdaUjau462D/5HPYwCgYIKoZIzj0EAwIw\\naDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt\\nY2Etc2VydmVyMB4XDTIxMDkxOTExMTcwMFoXDTM2MDkxNTExMTcwMFowaDELMAkG\\nA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl\\ncmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2Vy\\ndmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8bLvzagP3YANMGHVomZoGCQD\\nRgM3SenagZQ4IWqNQJSV3yTxzdgAWnPhwc+B/HdAOvAq2Oz54FmiSL9dAJoivqNW\\nMFQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE\\nFDdBAwT47jtbj48aXdMfRvMPbD5tMA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0E\\nAwIDSAAwRQIhAITSk4lYWqu12jZkR94aNoKT36ctaeKHuRvXs7m2qaHSAiAtUPO7\\nXlHtI9SDTRvI4DNSb2O7y7+B3WxVeCx50fivDw==\\n-----END CERTIFICATE-----\\n"] }, 
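Review bot: The renamed `org1-ca` entry still carries `"tlsCACerts": {"pem": "TODO"}`, so the REST sample has no trust anchor at all for that CA's TLS endpoint, and the renamed `org2-ca` entry keeps an embedded self-signed `fabric-ca-server` certificate that predates this change. Because the CA's server certificate is now issued by cert-manager through `org2-tls-cert-issuer` (see the renamed `org2-ca-tls-cert.yaml`), that embedded PEM is probably no longer the issuer of what the server presents; if so, clients either fail TLS verification or, where someone disables verification to get past it, lose it entirely. Rather than hand-editing this ConfigMap, both `tlsCACerts.pem` values could come from the connection profile that `construct_rest_sample_configmap` already generates via `json_ccp` from `build/msp`, which would also remove the `TODO` placeholder.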
diff --git a/test-network-k8s/kube/org0/org0-ecert-ca-tls-cert.yaml b/test-network-k8s/kube/org0/org0-ca-tls-cert.yaml similarity index 65% rename from test-network-k8s/kube/org0/org0-ecert-ca-tls-cert.yaml rename to test-network-k8s/kube/org0/org0-ca-tls-cert.yaml index b493f155..3f6e643f 100644 --- a/test-network-k8s/kube/org0/org0-ecert-ca-tls-cert.yaml +++ b/test-network-k8s/kube/org0/org0-ca-tls-cert.yaml @@ -2,7 +2,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: org0-ecert-ca-tls-cert + name: org0-ca-tls-cert namespace: test-network spec: isCA: false @@ -11,10 +11,10 @@ spec: size: 256 dnsNames: - localhost - - org0-ecert-ca - - org0-ecert-ca.test-network.svc.cluster.local + - org0-ca + - org0-ca.test-network.svc.cluster.local ipAddresses: - 127.0.0.1 - secretName: org0-ecert-ca-tls-cert + secretName: org0-ca-tls-cert issuerRef: name: org0-tls-cert-issuer \ No newline at end of file diff --git a/test-network-k8s/kube/org0/org0-ecert-ca.yaml b/test-network-k8s/kube/org0/org0-ca.yaml similarity index 87% rename from test-network-k8s/kube/org0/org0-ecert-ca.yaml rename to test-network-k8s/kube/org0/org0-ca.yaml index f1b8b024..c02b48fa 100644 --- a/test-network-k8s/kube/org0/org0-ecert-ca.yaml +++ b/test-network-k8s/kube/org0/org0-ca.yaml @@ -7,16 +7,16 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: org0-ecert-ca + name: org0-ca spec: replicas: 1 selector: matchLabels: - app: org0-ecert-ca + app: org0-ca template: metadata: labels: - app: org0-ecert-ca + app: org0-ca spec: containers: - name: main @@ -24,7 +24,7 @@ spec: imagePullPolicy: IfNotPresent env: - name: FABRIC_CA_SERVER_CA_NAME - value: "org0-ecert-ca" + value: "org0-ca" - name: FABRIC_CA_SERVER_DEBUG value: "false" - name: FABRIC_CA_SERVER_HOME 
@@ -42,7 +42,7 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml - subPath: fabric-ecert-ca-server-config.yaml + subPath: fabric-ca-server-config.yaml - name: tls-cert-volume mountPath: /var/hyperledger/fabric-ca-server/tls readOnly: true @@ -60,17 +60,17 @@ spec: name: org0-config - name: tls-cert-volume secret: - secretName: org0-ecert-ca-tls-cert + secretName: org0-ca-tls-cert --- apiVersion: v1 kind: Service metadata: - name: org0-ecert-ca + name: org0-ca spec: ports: - name: tls port: 443 protocol: TCP selector: - app: org0-ecert-ca \ No newline at end of file + app: org0-ca \ No newline at end of file diff --git a/test-network-k8s/kube/org0/org0-tls-ca.yaml b/test-network-k8s/kube/org0/org0-tls-ca.yaml deleted file mode 100644 index 0ae21a25..00000000 --- a/test-network-k8s/kube/org0/org0-tls-ca.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org0-tls-ca -spec: - replicas: 1 - selector: - matchLabels: - app: org0-tls-ca - template: - metadata: - labels: - app: org0-tls-ca - spec: - containers: - - name: main - image: {{FABRIC_CONTAINER_REGISTRY}}/fabric-ca:{{FABRIC_CA_VERSION}} - imagePullPolicy: IfNotPresent - env: - - name: FABRIC_CA_SERVER_CA_NAME - value: "org0-tls-ca" - - name: FABRIC_CA_SERVER_DEBUG - value: "false" - - name: FABRIC_CA_SERVER_HOME - value: "/var/hyperledger/fabric-tls-ca-server" - - name: FABRIC_CA_CLIENT_HOME - value: "/var/hyperledger/fabric-ca-client" - ports: - - containerPort: 443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric-tls-ca-server/fabric-ca-server-config.yaml - subPath: fabric-tls-ca-server-config.yaml - readinessProbe: - tcpSocket: - port: 443 - initialDelaySeconds: 2 - periodSeconds: 5 - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org0 - - name: fabric-config - configMap: - name: org0-config - ---- -apiVersion: v1 -kind: Service -metadata: - name: org0-tls-ca -spec: - ports: - - name: tls - port: 443 - protocol: TCP - selector: - app: org0-tls-ca \ No newline at end of file diff --git a/test-network-k8s/kube/org1/org1-ecert-ca-tls-cert.yaml b/test-network-k8s/kube/org1/org1-ca-tls-cert.yaml similarity index 65% rename from test-network-k8s/kube/org1/org1-ecert-ca-tls-cert.yaml rename to test-network-k8s/kube/org1/org1-ca-tls-cert.yaml index 875a5649..99e5626e 100644 --- a/test-network-k8s/kube/org1/org1-ecert-ca-tls-cert.yaml +++ b/test-network-k8s/kube/org1/org1-ca-tls-cert.yaml @@ -2,7 +2,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: org1-ecert-ca-tls-cert + name: org1-ca-tls-cert namespace: test-network spec: isCA: false 
@@ -11,10 +11,10 @@ spec: size: 256 dnsNames: - localhost - - org1-ecert-ca - - org1-ecert-ca.test-network.svc.cluster.local + - org1-ca + - org1-ca.test-network.svc.cluster.local ipAddresses: - 127.0.0.1 - secretName: org1-ecert-ca-tls-cert + secretName: org1-ca-tls-cert issuerRef: name: org1-tls-cert-issuer \ No newline at end of file diff --git a/test-network-k8s/kube/org1/org1-ecert-ca.yaml b/test-network-k8s/kube/org1/org1-ca.yaml similarity index 87% rename from test-network-k8s/kube/org1/org1-ecert-ca.yaml rename to test-network-k8s/kube/org1/org1-ca.yaml index 9c50747c..9e7c8ec0 100644 --- a/test-network-k8s/kube/org1/org1-ecert-ca.yaml +++ b/test-network-k8s/kube/org1/org1-ca.yaml @@ -7,16 +7,16 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: org1-ecert-ca + name: org1-ca spec: replicas: 1 selector: matchLabels: - app: org1-ecert-ca + app: org1-ca template: metadata: labels: - app: org1-ecert-ca + app: org1-ca spec: containers: - name: main @@ -24,7 +24,7 @@ spec: imagePullPolicy: IfNotPresent env: - name: FABRIC_CA_SERVER_CA_NAME - value: "org1-ecert-ca" + value: "org1-ca" - name: FABRIC_CA_SERVER_DEBUG value: "false" - name: FABRIC_CA_SERVER_HOME @@ -42,7 +42,7 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml - subPath: fabric-ecert-ca-server-config.yaml + subPath: fabric-ca-server-config.yaml - name: tls-cert-volume mountPath: /var/hyperledger/fabric-ca-server/tls readOnly: true @@ -60,16 +60,16 @@ spec: name: org1-config - name: tls-cert-volume secret: - secretName: org1-ecert-ca-tls-cert + secretName: org1-ca-tls-cert --- apiVersion: v1 kind: Service metadata: - name: org1-ecert-ca + name: org1-ca spec: ports: - name: tls port: 443 protocol: TCP selector: - app: org1-ecert-ca \ No newline at end of file + app: org1-ca \ No newline at end of file 
diff --git a/test-network-k8s/kube/org1/org1-tls-ca.yaml b/test-network-k8s/kube/org1/org1-tls-ca.yaml deleted file mode 100644 index a16da691..00000000 --- a/test-network-k8s/kube/org1/org1-tls-ca.yaml +++ /dev/null @@ -1,66 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org1-tls-ca -spec: - replicas: 1 - selector: - matchLabels: - app: org1-tls-ca - template: - metadata: - labels: - app: org1-tls-ca - spec: - containers: - - name: main - image: {{FABRIC_CONTAINER_REGISTRY}}/fabric-ca:{{FABRIC_CA_VERSION}} - imagePullPolicy: IfNotPresent - env: - - name: FABRIC_CA_SERVER_CA_NAME - value: "org1-tls-ca" - - name: FABRIC_CA_SERVER_DEBUG - value: "false" - - name: FABRIC_CA_SERVER_HOME - value: "/var/hyperledger/fabric-tls-ca-server" - - name: FABRIC_CA_CLIENT_HOME - value: "/var/hyperledger/fabric-ca-client" - ports: - - containerPort: 443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric-tls-ca-server/fabric-ca-server-config.yaml - subPath: fabric-tls-ca-server-config.yaml - readinessProbe: - tcpSocket: - port: 443 - initialDelaySeconds: 2 - periodSeconds: 5 - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org1 - - name: fabric-config - configMap: - name: org1-config - ---- -apiVersion: v1 -kind: Service -metadata: - name: org1-tls-ca -spec: - ports: - - name: tls - port: 443 - protocol: TCP - selector: - app: org1-tls-ca \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-ecert-ca-tls-cert.yaml b/test-network-k8s/kube/org2/org2-ca-tls-cert.yaml similarity index 65% rename from test-network-k8s/kube/org2/org2-ecert-ca-tls-cert.yaml rename to test-network-k8s/kube/org2/org2-ca-tls-cert.yaml index 7321ab84..d073a486 100644 --- a/test-network-k8s/kube/org2/org2-ecert-ca-tls-cert.yaml 
+++ b/test-network-k8s/kube/org2/org2-ca-tls-cert.yaml @@ -2,7 +2,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: org2-ecert-ca-tls-cert + name: org2-ca-tls-cert namespace: test-network spec: isCA: false @@ -11,10 +11,10 @@ spec: size: 256 dnsNames: - localhost - - org2-ecert-ca - - org2-ecert-ca.test-network.svc.cluster.local + - org2-ca + - org2-ca.test-network.svc.cluster.local ipAddresses: - 127.0.0.1 - secretName: org2-ecert-ca-tls-cert + secretName: org2-ca-tls-cert issuerRef: name: org2-tls-cert-issuer \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-ecert-ca.yaml b/test-network-k8s/kube/org2/org2-ca.yaml similarity index 87% rename from test-network-k8s/kube/org2/org2-ecert-ca.yaml rename to test-network-k8s/kube/org2/org2-ca.yaml index 5d568ffd..bbace681 100644 --- a/test-network-k8s/kube/org2/org2-ecert-ca.yaml +++ b/test-network-k8s/kube/org2/org2-ca.yaml @@ -7,16 +7,16 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: org2-ecert-ca + name: org2-ca spec: replicas: 1 selector: matchLabels: - app: org2-ecert-ca + app: org2-ca template: metadata: labels: - app: org2-ecert-ca + app: org2-ca spec: containers: - name: main @@ -24,7 +24,7 @@ spec: imagePullPolicy: IfNotPresent env: - name: FABRIC_CA_SERVER_CA_NAME - value: "org2-ecert-ca" + value: "org2-ca" - name: FABRIC_CA_SERVER_DEBUG value: "false" - name: FABRIC_CA_SERVER_HOME @@ -42,7 +42,7 @@ spec: mountPath: /var/hyperledger - name: fabric-config mountPath: /var/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml - subPath: fabric-ecert-ca-server-config.yaml + subPath: fabric-ca-server-config.yaml - name: tls-cert-volume mountPath: /var/hyperledger/fabric-ca-server/tls readOnly: true 
@@ -60,16 +60,16 @@ spec: name: org2-config - name: tls-cert-volume secret: - secretName: org2-ecert-ca-tls-cert + secretName: org2-ca-tls-cert --- apiVersion: v1 kind: Service metadata: - name: org2-ecert-ca + name: org2-ca spec: ports: - name: tls port: 443 protocol: TCP selector: - app: org2-ecert-ca \ No newline at end of file + app: org2-ca \ No newline at end of file diff --git a/test-network-k8s/kube/org2/org2-tls-ca.yaml b/test-network-k8s/kube/org2/org2-tls-ca.yaml deleted file mode 100644 index 53ec23db..00000000 --- a/test-network-k8s/kube/org2/org2-tls-ca.yaml +++ /dev/null @@ -1,66 +0,0 @@ -# -# Copyright IBM Corp. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: org2-tls-ca -spec: - replicas: 1 - selector: - matchLabels: - app: org2-tls-ca - template: - metadata: - labels: - app: org2-tls-ca - spec: - containers: - - name: main - image: {{FABRIC_CONTAINER_REGISTRY}}/fabric-ca:{{FABRIC_CA_VERSION}} - imagePullPolicy: IfNotPresent - env: - - name: FABRIC_CA_SERVER_CA_NAME - value: "org2-tls-ca" - - name: FABRIC_CA_SERVER_DEBUG - value: "false" - - name: FABRIC_CA_SERVER_HOME - value: "/var/hyperledger/fabric-tls-ca-server" - - name: FABRIC_CA_CLIENT_HOME - value: "/var/hyperledger/fabric-ca-client" - ports: - - containerPort: 443 - volumeMounts: - - name: fabric-volume - mountPath: /var/hyperledger - - name: fabric-config - mountPath: /var/hyperledger/fabric-tls-ca-server/fabric-ca-server-config.yaml - subPath: fabric-tls-ca-server-config.yaml - readinessProbe: - tcpSocket: - port: 443 - initialDelaySeconds: 2 - periodSeconds: 5 - volumes: - - name: fabric-volume - persistentVolumeClaim: - claimName: fabric-org2 - - name: fabric-config - configMap: - name: org2-config - ---- -apiVersion: v1 -kind: Service -metadata: - name: org2-tls-ca -spec: - ports: - - name: tls - port: 443 - protocol: TCP - selector: - app: org2-tls-ca \ No newline at end of file 
diff --git a/test-network-k8s/scripts/application_connection.sh b/test-network-k8s/scripts/application_connection.sh
index 25d451a6..9f053ac0 100755
--- a/test-network-k8s/scripts/application_connection.sh
+++ b/test-network-k8s/scripts/application_connection.sh
@@ -8,11 +8,11 @@ function app_extract_MSP_archives() {
 mkdir -p build/msp
 set -ex
 
- kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp | tar zxf - -C build/msp
- kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp | tar zxf - -C build/msp
+ kubectl -n $NS exec deploy/org1-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp | tar zxf - -C build/msp
+ kubectl -n $NS exec deploy/org2-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp | tar zxf - -C build/msp
 
- kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp | tar zxf - -C build/msp
- kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp | tar zxf - -C build/msp
+ kubectl -n $NS exec deploy/org1-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp | tar zxf - -C build/msp
+ kubectl -n $NS exec deploy/org2-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp | tar zxf - -C build/msp
 }
 
 function app_one_line_pem {
@@ -49,12 +49,12 @@ function construct_application_configmap() { mkdir -p build/application/gateways local peer_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/org1-tls-ca.pem - local ca_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/cacerts/org1-ecert-ca.pem + local ca_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/cacerts/org1-ca.pem echo "$(json_ccp 1 $peer_pem $ca_pem)" > build/application/gateways/org1_ccp.json peer_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/tlscacerts/org2-tls-ca.pem - ca_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/cacerts/org2-ecert-ca.pem + ca_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/cacerts/org2-ca.pem echo "$(json_ccp 2 $peer_pem $ca_pem)" > build/application/gateways/org2_ccp.json diff --git a/test-network-k8s/scripts/channel.sh b/test-network-k8s/scripts/channel.sh index 5aa3158f..bad4255d 100755 --- a/test-network-k8s/scripts/channel.sh +++ b/test-network-k8s/scripts/channel.sh @@ -8,7 +8,7 @@ function create_channel_org_MSP() { local org=$1 local org_type=$2 - local ecert_ca=${org}-ecert-ca + local ecert_ca=${org}-ca echo 'set -x 
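Review bot: The unchanged `peer_pem` path `.../tlscacerts/org1-tls-ca.pem` (and `org2-tls-ca.pem` a few lines down) still names the TLS CA this commit deletes (`kube/org1/org1-tls-ca.yaml`, `kube/org2/org2-tls-ca.yaml`), while only the `cacerts` filename was updated to `orgN-ca.pem`. If that file name was derived from enrolling against the removed `orgN-tls-ca` service, `json_ccp` is now handed a path that no longer exists and the generated gateway profile gets an empty or stale `tlsCACerts`, which is exactly the value peers' TLS is verified against; confirm what populates `tlscacerts/` after the TLS CA removal and rename the path to match. The same two paths appear in `construct_rest_sample_configmap` in `rest_sample.sh` (hunk `@@ -37,12 +37,12 @@`). `construct_application_configmap` continues outside the hunk.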
@@ -56,9 +56,9 @@ function aggregate_channel_MSP() { rm -rf ./build/msp/ mkdir -p ./build/msp - kubectl -n $NS exec deploy/org0-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/ordererOrganizations/org0.example.com/msp > build/msp/msp-org0.example.com.tgz - kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp > build/msp/msp-org1.example.com.tgz - kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp > build/msp/msp-org2.example.com.tgz + kubectl -n $NS exec deploy/org0-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/ordererOrganizations/org0.example.com/msp > build/msp/msp-org0.example.com.tgz + kubectl -n $NS exec deploy/org1-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp > build/msp/msp-org1.example.com.tgz + kubectl -n $NS exec deploy/org2-ca -- tar zcvf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp > build/msp/msp-org2.example.com.tgz kubectl -n $NS delete configmap msp-config || true kubectl -n $NS create configmap msp-config --from-file=build/msp/ diff --git a/test-network-k8s/scripts/fabric_CAs.sh b/test-network-k8s/scripts/fabric_CAs.sh index 6e3776cf..4a299897 100755 --- a/test-network-k8s/scripts/fabric_CAs.sh +++ b/test-network-k8s/scripts/fabric_CAs.sh 
@@ -13,33 +13,16 @@ function launch_CA() {
 | kubectl -n $NS apply -f -
 }
 
-function launch_TLS_CAs() {
- push_fn "Launching TLS CAs"
-
- launch_CA kube/org0/org0-tls-ca.yaml
- launch_CA kube/org1/org1-tls-ca.yaml
- launch_CA kube/org2/org2-tls-ca.yaml
-
- kubectl -n $NS rollout status deploy/org0-tls-ca
- kubectl -n $NS rollout status deploy/org1-tls-ca
- kubectl -n $NS rollout status deploy/org2-tls-ca
-
- # todo: this papers over a nasty bug whereby the CAs are ready, but sporadically refuse connections after a down / up
- sleep 10
-
- pop_fn
-}
-
 function launch_ECert_CAs() {
 push_fn "Launching ECert CAs"
 
- launch_CA kube/org0/org0-ecert-ca.yaml
- launch_CA kube/org1/org1-ecert-ca.yaml
- launch_CA kube/org2/org2-ecert-ca.yaml
+ launch_CA kube/org0/org0-ca.yaml
+ launch_CA kube/org1/org1-ca.yaml
+ launch_CA kube/org2/org2-ca.yaml
 
- kubectl -n $NS rollout status deploy/org0-ecert-ca
- kubectl -n $NS rollout status deploy/org1-ecert-ca
- kubectl -n $NS rollout status deploy/org2-ecert-ca
+ kubectl -n $NS rollout status deploy/org0-ca
+ kubectl -n $NS rollout status deploy/org1-ca
+ kubectl -n $NS rollout status deploy/org2-ca
 
 # todo: this papers over a nasty bug whereby the CAs are ready, but sporadically refuse connections after a down / up
 sleep 10
@@ -77,92 +60,19 @@ function init_tls_cert_issuers() { # use cert-manager to issue ECDSA TLS certificates for the ecert CA. Replaces the bootstrap ecert user enrollment in the TLS CA function issue_ECert_CA_tls_certs() { - kubectl -n $NS apply -f kube/org0/org0-ecert-ca-tls-cert.yaml - kubectl -n $NS apply -f kube/org1/org1-ecert-ca-tls-cert.yaml - kubectl -n $NS apply -f kube/org2/org2-ecert-ca-tls-cert.yaml + kubectl -n $NS apply -f kube/org0/org0-ca-tls-cert.yaml + kubectl -n $NS apply -f kube/org1/org1-ca-tls-cert.yaml + kubectl -n $NS apply -f kube/org2/org2-ca-tls-cert.yaml - kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org0-ecert-ca-tls-cert - kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org1-ecert-ca-tls-cert - kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org2-ecert-ca-tls-cert -} - - -# Enroll bootstrap user with TLS CA -# https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-bootstrap-user-with-tls-ca -function enroll_bootstrap_TLS_CA_user() { - local org=$1 - local auth=$2 - local tlsca=${org}-tls-ca - - # todo: get rid of export here - put in yaml - - echo 'set -x - - mkdir -p $FABRIC_CA_CLIENT_HOME/tls-root-cert - cp $FABRIC_CA_SERVER_HOME/ca-cert.pem $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem - - fabric-ca-client enroll \ - --url https://'$auth'@'${tlsca}' \ - --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ - --csr.hosts '${tlsca}' \ - --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp - - ' | exec kubectl -n $NS exec deploy/${tlsca} -i -- /bin/sh -} - -function enroll_bootstrap_TLS_CA_users() { - push_fn "Enrolling bootstrap TLS CA users" - - enroll_bootstrap_TLS_CA_user org0 $TLSADMIN_AUTH - enroll_bootstrap_TLS_CA_user org1 $TLSADMIN_AUTH - enroll_bootstrap_TLS_CA_user org2 $TLSADMIN_AUTH - - pop_fn -} - -function register_enroll_ECert_CA_bootstrap_user() { - local org=$1 - local tlsauth=$2 - local tlsca=${org}-tls-ca - local 
ecertca=${org}-ecert-ca - - echo 'set -x - - fabric-ca-client register \ - --id.name rcaadmin \ - --id.secret rcaadminpw \ - --url https://'${tlsca}' \ - --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ - --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp - - fabric-ca-client enroll \ - --url https://'${tlsauth}'@'${tlsca}' \ - --tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \ - --csr.hosts '${ecertca}' \ - --mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/rcaadmin/msp - - # Important: the rcaadmin signing certificate is referenced by the ECert CA FABRIC_CA_SERVER_TLS_CERTFILE config attribute. - # For simplicity, reference the key at a fixed, known location - cp $FABRIC_CA_CLIENT_HOME/tls-ca/rcaadmin/msp/keystore/*_sk $FABRIC_CA_CLIENT_HOME/tls-ca/rcaadmin/msp/keystore/key.pem - - ' | exec kubectl -n $NS exec deploy/${tlsca} -i -- /bin/sh -} - -# https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#register-and-enroll-the-organization-ca-bootstrap-identity-with-the-tls-ca -function register_enroll_ECert_CA_bootstrap_users() { - push_fn "Registering and enrolling ECert CA bootstrap users" - - register_enroll_ECert_CA_bootstrap_user org0 $TLSADMIN_AUTH - register_enroll_ECert_CA_bootstrap_user org1 $TLSADMIN_AUTH - register_enroll_ECert_CA_bootstrap_user org2 $TLSADMIN_AUTH - - pop_fn + kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org0-ca-tls-cert + kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org1-ca-tls-cert + kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org2-ca-tls-cert } function enroll_bootstrap_ECert_CA_user() { local org=$1 local auth=$2 - local ecert_ca=${org}-ecert-ca + local ecert_ca=${org}-ca echo 'set -x diff --git a/test-network-k8s/scripts/kind.sh b/test-network-k8s/scripts/kind.sh index 6d64d7d9..de0ae3e2 100755 --- a/test-network-k8s/scripts/kind.sh +++ b/test-network-k8s/scripts/kind.sh 
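Review bot: `issue_ECert_CA_tls_certs` is now the only step that provisions the CA's TLS identity, and its three `kubectl wait --timeout=30s` calls have no handling for a certificate that never becomes Ready (for instance when the `orgN-tls-cert-issuer` created by `init_tls_cert_issuers` is not yet ready); unless the script runs under `set -e`, which is not visible here, a timeout falls through silently and the CA Deployment would then block on its missing `orgN-ca-tls-cert` secret. A comment stating the dependency would help the next reader: `# Requires the orgN-tls-cert-issuer Issuers from init_tls_cert_issuers; a timeout here leaves the CA without its TLS secret`. The hunk also deletes `enroll_bootstrap_TLS_CA_users` and `register_enroll_ECert_CA_bootstrap_users`, but the `test_network.sh` hunk that would show their callers is outside this view, so please confirm nothing still invokes them. As a point of naming, `ecert_ca` and the `ECert` function names now describe the org's only CA (`orgN-ca`); `enroll_bootstrap_ECert_CA_user` continues past the end of the hunk.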
@@ -41,6 +41,19 @@ function apply_nginx_ingress() {
 pop_fn
 }
 
+function install_cert_manager() {
+ push_fn "Installing cert-manager"
+
+ # Install cert-manager to manage TLS certificates
+ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml
+
+ kubectl -n cert-manager rollout status deploy/cert-manager
+ kubectl -n cert-manager rollout status deploy/cert-manager-cainjector
+ kubectl -n cert-manager rollout status deploy/cert-manager-webhook
+
+ pop_fn
+}
+
 function kind_create() {
 push_fn "Creating cluster \"${CLUSTER_NAME}\""
 
@@ -137,6 +150,7 @@ function kind_init() {
 
 kind_create
 apply_nginx_ingress
+ install_cert_manager
 launch_docker_registry
 
 if [ "${STAGE_DOCKER_IMAGES}" == true ]; then
diff --git a/test-network-k8s/scripts/rest_sample.sh b/test-network-k8s/scripts/rest_sample.sh
index fe397164..8e9f1057 100755
--- a/test-network-k8s/scripts/rest_sample.sh
+++ b/test-network-k8s/scripts/rest_sample.sh
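Review bot: `install_cert_manager` applies a cluster-wide manifest (CRDs, cainjector, admission webhook) fetched at run time from a release URL, with nothing beyond the version string pinning what gets installed, and the `jetstack/` repository path is the project's former location that depends on a GitHub redirect. For a throwaway test network that is tolerable, but `v1.6.1` should at least live next to the script's other version knobs rather than inside the URL (e.g. a `CERT_MANAGER_VERSION` variable, name constructed here), and where reproducibility matters the manifest should be vendored or its digest checked before `kubectl apply`. Separately, a successful `rollout status` on `cert-manager-webhook` does not guarantee the webhook is already accepting admission requests, so a later `kubectl apply` of an Issuer or Certificate can be rejected while the endpoint comes up; that is the same class of readiness race the retained `sleep 10` comment in `fabric_CAs.sh` works around, and a short wait-and-retry (or a comment noting the race) belongs here. The second hunk in this file only wires the call into `kind_init`.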
@@ -8,11 +8,11 @@ function extract_MSP_archives() { mkdir -p build/msp - kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp | tar zxf - -C build/msp - kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org1-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org2-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/msp | tar zxf - -C build/msp - kubectl -n $NS exec deploy/org1-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp | tar zxf - -C build/msp - kubectl -n $NS exec deploy/org2-ecert-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org1-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp | tar zxf - -C build/msp + kubectl -n $NS exec deploy/org2-ca -- tar zcf - -C /var/hyperledger/fabric organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp | tar zxf - -C build/msp } function one_line_pem { 
@@ -37,12 +37,12 @@ function construct_rest_sample_configmap() { mkdir -p build/fabric-rest-sample-config local peer_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/org1-tls-ca.pem - local ca_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/cacerts/org1-ecert-ca.pem + local ca_pem=build/msp/organizations/peerOrganizations/org1.example.com/msp/cacerts/org1-ca.pem echo "$(json_ccp 1 $peer_pem $ca_pem)" > build/fabric-rest-sample-config/HLF_CONNECTION_PROFILE_ORG1 peer_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/tlscacerts/org2-tls-ca.pem - ca_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/cacerts/org2-ecert-ca.pem + ca_pem=build/msp/organizations/peerOrganizations/org2.example.com/msp/cacerts/org2-ca.pem echo "$(json_ccp 2 $peer_pem $ca_pem)" > build/fabric-rest-sample-config/HLF_CONNECTION_PROFILE_ORG2 diff --git a/test-network-k8s/scripts/test_network.sh b/test-network-k8s/scripts/test_network.sh index 805fd7c3..db5295bc 100755 --- a/test-network-k8s/scripts/test_network.sh +++ b/test-network-k8s/scripts/test_network.sh 
@@ -52,35 +52,35 @@ function create_org0_local_MSP() { export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric-ca-server/tls/ca.crt # Each identity in the network needs a registration and enrollment. - fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp - fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp - fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp - fabric-ca-client register --id.name org0-admin --id.secret org0adminpw --id.type admin --url https://org0-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ecert-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" + fabric-ca-client register --id.name org0-orderer1 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp + fabric-ca-client register --id.name org0-orderer2 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp + fabric-ca-client register --id.name org0-orderer3 --id.secret ordererpw --id.type orderer --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp + fabric-ca-client register --id.name org0-admin --id.secret org0adminpw --id.type admin --url https://org0-ca --mspdir $FABRIC_CA_CLIENT_HOME/org0-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" - fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-ecert-ca --csr.hosts org0-orderer1 --mspdir 
/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp - fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-ecert-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp - fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-ecert-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp - fabric-ca-client enroll --url https://org0-admin:org0adminpw@org0-ecert-ca --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/users/Admin@org0.example.com/msp + fabric-ca-client enroll --url https://org0-orderer1:ordererpw@org0-ca --csr.hosts org0-orderer1 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp + fabric-ca-client enroll --url https://org0-orderer2:ordererpw@org0-ca --csr.hosts org0-orderer2 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp + fabric-ca-client enroll --url https://org0-orderer3:ordererpw@org0-ca --csr.hosts org0-orderer3 --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp + fabric-ca-client enroll --url https://org0-admin:org0adminpw@org0-ca --mspdir /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/users/Admin@org0.example.com/msp # Create an MSP config.yaml (why is this not generated by the enrollment by fabric-ca-client?) 
echo "NodeOUs: Enable: true ClientOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: - Certificate: cacerts/org0-ecert-ca.pem + Certificate: cacerts/org0-ca.pem OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer2.org0.example.com/msp/config.yaml cp /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer1.org0.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer3.org0.example.com/msp/config.yaml - ' | exec kubectl -n $NS exec deploy/org0-ecert-ca -i -- /bin/sh + ' | exec kubectl -n $NS exec deploy/org0-ca -i -- /bin/sh } function create_org1_local_MSP() { 
@@ -90,13 +90,13 @@ function create_org1_local_MSP() { export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric-ca-server/tls/ca.crt # Each identity in the network needs a registration and enrollment. - fabric-ca-client register --id.name org1-peer1 --id.secret peerpw --id.type peer --url https://org1-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ecert-ca/rcaadmin/msp - fabric-ca-client register --id.name org1-peer2 --id.secret peerpw --id.type peer --url https://org1-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ecert-ca/rcaadmin/msp - fabric-ca-client register --id.name org1-admin --id.secret org1adminpw --id.type admin --url https://org1-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ecert-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" + fabric-ca-client register --id.name org1-peer1 --id.secret peerpw --id.type peer --url https://org1-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ca/rcaadmin/msp + fabric-ca-client register --id.name org1-peer2 --id.secret peerpw --id.type peer --url https://org1-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ca/rcaadmin/msp + fabric-ca-client register --id.name org1-admin --id.secret org1adminpw --id.type admin --url https://org1-ca --mspdir $FABRIC_CA_CLIENT_HOME/org1-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" - fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-ecert-ca --csr.hosts org1-peer1,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp - fabric-ca-client enroll --url https://org1-peer2:peerpw@org1-ecert-ca --csr.hosts org1-peer2,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/msp - fabric-ca-client enroll --url 
https://org1-admin:org1adminpw@org1-ecert-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp + fabric-ca-client enroll --url https://org1-peer1:peerpw@org1-ca --csr.hosts org1-peer1,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp + fabric-ca-client enroll --url https://org1-peer2:peerpw@org1-ca --csr.hosts org1-peer2,org1-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/msp + fabric-ca-client enroll --url https://org1-admin:org1adminpw@org1-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/server.key 
@@ -104,22 +104,22 @@ function create_org1_local_MSP() { echo "NodeOUs: Enable: true ClientOUIdentifier: - Certificate: cacerts/org1-ecert-ca.pem + Certificate: cacerts/org1-ca.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: - Certificate: cacerts/org1-ecert-ca.pem + Certificate: cacerts/org1-ca.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: - Certificate: cacerts/org1-ecert-ca.pem + Certificate: cacerts/org1-ca.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: - Certificate: cacerts/org1-ecert-ca.pem + Certificate: cacerts/org1-ca.pem OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp/config.yaml cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer2.org1.example.com/msp/config.yaml cp /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/peers/org1-peer1.org1.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/config.yaml - ' | exec kubectl -n $NS exec deploy/org1-ecert-ca -i -- /bin/sh + ' | exec kubectl -n $NS exec deploy/org1-ca -i -- /bin/sh } 
@@ -129,13 +129,13 @@ function create_org2_local_MSP() { export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/fabric-ca-server/tls/ca.crt # Each identity in the network needs a registration and enrollment. - fabric-ca-client register --id.name org2-peer1 --id.secret peerpw --id.type peer --url https://org2-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ecert-ca/rcaadmin/msp - fabric-ca-client register --id.name org2-peer2 --id.secret peerpw --id.type peer --url https://org2-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ecert-ca/rcaadmin/msp - fabric-ca-client register --id.name org2-admin --id.secret org2adminpw --id.type admin --url https://org2-ecert-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ecert-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" + fabric-ca-client register --id.name org2-peer1 --id.secret peerpw --id.type peer --url https://org2-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ca/rcaadmin/msp + fabric-ca-client register --id.name org2-peer2 --id.secret peerpw --id.type peer --url https://org2-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ca/rcaadmin/msp + fabric-ca-client register --id.name org2-admin --id.secret org2adminpw --id.type admin --url https://org2-ca --mspdir $FABRIC_CA_CLIENT_HOME/org2-ca/rcaadmin/msp --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" - fabric-ca-client enroll --url https://org2-peer1:peerpw@org2-ecert-ca --csr.hosts org2-peer1,org2-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp - fabric-ca-client enroll --url https://org2-peer2:peerpw@org2-ecert-ca --csr.hosts org2-peer2,org2-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/msp - fabric-ca-client enroll --url 
https://org2-admin:org2adminpw@org2-ecert-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp + fabric-ca-client enroll --url https://org2-peer1:peerpw@org2-ca --csr.hosts org2-peer1,org2-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp + fabric-ca-client enroll --url https://org2-peer2:peerpw@org2-ca --csr.hosts org2-peer2,org2-peer-gateway-svc --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/msp + fabric-ca-client enroll --url https://org2-admin:org2adminpw@org2-ca --mspdir /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/*_sk /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/server.key 
@@ -143,21 +143,21 @@ function create_org2_local_MSP() { echo "NodeOUs: Enable: true ClientOUIdentifier: - Certificate: cacerts/org2-ecert-ca.pem + Certificate: cacerts/org2-ca.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: - Certificate: cacerts/org2-ecert-ca.pem + Certificate: cacerts/org2-ca.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: - Certificate: cacerts/org2-ecert-ca.pem + Certificate: cacerts/org2-ca.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: - Certificate: cacerts/org2-ecert-ca.pem + Certificate: cacerts/org2-ca.pem OrganizationalUnitIdentifier: orderer" > /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp/config.yaml cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer2.org2.example.com/msp/config.yaml cp /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/peers/org2-peer1.org2.example.com/msp/config.yaml /var/hyperledger/fabric/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/config.yaml - ' | exec kubectl -n $NS exec deploy/org2-ecert-ca -i -- /bin/sh + ' | exec kubectl -n $NS exec deploy/org2-ca -i -- /bin/sh } function create_local_MSP() { @@ -178,8 +178,6 @@ function network_up() { load_org_config # Network TLS CAs -# launch_TLS_CAs -# enroll_bootstrap_TLS_CA_users init_tls_cert_issuers # Network ECert CAs