epistemophiliac/fabric-samples
1
0
Fork 0
mirror of https://github.com/hyperledger/fabric-samples.git synced 2026-06-24 10:35:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
fabric-samples/test-network-k8s/scripts/fabric_CAs.sh
Josh Kneubuhl 5b7edf264e Experimental use of cert-manager.io to issue node TLS certificates 
Signed-off-by: Josh Kneubuhl <jkneubuh@us.ibm.com>
2022-01-19 18:04:47 -05:00

185 lines
No EOL
6.2 KiB
Bash
Executable file
Raw Blame History

#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
function launch_CA() {
local yaml=$1
cat ${yaml} \
| sed 's,{{FABRIC_CONTAINER_REGISTRY}},'${FABRIC_CONTAINER_REGISTRY}',g' \
| sed 's,{{FABRIC_CA_VERSION}},'${FABRIC_CA_VERSION}',g' \
| kubectl -n $NS apply -f -
}
function launch_TLS_CAs() {
push_fn "Launching TLS CAs"
launch_CA kube/org0/org0-tls-ca.yaml
launch_CA kube/org1/org1-tls-ca.yaml
launch_CA kube/org2/org2-tls-ca.yaml
kubectl -n $NS rollout status deploy/org0-tls-ca
kubectl -n $NS rollout status deploy/org1-tls-ca
kubectl -n $NS rollout status deploy/org2-tls-ca
# todo: this papers over a nasty bug whereby the CAs are ready, but sporadically refuse connections after a down / up
sleep 10
pop_fn
}
function launch_ECert_CAs() {
push_fn "Launching ECert CAs"
launch_CA kube/org0/org0-ecert-ca.yaml
launch_CA kube/org1/org1-ecert-ca.yaml
launch_CA kube/org2/org2-ecert-ca.yaml
kubectl -n $NS rollout status deploy/org0-ecert-ca
kubectl -n $NS rollout status deploy/org1-ecert-ca
kubectl -n $NS rollout status deploy/org2-ecert-ca
# todo: this papers over a nasty bug whereby the CAs are ready, but sporadically refuse connections after a down / up
sleep 10
pop_fn
}
# experimental: create TLS CA issuers using cert-manager for each org.
function init_tls_cert_issuers() {
push_fn "Initializing TLS certificate issuers"
