fabric-samples/test-network-k8s/scripts/fabric_CAs.sh

#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
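function launch_CA() {
  # Render one CA Deployment template and apply it to the target namespace.
  #
  # Arguments:
  #   $1 - path to a YAML manifest that uses the placeholders
  #        {{FABRIC_CONTAINER_REGISTRY}} and {{FABRIC_CA_VERSION}}
  # Globals (read): NS, FABRIC_CONTAINER_REGISTRY, FABRIC_CA_VERSION
  # Returns: 1 if the template is missing or a required variable is unset or
  #          empty, otherwise the exit status of `kubectl apply`.
  local yaml=$1
  local name
  # Fail loudly instead of rendering an empty registry/version into the image
  # reference: the previous sed pipeline silently produced e.g. "/fabric-ca:".
  for name in NS FABRIC_CONTAINER_REGISTRY FABRIC_CA_VERSION; do
    if [[ -z "${!name:-}" ]]; then
      echo "launch_CA: ${name} must be set" >&2
      return 1
    fi
  done
  if [[ ! -f "$yaml" ]]; then
    echo "launch_CA: template not found: ${yaml}" >&2
    return 1
  fi
  # Substitute with parameter expansion rather than sed so that values
  # containing the old sed delimiter (',') or '&' are inserted verbatim.  The
  # placeholders are held in variables and both sides are quoted, so the
  # braces are literal and bash 5.2's patsub_replacement leaves '&' alone.
  local registry_ph='{{FABRIC_CONTAINER_REGISTRY}}'
  local version_ph='{{FABRIC_CA_VERSION}}'
  local rendered
  rendered=$(<"$yaml")
  rendered=${rendered//"$registry_ph"/"$FABRIC_CONTAINER_REGISTRY"}
  rendered=${rendered//"$version_ph"/"$FABRIC_CA_VERSION"}
  printf '%s\n' "$rendered" | kubectl -n "$NS" apply -f -
}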
function launch_ECert_CAs() {
  # Deploy the three per-org enrollment CAs (org0, org1, org2) and block until
  # every CA Deployment reports a completed rollout.
  # Globals (read): NS
  push_fn "Launching ECert CAs"
  local org
  for org in org0 org1 org2; do
    launch_CA "kube/${org}/${org}-ca.yaml"
  done
  for org in org0 org1 org2; do
    kubectl -n "$NS" rollout status "deploy/${org}-ca"
  done
  # todo: this papers over a nasty bug whereby the CAs are ready, but
  # sporadically refuse connections after a down / up
  sleep 10
  pop_fn
}
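# experimental: create TLS CA issuers using cert-manager for each org.
function init_tls_cert_issuers() {
  # (Re)create, for each org, the cert-manager Issuer and the Secret it uses.
  #
  # The Secret manifests live in the repo under kube/<org>/ and presumably
  # carry the issuer's signing key pair, so they are only suitable for a
  # throw-away test network; regenerate them before reusing this layout
  # anywhere that matters.
  # Globals (read): NS
  push_fn "Initializing TLS certificate issuers"
  local org
  # todo: secret needs to be created before the issuer - the lag will cause an
  # error on the first init for the issuer.
  #
  # The secret is deleted and recreated so a re-run picks up changed contents.
  # --ignore-not-found keeps the first run quiet while still surfacing real
  # failures (RBAC denial, bad manifest) that the previous '|| true' hid.
  for org in org0 org1 org2; do
    kubectl -n "$NS" delete --ignore-not-found -f "kube/${org}/${org}-tls-cert-issuer-secret.yaml"
  done
  for org in org0 org1 org2; do
    kubectl -n "$NS" create -f "kube/${org}/${org}-tls-cert-issuer-secret.yaml"
  done
  # todo: find a better way to wait for the secret to be created.
  # sleep 10
  for org in org0 org1 org2; do
    kubectl -n "$NS" apply -f "kube/${org}/${org}-tls-cert-issuer.yaml"
  done
  for org in org0 org1 org2; do
    kubectl -n "$NS" wait --timeout=30s --for=condition=Ready "issuer/${org}-tls-cert-issuer"
  done
  pop_fn
}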
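# use cert-manager to issue ECDSA TLS certificates for the ecert CA. Replaces the bootstrap ecert user enrollment in the TLS CA
function issue_ECert_CA_tls_certs() {
  # Request each org CA's server TLS certificate from cert-manager and wait
  # until it is issued.  NOTE(review): the resulting Secret is presumably what
  # the CA pod mounts at /var/hyperledger/fabric-ca-server/tls, which
  # enroll_bootstrap_ECert_CA_user trusts via --tls.certfiles -- confirm
  # against the Deployment manifest.
  # Globals (read): NS
  # Wrapped in push_fn/pop_fn like the other steps so progress output is
  # consistent across the CA bring-up.
  push_fn "Issuing ECert CA TLS certificates"
  local org
  for org in org0 org1 org2; do
    kubectl -n "$NS" apply -f "kube/${org}/${org}-ca-tls-cert.yaml"
  done
  for org in org0 org1 org2; do
    kubectl -n "$NS" wait --timeout=30s --for=condition=Ready "cert/${org}-ca-tls-cert"
  done
  pop_fn
}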
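function enroll_bootstrap_ECert_CA_user() {
  # Enroll the bootstrap registrar of one org's enrollment CA from inside the
  # CA pod, writing its MSP under $FABRIC_CA_CLIENT_HOME/<org>-ca/rcaadmin/msp
  # (that variable is expanded by the shell in the container, not here).
  #
  # Arguments:
  #   $1 - org name (org0, org1, ...); the CA Deployment and its service host
  #        are both "<org>-ca"
  #   $2 - bootstrap credential as user:password, embedded in the enrollment URL
  # Globals (read): NS
  #
  # Security: the previous version ran the remote script under `set -x`,
  # which traced the full URL -- password included -- to the operator's
  # terminal and any CI log.  The trace is gone and only the user part of the
  # credential is echoed.  The password is still visible in the container's
  # process list for the duration of the enroll call.
  local org=$1
  local auth=$2
  local ecert_ca="${org}-ca"
  echo "enrolling ${auth%%:*}@${ecert_ca}" >&2
  # Unquoted heredoc: ${...} expands locally; \$ survives for the remote shell.
  # The CA's own TLS cert (issued by cert-manager) is pinned via --tls.certfiles.
  kubectl -n "$NS" exec -i "deploy/${ecert_ca}" -- /bin/sh <<EOF
fabric-ca-client enroll \\
  --url "https://${auth}@${ecert_ca}" \\
  --tls.certfiles /var/hyperledger/fabric-ca-server/tls/ca.crt \\
  --mspdir "\$FABRIC_CA_CLIENT_HOME/${ecert_ca}/rcaadmin/msp"
EOF
}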
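function enroll_bootstrap_ECert_CA_users() {
  # Enroll the bootstrap registrar on every org CA with the shared
  # RCAADMIN_AUTH credential (user:password).
  # Globals (read): RCAADMIN_AUTH
  # Returns: 1 without attempting any enrollment when RCAADMIN_AUTH is
  #          unset or empty -- previously the bare credential was dropped from
  #          the argument list and the enroll ran with no password at all.
  if [[ -z "${RCAADMIN_AUTH:-}" ]]; then
    echo "enroll_bootstrap_ECert_CA_users: RCAADMIN_AUTH must be set" >&2
    return 1
  fi
  push_fn "Enrolling bootstrap ECert CA users"
  local org
  for org in org0 org1 org2; do
    enroll_bootstrap_ECert_CA_user "$org" "$RCAADMIN_AUTH"
  done
  pop_fn
}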