* Run RCAADMIN registration on the host OS, not in k8s Signed-off-by: Josh Kneubuhl <jkneubuh@us.ibm.com> * Fix a typo that caused the log trailer to not exit cleanly on error Signed-off-by: Josh Kneubuhl <jkneubuh@us.ibm.com> * allow a node registration to have been previously created. This allows for multiple 'network up' targets to be run. Signed-off-by: Josh Kneubuhl <jkneubuh@us.ibm.com>
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
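#######################################
# Deploy the three org enrollment (ECert) CAs and wait for them to roll out.
# Globals:   NS (read) - target namespace for all kubectl calls
# Arguments: none
# Outputs:   kubectl rollout progress on stdout
# Returns:   status of the last command run (pop_fn)
#######################################
function launch_ECert_CAs() {
  push_fn "Launching Fabric CAs"

  # Render and apply one CA deployment per org (ordering matches the original
  # script: all three applied, then all three awaited).
  local org
  for org in org0 org1 org2; do
    apply_template "kube/${org}/${org}-ca.yaml"
  done

  # No --timeout is passed, so each wait inherits kubectl's default for
  # 'rollout status' (it does not give up on its own).
  for org in org0 org1 org2; do
    kubectl -n "$NS" rollout status "deploy/${org}-ca"
  done

  # todo: this papers over a nasty bug whereby the CAs are ready, but sporadically
  # refuse connections after a down / up. A fixed delay is not a readiness check;
  # probing the CA endpoint until it answers would be the durable replacement.
  sleep 5

  pop_fn
}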
# experimental: create TLS CA issuers using cert-manager for each org.
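#######################################
# Create the cert-manager TLS trust root and one derived Issuer per org.
# Globals:   NS (read) - namespace holding the issuers and their secrets
# Arguments: none
# Outputs:   kubectl apply/wait output on stdout
# Returns:   status of the last command run (pop_fn)
#######################################
function init_tls_cert_issuers() {
  push_fn "Initializing TLS certificate Issuers"

  # Create a self-signing certificate issuer / root TLS certificate for the blockchain.
  # TODO : Bring-Your-Own-Key - allow the network bootstrap to read an optional ECDSA key pair for the TLS trust root CA.
  # Until BYOK lands the trust root is minted inside the cluster, so whoever can
  # read the issuer's Secret in "$NS" holds the root key — presumably the
  # namespace's Secret RBAC is the effective boundary (manifests not shown; confirm).
  kubectl -n "$NS" apply -f kube/root-tls-cert-issuer.yaml
  kubectl -n "$NS" wait --timeout=30s --for=condition=Ready issuer/root-tls-cert-issuer

  # Use the self-signing issuer to generate three Issuers, one for each org.
  local org
  for org in org0 org1 org2; do
    kubectl -n "$NS" apply -f "kube/${org}/${org}-tls-cert-issuer.yaml"
  done

  # Wait only after all three are applied, matching the original ordering.
  for org in org0 org1 org2; do
    kubectl -n "$NS" wait --timeout=30s --for=condition=Ready "issuer/${org}-tls-cert-issuer"
  done

  pop_fn
}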
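#######################################
# Fetch an org CA's TLS root from its cert-manager secret and enroll the
# bootstrap CA admin against that CA.
# Globals:   NS, TEMP_DIR, DOMAIN, NGINX_HTTPS_PORT, RCAADMIN_USER,
#            RCAADMIN_PASS (read); CA_NAME, CA_DIR (written - left global on
#            purpose, the original did the same and later steps may read them;
#            confirm before making them local)
# Arguments: $1 - org name (e.g. org0)
# Outputs:   progress message on stdout; TLS root cert under ${CA_DIR};
#            enrollment MSP under ${TEMP_DIR}/enrollments/<org>/users/<admin>/msp
# Returns:   1 if the TLS root cert could not be retrieved, else the
#            fabric-ca-client exit status
#######################################
function enroll_bootstrap_ECert_CA_user() {
  local org=$1

  # Determine the CA information and TLS certificate
  CA_NAME=${org}-ca
  CA_DIR=${TEMP_DIR}/cas/${CA_NAME}
  mkdir -p "${CA_DIR}"

  # Read the CA's TLS certificate from the cert-manager CA secret
  echo "retrieving ${CA_NAME} TLS root cert"
  kubectl -n "$NS" get secret "${CA_NAME}-tls-cert" -o json \
    | jq -r '.data."ca.crt"' \
    | base64 -d \
    > "${CA_DIR}/tlsca-cert.pem"

  # Without 'pipefail' a failed kubectl/jq stage still leaves a file behind
  # (empty), and the enrollment below then fails later with a misleading TLS
  # error. Fail here with a clear message instead.
  if [[ ! -s "${CA_DIR}/tlsca-cert.pem" ]]; then
    echo "failed to retrieve TLS root cert for ${CA_NAME}" >&2
    return 1
  fi

  # Enroll the root CA user
  # NOTE(review): the admin secret is carried in the --url argument, so it is
  # visible to any local user via 'ps' and is echoed by 'set -x'. Keep tracing
  # off around this call and do not log the command line; if fabric-ca-client's
  # file/env based configuration is available in this version, prefer it.
  # The TLS root pinned here is the one just written to CA_DIR, so the client
  # only trusts this CA's cert-manager chain, not the system trust store.
  fabric-ca-client enroll \
    --url "https://${RCAADMIN_USER}:${RCAADMIN_PASS}@${CA_NAME}.${DOMAIN}:${NGINX_HTTPS_PORT}" \
    --tls.certfiles "${CA_DIR}/tlsca-cert.pem" \
    --mspdir "${TEMP_DIR}/enrollments/${org}/users/${RCAADMIN_USER}/msp"
}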
#######################################
# Enroll the bootstrap CA admin against each org's ECert CA, in org order.
# Globals:   none directly (see enroll_bootstrap_ECert_CA_user)
# Arguments: none
# Returns:   status of the last command run (pop_fn)
#######################################
function enroll_bootstrap_ECert_CA_users() {
  push_fn "Enrolling bootstrap ECert CA users"

  local org
  for org in org0 org1 org2; do
    enroll_bootstrap_ECert_CA_user "$org"
  done

  pop_fn
}