# todo: secret needs to be created before the issuer - the lag will cause an error on the first init for the issuer.
kubectl -n $NS delete -f kube/org0/org0-tls-cert-issuer-secret.yaml || true
kubectl -n $NS delete -f kube/org1/org1-tls-cert-issuer-secret.yaml || true
kubectl -n $NS delete -f kube/org2/org2-tls-cert-issuer-secret.yaml || true
kubectl -n $NS create -f kube/org0/org0-tls-cert-issuer-secret.yaml
kubectl -n $NS create -f kube/org1/org1-tls-cert-issuer-secret.yaml
kubectl -n $NS create -f kube/org2/org2-tls-cert-issuer-secret.yaml
# todo: find a better way to wait for the secret to be created.
# sleep 10
kubectl -n $NS apply -f kube/org0/org0-tls-cert-issuer.yaml
kubectl -n $NS apply -f kube/org1/org1-tls-cert-issuer.yaml
kubectl -n $NS apply -f kube/org2/org2-tls-cert-issuer.yaml
kubectl -n $NS wait --timeout=30s --for=condition=Ready issuer/org0-tls-cert-issuer
kubectl -n $NS wait --timeout=30s --for=condition=Ready issuer/org1-tls-cert-issuer
kubectl -n $NS wait --timeout=30s --for=condition=Ready issuer/org2-tls-cert-issuer
pop_fn
}
# use cert-manager to issue ECDSA TLS certificates for the ecert CA. Replaces the bootstrap ecert user enrollment in the TLS CA
function issue_ECert_CA_tls_certs() {
kubectl -n $NS apply -f kube/org0/org0-ecert-ca-tls-cert.yaml
kubectl -n $NS apply -f kube/org1/org1-ecert-ca-tls-cert.yaml
kubectl -n $NS apply -f kube/org2/org2-ecert-ca-tls-cert.yaml
kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org0-ecert-ca-tls-cert
kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org1-ecert-ca-tls-cert
kubectl -n $NS wait --timeout=30s --for=condition=Ready cert/org2-ecert-ca-tls-cert
}
# Enroll bootstrap user with TLS CA
# https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#enroll-bootstrap-user-with-tls-ca
function enroll_bootstrap_TLS_CA_user() {
local org=$1
local auth=$2
local tlsca=${org}-tls-ca
# todo: get rid of export here - put in yaml
echo 'set -x
mkdir -p $FABRIC_CA_CLIENT_HOME/tls-root-cert
cp $FABRIC_CA_SERVER_HOME/ca-cert.pem $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem
fabric-ca-client enroll \
--url https://'$auth'@'${tlsca}' \
--tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \
--csr.hosts '${tlsca}' \
--mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
' | exec kubectl -n $NS exec deploy/${tlsca} -i -- /bin/sh
}
function enroll_bootstrap_TLS_CA_users() {
push_fn "Enrolling bootstrap TLS CA users"
enroll_bootstrap_TLS_CA_user org0 $TLSADMIN_AUTH
enroll_bootstrap_TLS_CA_user org1 $TLSADMIN_AUTH
enroll_bootstrap_TLS_CA_user org2 $TLSADMIN_AUTH
pop_fn
}
function register_enroll_ECert_CA_bootstrap_user() {
local org=$1
local tlsauth=$2
local tlsca=${org}-tls-ca
local ecertca=${org}-ecert-ca
echo 'set -x
fabric-ca-client register \
--id.name rcaadmin \
--id.secret rcaadminpw \
--url https://'${tlsca}' \
--tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \
--mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/tlsadmin/msp
fabric-ca-client enroll \
--url https://'${tlsauth}'@'${tlsca}' \
--tls.certfiles $FABRIC_CA_CLIENT_HOME/tls-root-cert/tls-ca-cert.pem \
--csr.hosts '${ecertca}' \
--mspdir $FABRIC_CA_CLIENT_HOME/tls-ca/rcaadmin/msp
# Important: the rcaadmin signing certificate is referenced by the ECert CA FABRIC_CA_SERVER_TLS_CERTFILE config attribute.
# For simplicity, reference the key at a fixed, known location
cp $FABRIC_CA_CLIENT_HOME/tls-ca/rcaadmin/msp/keystore/*_sk $FABRIC_CA_CLIENT_HOME/tls-ca/rcaadmin/msp/keystore/key.pem
' | exec kubectl -n $NS exec deploy/${tlsca} -i -- /bin/sh
}
# https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#register-and-enroll-the-organization-ca-bootstrap-identity-with-the-tls-ca
function register_enroll_ECert_CA_bootstrap_users() {
push_fn "Registering and enrolling ECert CA bootstrap users"
register_enroll_ECert_CA_bootstrap_user org0 $TLSADMIN_AUTH
register_enroll_ECert_CA_bootstrap_user org1 $TLSADMIN_AUTH
register_enroll_ECert_CA_bootstrap_user org2 $TLSADMIN_AUTH
pop_fn
}
function enroll_bootstrap_ECert_CA_user() {
local org=$1
local auth=$2
local ecert_ca=${org}-ecert-ca
echo 'set -x
fabric-ca-client enroll \
--url https://'${auth}'@'${ecert_ca}' \
--tls.certfiles /var/hyperledger/fabric-ca-server/tls/ca.crt \
--mspdir $FABRIC_CA_CLIENT_HOME/'${ecert_ca}'/rcaadmin/msp
' | exec kubectl -n $NS exec deploy/${ecert_ca} -i -- /bin/sh
}
function enroll_bootstrap_ECert_CA_users() {
push_fn "Enrolling bootstrap ECert CA users"
enroll_bootstrap_ECert_CA_user org0 $RCAADMIN_AUTH
enroll_bootstrap_ECert_CA_user org1 $RCAADMIN_AUTH
enroll_bootstrap_ECert_CA_user org2 $RCAADMIN_AUTH
pop_fn
}
Reference in a new issue View git blame Copy permalink