diff --git a/.gitignore b/.gitignore index cdad32577cf..a5e6f78a537 100644 --- a/.gitignore +++ b/.gitignore @@ -36,3 +36,4 @@ **/node_modules # custom config templates *_custom.tpl +build diff --git a/platforms/hyperledger-fabric/charts/external-chaincode/templates/deployment.yaml b/platforms/hyperledger-fabric/charts/external-chaincode/templates/deployment.yaml index ed890de7dbf..516a8fe57b4 100644 --- a/platforms/hyperledger-fabric/charts/external-chaincode/templates/deployment.yaml +++ b/platforms/hyperledger-fabric/charts/external-chaincode/templates/deployment.yaml @@ -88,17 +88,15 @@ spec: LOOKUP_SECRET_RESPONSE=$(curl -sS --header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" ${VAULT_ADDR}/v1/${vault_secret_key} | jq -r 'if .errors then . else . end') validateVaultResponse "secret (${vault_secret_key})" "${LOOKUP_SECRET_RESPONSE}" - echo ${LOOKUP_SECRET_RESPONSE}; - CACERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data["ca.crt"]') CLIENT_CERT=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data["client.crt"]') CLIENT_KEY=$(echo ${LOOKUP_SECRET_RESPONSE} | jq -r '.data["client.key"]') mkdir -p ${MOUNT_PATH} - echo "${CACERT}" >> ${MOUNT_PATH}/ca.crt - echo "${CLIENT_CERT}" >> ${MOUNT_PATH}/client.crt - echo "${CLIENT_KEY}" >> ${MOUNT_PATH}/client.key + echo "${CACERT}" > ${MOUNT_PATH}/ca.crt + echo "${CLIENT_CERT}" > ${MOUNT_PATH}/client.crt + echo "${CLIENT_KEY}" > ${MOUNT_PATH}/client.key fi volumeMounts: {{ if .Values.vault.tls }} diff --git a/platforms/hyperledger-fabric/charts/install_chaincode/templates/install_chaincode.yaml b/platforms/hyperledger-fabric/charts/install_chaincode/templates/install_chaincode.yaml index 624c8517190..a682acb34d8 100644 --- a/platforms/hyperledger-fabric/charts/install_chaincode/templates/install_chaincode.yaml +++ b/platforms/hyperledger-fabric/charts/install_chaincode/templates/install_chaincode.yaml 
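Review bot: The three rewritten `echo "${CLIENT_KEY}" > ${MOUNT_PATH}/client.key` lines in the deployment.yaml init script create the TLS private key file under the shell's default umask, so it is readable by every user in the pod for as long as the mount exists. A `umask 077` before the `mkdir -p`, or `chmod 600 "${MOUNT_PATH}/client.key"` after the write, closes that, and `"${MOUNT_PATH}"` should be quoted in the redirections as the secret values already are. Switching `>>` to `>` is the right fix for files accumulating across restarts and is not re-raised here. The enclosing `if` block starts outside the hunk.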
@@ -179,7 +179,9 @@ spec: #chaincode path CC_SRC_PATH="github.com/chaincode/${CHAINCODE_NAME}/${CHAINCODE_MAINDIR}" - + cd $GOPATH/src/$CC_SRC_PATH + GO111MODULE=on go mod vendor + cd $GOPATH/src/github.com/chaincode elif [ ${CC_RUNTIME_LANGUAGE} = "java" ] then ## Copying desired chaincode to a location diff --git a/platforms/hyperledger-fabric/charts/install_external_chaincode/templates/install_external_chaincode.yaml b/platforms/hyperledger-fabric/charts/install_external_chaincode/templates/install_external_chaincode.yaml index f5ec815940c..378e35c24e8 100644 --- a/platforms/hyperledger-fabric/charts/install_external_chaincode/templates/install_external_chaincode.yaml +++ b/platforms/hyperledger-fabric/charts/install_external_chaincode/templates/install_external_chaincode.yaml @@ -37,6 +37,9 @@ spec: - name: certificates emptyDir: medium: Memory + - name: chaincodepackage + emptyDir: + medium: Memory initContainers: - name: certificates-init image: {{ $.Values.metadata.images.alpineutils }} 
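Review bot: The added `cd $GOPATH/src/$CC_SRC_PATH` is unchecked, so when the chaincode directory is missing the script stays in its previous directory and `GO111MODULE=on go mod vendor` runs there, surfacing later as an unrelated install failure. `cd "$GOPATH/src/$CC_SRC_PATH" || exit 1` fails fast, and the second `cd` back to `$GOPATH/src/github.com/chaincode` deserves the same guard. `go mod vendor` also fetches any module not in the cache at install time, verified against the chaincode's `go.sum` where entries exist, so the install job now depends on network access and on `go.sum` being committed with the chaincode; worth stating in the chart documentation. The enclosing `if` on `CC_RUNTIME_LANGUAGE` starts outside the hunk.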
@@ -146,6 +149,70 @@ spec:
 {{ end }}
 - name: certificates
 mountPath: /secret
+
+ - name: package-init
+ image: {{ $.Values.metadata.images.alpineutils }}
+ imagePullPolicy: Always
+ env:
+ - name: VAULT_ADDR
+ value: {{ $.Values.vault.address }}
+ - name: KUBERNETES_AUTH_PATH
+ value: {{ $.Values.vault.authpath }}
+ - name: VAULT_APP_ROLE
+ value: {{ $.Values.vault.role }}
+ - name: VAULT_CHAINCODE_PACKAGE_PREFIX
+ value: {{ $.Values.vault.chaincodepackageprefix}}
+ - name: CHAINCODE_NAME
+ value: "{{ $.Values.chaincode.name }}"
+ - name: CHAINCODE_VERSION
+ value: "{{ $.Values.chaincode.version }}"
+ - name: CHAINCODE_MOUNT_PATH
+ value: /chaincodepackage
+ command: ["sh", "-c"]
+ args:
+ - |-
+ #!/usr/bin/env sh
+ ## load encoded package bytes from vault
+
+ validateVaultResponse () {
+ if echo ${2} | grep "errors"; then
+ echo "ERROR: unable to retrieve ${1}: ${2}"
+ exit 1
+ fi
+ }
+
+ KUBE_SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+ echo "Getting secrets from Vault Server: ${VAULT_ADDR}"
+ # Login to Vault and so I can get an approle token
+ VAULT_CLIENT_TOKEN=$(curl -sS --request POST ${VAULT_ADDR}/v1/auth/${KUBERNETES_AUTH_PATH}/login \
+ -H "Content-Type: application/json" \
+ -d '{"role":"'"${VAULT_APP_ROLE}"'","jwt":"'"${KUBE_SA_TOKEN}"'"}' | \
+ jq -r 'if .errors then . else .auth.client_token end')
+ validateVaultResponse 'vault login token' "${VAULT_CLIENT_TOKEN}"
+
+ echo "Getting Package Base64 from Vault in ${VAULT_CHAINCODE_PACKAGE_PREFIX}"
+
+ LOOKUP_PACKAGE_BASE64_RESPONSE=$(curl -sS \
+ --header "X-Vault-Token: ${VAULT_CLIENT_TOKEN}" \
+ ${VAULT_ADDR}/v1/${VAULT_CHAINCODE_PACKAGE_PREFIX} | jq -r 'if .errors then . else . end')
+
+ validateVaultResponse "secret (${VAULT_CHAINCODE_PACKAGE_PREFIX})" "${LOOKUP_PACKAGE_BASE64_RESPONSE}"
+
+ PACKAGE_HASH=$(echo ${LOOKUP_PACKAGE_BASE64_RESPONSE} | jq -r '.data["package-base64"]')
+
+ PACKAGE_BASE64=$(echo ${LOOKUP_PACKAGE_BASE64_RESPONSE} | jq -r '.data["package-base64"]')
+
+ echo ${PACKAGE_BASE64} | base64 -d > ${CHAINCODE_MOUNT_PATH}/${CHAINCODE_NAME}_${CHAINCODE_VERSION}.tgz
+
+ volumeMounts:
+ {{ if .Values.vault.tls }}
+ - name: vaultca
+ mountPath: "/etc/ssl/certs/"
+ readOnly: true
+ {{ end }}
+ - name: chaincodepackage
+ mountPath: /chaincodepackage
+ readOnly: false
 containers:
 - name: installextchaincode
 image: {{ $.Values.metadata.images.fabrictools }}
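Review bot: `PACKAGE_HASH` reads the same `.data["package-base64"]` key as `PACKAGE_BASE64` and is never used, so the archive decoded into `${CHAINCODE_MOUNT_PATH}` reaches `peer lifecycle chaincode install` with no integrity check even though the variable name suggests one was intended; either read a digest stored under its own key and compare it with the decoded file before exiting, e.g. `[ "$(sha256sum "${PKG}" | cut -d' ' -f1)" = "${PACKAGE_HASH}" ] || { echo "ERROR: package digest mismatch"; exit 1; }`, or drop the variable. A second gap is that `jq -r` prints the literal `null` when the key is absent, and `echo null | base64 -d` succeeds, so the init container exits 0 having written a three-byte junk `.tgz`; `[ -n "${PACKAGE_BASE64}" ] && [ "${PACKAGE_BASE64}" != "null" ] || exit 1` before the decode makes that failure visible at the right place. The `validateVaultResponse` helper's `grep "errors"` also matches any response body that merely contains the word, which the existing certificates-init shares.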
@@ -157,30 +224,8 @@ spec: - |- #!/bin/bash sh # tail -f /dev/null; - ## packaging chaincode - if [ "${CHAINCODE_TLS_DISABLED}" == "false" ]; then - CACERT=$(cat ${CHAINCODE_CERTS_PATH}/ca.crt); - CACERT=${CACERT//$'\n'/\\n}; - CLIENT_CERT=$(cat ${CHAINCODE_CERTS_PATH}/client.crt); - CLIENT_CERT=${CLIENT_CERT//$'\n'/\\n}; - CLIENT_KEY=$(cat ${CHAINCODE_CERTS_PATH}/client.key); - CLIENT_KEY=${CLIENT_KEY//$'\n'/\\n}; - echo '{"address":"'${CHAINCODE_ADDR}'","dial_timeout":"10s","tls_required":true,"client_auth_required":true,"client_key":"'${CLIENT_KEY}'","client_cert":"'${CLIENT_CERT}'","root_cert":"'${CACERT}'"}' > connection.json; - fi - if [ "${CHAINCODE_TLS_DISABLED}" == "true" ]; then - echo '{"address":"'${CHAINCODE_ADDR}'","dial_timeout":"10s","tls_required":false,"client_auth_required":false,"client_key":"","client_cert":"","root_cert":""}' > connection.json; - fi - - echo '{"path":"","type":"external","label":"'${CHAINCODE_NAME}_${CHAINCODE_VERSION}'"}' > metadata.json; - - cat connection.json; - cat metadata.json; - - tar cfz code.tar.gz connection.json; - tar cfz ${CHAINCODE_NAME}_${CHAINCODE_VERSION}.tgz code.tar.gz metadata.json - ## Installing Chaincode - peer lifecycle chaincode install ${CHAINCODE_NAME}_${CHAINCODE_VERSION}.tgz + peer lifecycle chaincode install ${CHAINCODE_MOUNT_PATH}/${CHAINCODE_NAME}_${CHAINCODE_VERSION}.tgz echo "Chaincode installed for Fabric v.2.X" #query installed echo "peer query installed" @@ -224,7 +269,12 @@ spec: value: "{{ $.Values.metadata.network.version }}" - name: CC_RUNTIME_LANGUAGE value: "{{ $.Values.chaincode.lang }}" + - name: CHAINCODE_MOUNT_PATH + value: /chaincodepackage volumeMounts: - name: certificates mountPath: /opt/gopath/src/github.com/hyperledger/fabric/crypto readOnly: true + - name: chaincodepackage + mountPath: /chaincodepackage + readOnly: true 
diff --git a/platforms/hyperledger-fabric/charts/peernode/conf/default_core.yaml b/platforms/hyperledger-fabric/charts/peernode/conf/default_core.yaml
index a347a8c99f8..85311f7a4e4 100644
--- a/platforms/hyperledger-fabric/charts/peernode/conf/default_core.yaml
+++ b/platforms/hyperledger-fabric/charts/peernode/conf/default_core.yaml
@@ -555,6 +555,9 @@ chaincode:
 # List of directories to treat as external builders and launchers for
 # chaincode. The external builder detection processing will iterate over the
 # builders in the order specified below.
+ # externalBuilders:
+ # - path: /var/hyperledger/production/buildpacks
+ # name: external-builder
 externalBuilders: []
 # - path: /path/to/directory
 # name: descriptive-builder-name
diff --git a/platforms/hyperledger-fabric/configuration/deploy-external-chaincode.yaml b/platforms/hyperledger-fabric/configuration/deploy-external-chaincode.yaml
new file mode 100644
index 00000000000..872573ba10a
--- /dev/null
+++ b/platforms/hyperledger-fabric/configuration/deploy-external-chaincode.yaml
@@ -0,0 +1,44 @@
+# This playbook executes required tasks to commit chaincode
+# on existing Kubernetes clusters. The Kubernetes clusters should already be created and the infomation
+# to connect to the clusters be updated in the network.yaml file that is used as an input to this playbook
+###########################################################################################
+# To Run this playbook from this directory, use the following command (network.yaml also in this directory)
+# ansible-playbook platforms/hyperledger-fabric/configuration/commit-chaincode.yaml -e "@./network.yaml"
+############################################################################################
+# Please ensure that the ../../shared/configuration playbooks have been run using the same network.yaml
+---
+ # This will apply to ansible_provisioners. /etc/ansible/hosts should be configured with this group
+- hosts: ansible_provisioners
+ gather_facts: no
+ tasks:
+
+ ############################################################################################
+ # This task deploys the external chaincode server for desired org
+ - name: Deploy external chaincode server
+ include_role:
+ name: "create/external_chaincode"
+ vars:
+ docker_url: "{{ network.docker.url }}"
+ name: "{{ item.name | lower}}"
+ namespace: "{{ item.name | lower}}-net"
+ component_type: "{{ item.type | lower}}"
+ component_peers: "{{ item.services.peers }}"
+ org_name: "{{ item.name | lower }}"
+ org_ns: "{{ item.name | lower }}-net"
+ kubernetes: "{{ item.k8s }}"
+ vault: "{{ item.vault }}"
+ peers: "{{ item.services.peers }}"
+ git_url: "{{ item.gitops.git_url }}"
+ git_branch: "{{ item.gitops.branch }}"
+ charts_dir: "{{ item.gitops.chart_source }}"
+ values_dir: "{{playbook_dir}}/../../../{{item.gitops.release_dir}}/{{ item.name | lower }}"
+ loop: "{{ network['organizations'] }}"
+ when: item.type == 'peer' and item.org_status == 'new'
+
+ vars: #These variables can be overriden from the command line
+ privilege_escalate: false #Default to NOT escalate to root privledges
+ install_os: "linux" #Default to linux OS
+ install_arch: "amd64" #Default to amd64 architecture
+ bin_install_dir: "~/bin" #Default to /bin install directory for binaries
+ add_new_org: 'false' # Default to false as this is for main network creation
+ external_chaincode: false # Default to false
diff --git a/platforms/hyperledger-fabric/configuration/deploy-only-peers.yaml b/platforms/hyperledger-fabric/configuration/deploy-only-peers.yaml
index 03611613ae4..e555a76cafe 100644
--- a/platforms/hyperledger-fabric/configuration/deploy-only-peers.yaml
+++ b/platforms/hyperledger-fabric/configuration/deploy-only-peers.yaml
@@ -126,7 +126,7 @@
 component_type: "{{ item.type | lower}}"
 component_services: "{{ item.services }}"
 vault: "{{ item.vault }}"
- git_url: "{{ item.gitops.git_ssh }}"
+ git_url: "{{ item.gitops.git_url }}"
 git_branch: "{{ item.gitops.branch }}"
 docker_url: "{{ network.docker.url }}"
 charts_dir: "{{ item.gitops.chart_source }}"
diff --git a/platforms/hyperledger-fabric/configuration/external-chaincode.yaml b/platforms/hyperledger-fabric/configuration/external-chaincode.yaml
index fccfa52e351..895b8370415 100644
--- a/platforms/hyperledger-fabric/configuration/external-chaincode.yaml
+++ b/platforms/hyperledger-fabric/configuration/external-chaincode.yaml
@@ -93,7 +93,6 @@
 name: "create/chaincode/install-external"
 vars:
 envspace: "{{ network.env.type }}"
- docker_url: "{{ network.docker.url }}"
 name: "{{ item.name | lower}}"
 namespace: "{{ item.name | lower}}-net"
 component_type: "{{ item.type | lower}}"
@@ -152,7 +151,6 @@
 peers: "{{ item.services.peers }}"
 git_url: "{{ item.gitops.git_url }}"
 git_branch: "{{ item.gitops.branch }}"
- docker_url: "{{ network.docker.url }}"
 charts_dir: "{{ item.gitops.chart_source }}"
 values_dir: "{{playbook_dir}}/../../../{{item.gitops.release_dir}}/{{ item.name | lower }}"
 loop: "{{ network['organizations'] }}"
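Review bot: The header comment of the new `deploy-external-chaincode.yaml` is copied from another playbook: it says the playbook "executes required tasks to commit chaincode" and the usage line names `commit-chaincode.yaml`, while the only task in the file is `Deploy external chaincode server`. Suggest `# This playbook deploys the external chaincode server for each new peer organisation` and `# ansible-playbook platforms/hyperledger-fabric/configuration/deploy-external-chaincode.yaml -e "@./network.yaml"`, and fix the carried-over typos `infomation`, `overriden` and `privledges`. The same copied header appears in `install-external-chaincode-only.yaml` in this commit, whose usage line names `external-chaincode.yaml`. The default var `external_chaincode: false` is not referenced by any task in this file, so a comment should say whether a role consumes it or it can be dropped.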
diff --git a/platforms/hyperledger-fabric/configuration/install-chaincode.yaml b/platforms/hyperledger-fabric/configuration/install-chaincode.yaml
index 74efb3157a5..4c385f1f18c 100644
--- a/platforms/hyperledger-fabric/configuration/install-chaincode.yaml
+++ b/platforms/hyperledger-fabric/configuration/install-chaincode.yaml
@@ -113,7 +113,7 @@
 kubernetes: "{{ item.k8s }}"
 vault: "{{ item.vault }}"
 peers: "{{ item.services.peers }}"
- git_url: "{{ item.gitops.git_ssh }}"
+ git_url: "{{ item.gitops.git_url }}"
 git_branch: "{{ item.gitops.branch }}"
 docker_url: "{{ network.docker.url }}"
 charts_dir: "{{ item.gitops.chart_source }}"
diff --git a/platforms/hyperledger-fabric/configuration/install-external-chaincode-only.yaml b/platforms/hyperledger-fabric/configuration/install-external-chaincode-only.yaml
new file mode 100644
index 00000000000..b12559af22c
--- /dev/null
+++ b/platforms/hyperledger-fabric/configuration/install-external-chaincode-only.yaml
@@ -0,0 +1,92 @@
+# This playbook executes required tasks to instal, approve, commit and deploy an external chaincode
+# on existing Kubernetes clusters. The Kubernetes clusters should already be created and the infomation
+# to connect to the clusters be updated in the network.yaml file that is used as an input to this playbook
+###########################################################################################
+# To Run this playbook from this directory, use the following command (network.yaml also in this directory)
+# ansible-playbook platforms/hyperledger-fabric/configuration/external-chaincode.yaml -e "@./network.yaml"
+############################################################################################
+# Please ensure that the ../../shared/configuration playbooks have been run using the same network.yaml
+---
+ # This will apply to ansible_provisioners. /etc/ansible/hosts should be configured with this group
+- hosts: ansible_provisioners
+ gather_facts: no
+ tasks:
+
+ ############################################################################################
+ # This task installs the external chaincode on the desired peers
+ - name: Install external chaincode
+ include_role:
+ name: "create/chaincode/install-external"
+ vars:
+ envspace: "{{ network.env.type }}"
+ name: "{{ item.name | lower}}"
+ namespace: "{{ item.name | lower}}-net"
+ component_type: "{{ item.type | lower}}"
+ component_peers: "{{ item.services.peers }}"
+ org_name: "{{ item.name | lower }}"
+ org_ns: "{{ item.name | lower }}-net"
+ kubernetes: "{{ item.k8s }}"
+ vault: "{{ item.vault }}"
+ peers: "{{ item.services.peers }}"
+ git_url: "{{ item.gitops.git_url }}"
+ git_branch: "{{ item.gitops.branch }}"
+ docker_url: "{{ network.docker.url }}"
+ charts_dir: "{{ item.gitops.chart_source }}"
+ values_dir: "{{playbook_dir}}/../../../{{item.gitops.release_dir}}/{{ item.name | lower }}"
+ loop: "{{ network['organizations'] }}"
+ when: item.type == 'peer' and item.org_status == 'new'
+
+ ############################################################################################
+ # This task approves desired installed chaincode on the peers
+ - name: "Approve chaincode"
+ include_role:
+ name: "create/chaincode/approve"
+ vars:
+ participants: "{{ item.participants }}"
+ docker_url: "{{ network.docker.url }}"
+ loop: "{{ network['channels'] }}"
+ when: participants is defined and '2.' in network.version
+
+ ############################################################################################
+ # This task commits the desired approved chaincode
+ - name: Commit chaincode
+ include_role:
+ name: "create/chaincode/commit"
+ vars:
+ participants: "{{ item.participants }}"
+ docker_url: "{{ network.docker.url }}"
+ approvers: "{{ item.endorsers }}"
+ loop: "{{ network['channels'] }}"
+ loop_control:
+ extended: true
+ when: add_new_org == 'false' and '2.' in network.version
+
+ ############################################################################################
+ # This task deploys the external chaincode server for desired org
+ - name: Deploy external chaincode server
+ include_role:
+ name: "create/external_chaincode"
+ vars:
+ docker_url: "{{ network.docker.url }}"
+ name: "{{ item.name | lower}}"
+ namespace: "{{ item.name | lower}}-net"
+ component_type: "{{ item.type | lower}}"
+ component_peers: "{{ item.services.peers }}"
+ org_name: "{{ item.name | lower }}"
+ org_ns: "{{ item.name | lower }}-net"
+ kubernetes: "{{ item.k8s }}"
+ vault: "{{ item.vault }}"
+ peers: "{{ item.services.peers }}"
+ git_url: "{{ item.gitops.git_url }}"
+ git_branch: "{{ item.gitops.branch }}"
+ charts_dir: "{{ item.gitops.chart_source }}"
+ values_dir: "{{playbook_dir}}/../../../{{item.gitops.release_dir}}/{{ item.name | lower }}"
+ loop: "{{ network['organizations'] }}"
+ when: item.type == 'peer' and item.org_status == 'new'
+
+ vars: #These variables can be overriden from the command line
+ privilege_escalate: false #Default to NOT escalate to root privledges
+ install_os: "linux" #Default to linux OS
+ install_arch: "amd64" #Default to amd64 architecture
+ bin_install_dir: "~/bin" #Default to /bin install directory for binaries
+ add_new_org: 'false' # Default to false as this is for main network creation
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/chaincode-cert/tasks/main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/chaincode-cert/tasks/main.yaml
index baa3a7c2909..163a89dc4dc 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/chaincode-cert/tasks/main.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/create/chaincode-cert/tasks/main.yaml
@@ -5,6 +5,8 @@
 loop: "{{ services.peers }}"
 loop_control:
 loop_var: peer
+ vars:
+ first_peer_name: "{{ (services.peers | first)['name'] }}"
 when:
 - peer.chaincode is defined
 - peer.chaincode.external_chaincode is defined
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/chaincode-cert/tasks/nested_main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/chaincode-cert/tasks/nested_main.yaml
index b9015695f52..404630701b9 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/chaincode-cert/tasks/nested_main.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/create/chaincode-cert/tasks/nested_main.yaml
@@ -14,7 +14,9 @@
 - generate-crypto-chaincode-server.sh
 loop_control:
 loop_var: files
- when: setup_user_env is not defined or setup_user_env == true
+ when:
+ - setup_user_env is not defined or setup_user_env == true
+ - peer.name == first_peer_name
 
 ############################################################################################
 # This task changes the permission for scripts
@@ -26,7 +28,9 @@
 - generate-crypto-chaincode-server.sh
 loop_control:
 loop_var: files
- when: setup_user_env is not defined or setup_user_env == true
+ when:
+ - setup_user_env is not defined or setup_user_env == true
+ - peer.name == first_peer_name
 
 ############################################################################################
 # This task changes the permission for scripts
@@ -34,21 +38,27 @@
 shell: |
 export CA_TOOL_CLI=$(KUBECONFIG={{ kubernetes.config_file }} kubectl get po -n {{ component_name }} | grep "ca-tools" | awk '{print $1}')
 KUBECONFIG={{ kubernetes.config_file }} kubectl cp ./build/generate-crypto-chaincode-server.sh {{ component_name }}/${CA_TOOL_CLI}:/root/ca-tools/{{org_name|lower}}/generate-crypto-chaincode-server.sh
- when: setup_user_env is not defined or setup_user_env == true
+ when:
+ - setup_user_env is not defined or setup_user_env == true
+ - peer.name == first_peer_name
 
 ############################################################################################
 # This task executes generate-crypto-chaincode-server.sh file using the CA Tools to generate user certificate
 - name: Execute generate-crypto-chaincode-server.sh file using the CA Tools
 shell: |
 export CA_TOOL_CLI=$(KUBECONFIG={{ kubernetes.config_file }} kubectl get po -n {{ component_name }} | grep "ca-tools" | awk '{print $1}')
- KUBECONFIG={{ kubernetes.config_file }} kubectl exec -n {{ component_name }} ${CA_TOOL_CLI} -- /root/ca-tools/{{org_name|lower}}/./generate-crypto-chaincode-server.sh {{component_name}} {{org_name|lower}} {{peer.chaincode.name}} chaincode {{org_name}} "{{subject}}" "chaincode-{{peer.chaincode.name}}-{{peer.chaincode.version}}-{{ org_name }}.{{ component_name }}.svc.cluster.local"
+ KUBECONFIG={{ kubernetes.config_file }} kubectl exec -n {{ component_name }} ${CA_TOOL_CLI} -- /root/ca-tools/{{org_name|lower}}/./generate-crypto-chaincode-server.sh {{component_name}} {{org_name|lower}} {{peer.chaincode.name}} chaincode {{org_name}} "{{subject}}" "chaincode-{{peer.chaincode.name}}-{{peer.chaincode.version}}-{{ org_name }}.{{ component_name }}.svc.cluster.local" {{peer.chaincode.version}}
 KUBECONFIG={{ kubernetes.config_file }} kubectl cp {{ component_name }}/${CA_TOOL_CLI}:crypto-config ./build/crypto-config
+ when:
+ - peer.name == first_peer_name
 
 ############################################################################################
 # Copy certificates to vault
 - name: Copy certificates to vault
 shell: |
- vault write {{ vault.secret_path | default('secret') }}/crypto/peerOrganizations/{{ component_name }}/chaincode/{{peer.chaincode.name}} ca.crt="$(cat ./build/crypto-config/peerOrganizations/{{ component_name }}/users/{{peer.chaincode.name}}@{{ component_name }}/tls/ca.crt)" client.crt="$(cat ./build/crypto-config/peerOrganizations/{{ component_name }}/users/{{peer.chaincode.name}}@{{ component_name }}/tls/client.crt)" client.key="$(cat ./build/crypto-config/peerOrganizations/{{ component_name }}/users/{{peer.chaincode.name}}@{{ component_name }}/tls/client.key)"
+ vault write {{ vault.secret_path | default('secret') }}/crypto/peerOrganizations/{{ component_name }}/chaincode/{{peer.chaincode.name}}/certificate/v{{peer.chaincode.version}} ca.crt="$(cat ./build/crypto-config/peerOrganizations/{{ component_name }}/chaincode/{{peer.chaincode.name}}-{{peer.chaincode.version}}@{{ component_name }}/tls/ca.crt)" client.crt="$(cat ./build/crypto-config/peerOrganizations/{{ component_name }}/chaincode/{{peer.chaincode.name}}-{{peer.chaincode.version}}@{{ component_name }}/tls/client.crt)" client.key="$(cat ./build/crypto-config/peerOrganizations/{{ component_name }}/chaincode/{{peer.chaincode.name}}-{{peer.chaincode.version}}@{{ component_name }}/tls/client.key)"
 environment:
 VAULT_ADDR: "{{ vault.url }}"
 VAULT_TOKEN: "{{ vault.root_token }}"
+ when:
+ - peer.name == first_peer_name
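Review bot: The rewritten `vault write ... client.key="$(cat .../tls/client.key)"` line passes the chaincode server's TLS private key as a command-line argument, so it is visible in the provisioner's process list and in Ansible's recorded command while the write runs. The Vault CLI loads a value from a file when it begins with `@`, so `client.key=@./build/crypto-config/peerOrganizations/{{ component_name }}/chaincode/{{peer.chaincode.name}}-{{peer.chaincode.version}}@{{ component_name }}/tls/client.key` (likewise for `ca.crt` and `client.crt`) keeps the key off argv, and the task should carry `no_log: true`. The preceding `kubectl cp ... ./build/crypto-config` now lands under the newly git-ignored `build` directory, but nothing in this hunk removes it afterwards, so the key also persists on the provisioner's disk between runs.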
@@ -3,6 +3,12 @@
 # This role creates value file for the deployment of chaincode approve
 #############################################################################################
 
+############################################################################################
+# Set variable to check approval peers
+# - name: "Create approvalpeers placeholder to store the peers"
+# set_fact:
+# approvalpeers: "{{approvalpeers | default({})}}"
+
 ############################################################################################
 # Create value file for chaincode approve
 - name: "Create value file for chaincode approve"
@@ -10,6 +16,7 @@
 vars:
 org_query: "organizations[?name=='{{participant.name}}']"
 org: "{{ network | json_query(org_query) | first }}"
+ first_peer_name: "{{(participant.peers | first)['name']}}"
 loop: "{{ participants }}"
 loop_control:
 loop_var: participant
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/chaincode/approve/tasks/valuefile.yaml b/platforms/hyperledger-fabric/configuration/roles/create/chaincode/approve/tasks/valuefile.yaml
index 9e64c5d3da7..f826762ab77 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/chaincode/approve/tasks/valuefile.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/create/chaincode/approve/tasks/valuefile.yaml
@@ -1,6 +1,6 @@
 ---
 ############################################################################################
-# This role creates the approve_chaincode value file
+# This role creates the approve_chaincode value file, for one peer per org
 
 # Check or Wait if install-chaincode is already run
 - name: "Waiting for chaincode to be installed on {{ peer.name }}"
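Review bot: The first hunk of approve/tasks/main.yaml adds a commented-out `Create approvalpeers placeholder` task that nothing references; dead tasks in a role file tend to be resurrected without review, so either drop those five lines or replace them with a one-line comment such as `# Approval is generated for the first peer of each participant only; see first_peer_name below`. In the second hunk `first_peer_name` is taken from `participant.peers | first` (the channel's participant entry), while the commit role in this commit selects its peer from `org.services.peers | first`; if those two lists are ordered differently for an org, approval and commit will target different peers, so deriving both from the same list would be safer. This is inferred from the hunks in view and worth confirming against a sample network.yaml.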
@@ -56,7 +56,9 @@
 loop: "{{ org.services.peers }}"
 loop_control:
 loop_var: peer
- when: peer.chaincode is defined and approve_chaincode.resources|length == 0
+ when:
+ - peer.chaincode is defined and approve_chaincode.resources|length == 0
+ - peer.name == first_peer_name
 
 #Git Push : Pushes the above generated files to git directory
 - name: Git Push
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/chaincode/commit/tasks/main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/chaincode/commit/tasks/main.yaml
index e1ab81e6844..4017518ae63 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/chaincode/commit/tasks/main.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/create/chaincode/commit/tasks/main.yaml
@@ -3,6 +3,21 @@
 # This role creates value file for the deployment of chaincode commit
 #############################################################################################
 
+############################################################################################
+# Check if approve-chaincode pods on all orgs are completed
+- name: "Waiting for chaincode to be approve on {{ peer.name }}"
+ include_tasks: wait_for_approval_sub.yaml
+ vars:
+ approve_peer_name: "{{(participant.peers | first)['name']}}"
+ org_query: "organizations[?name=='{{participant.name}}']"
+ org: "{{ network | json_query(org_query) | first }}"
+ peer_query: "peers[?name=='{{approve_peer_name}}']"
+ peer: "{{org.services | json_query(peer_query) | first}}"
+ loop: "{{ participants }}"
+ loop_control:
+ loop_var: participant
+ when: peer.chaincode is defined
+
 ############################################################################################
 # Create value file for chaincode commit
 - name: "Create value file for chaincode commit"
@@ -11,6 +26,28 @@
 channelcreator_query: "participants[?type=='creator']"
 org_query: "organizations[?name=='{{participant.name}}']"
 org: "{{ network | json_query(org_query) | first }}"
+ commit_peer_name: "{{(org.services.peers | first)['name']}}"
 loop: "{{ item | json_query(channelcreator_query) }}"
 loop_control:
 loop_var: participant
+
+
+############################################################################################
+# This task only check for the first peer of the first creator listed
+- name: "Waiting for chaincode to be commited on {{ peer.name }}"
+ include_role:
+ name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component"
+ vars:
+ channelcreator_query: "participants[?type=='creator']"
+ org_query: "organizations[?name=='{{participant.name}}']"
+ org: "{{ network | json_query(org_query) | first }}"
+ peer: "{{ org.services.peers | first}}"
+ kubernetes: "{{ org.k8s }}"
+ component_type: "Job"
+ namespace: "{{ org.name | lower }}-net"
+ component_name: "commitchaincode-{{ peer.chaincode.name }}-{{ peer.chaincode.version }}-{{ peer.chaincode.sequence }}"
+ loop: "{{ (item | json_query(channelcreator_query))[0:1] }}"
+ loop_control:
+ loop_var: participant
+ when:
+ - peer.chaincode is defined and '2.' in network.version
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/chaincode/commit/tasks/valuefile.yaml b/platforms/hyperledger-fabric/configuration/roles/create/chaincode/commit/tasks/valuefile.yaml
index 8ac23661379..98bbe7c41ad 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/chaincode/commit/tasks/valuefile.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/create/chaincode/commit/tasks/valuefile.yaml
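Review bot: The new commit wait task builds `component_name` with `{{ peer.chaincode.sequence }}` and no default, whereas the approval wait added in `wait_for_approval_sub.yaml` in this commit uses `{{ peer.chaincode.sequence | default('1') }}`; a network.yaml that omits `sequence` therefore passes the approval wait and then fails here with an undefined-variable error instead of waiting on the commit job. If the commit job's name applies the same default, change the line to `component_name: "commitchaincode-{{ peer.chaincode.name }}-{{ peer.chaincode.version }}-{{ peer.chaincode.sequence | default('1') }}"`. The task name `Waiting for chaincode to be commited on {{ peer.name }}` should read `committed`.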
@@ -2,20 +2,6 @@
 ############################################################################################
 # This role creates the commit_chaincode value file
 
-# Check or Wait if approve-chaincode is already run
-- name: "Waiting for chaincode to be approve on {{ peer.name }}"
- include_role:
- name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component"
- vars:
- component_type: "Job"
- namespace: "{{ org.name |lower }}-net"
- kubernetes: "{{ org.k8s }}"
- component_name: "approvechaincode-{{ peer.name }}-{{ peer.chaincode.name }}-{{ peer.chaincode.version }}-{{ peer.chaincode.sequence | default('1') }}"
- loop: "{{ org.services.peers }}"
- loop_control:
- loop_var: peer
- when: peer.chaincode is defined
-
 # Check if commit-chaincode is already run
 - name: 'Check for commit-chaincode job'
 include_role:
@@ -45,7 +31,7 @@
 loop_var: organization
 when: organization.type == 'peer'
 
-# Nested task for chaincode commit
+# Nested task for chaincode commit on the commit peer only
 - name: "Create value file for chaincode commit"
 include_role:
 name: helm_component
@@ -67,7 +53,9 @@
 loop: "{{ org.services.peers }}"
 loop_control:
 loop_var: peer
- when: peer.chaincode is defined and commit_chaincode.resources|length == 0
+ when:
+ - peer.chaincode is defined and commit_chaincode.resources|length == 0
+ - peer.name == commit_peer_name
 
 #Git Push : Pushes the above generated files to git directory
 - name: Git Push
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/chaincode/commit/tasks/wait_for_approval_sub.yaml b/platforms/hyperledger-fabric/configuration/roles/create/chaincode/commit/tasks/wait_for_approval_sub.yaml
new file mode 100644
index 00000000000..455e34a9599
--- /dev/null
+++ b/platforms/hyperledger-fabric/configuration/roles/create/chaincode/commit/tasks/wait_for_approval_sub.yaml
@@ -0,0 +1,10 @@
+---
+# This task waits for chaincode to be approved
+- name: "Waiting for chaincode to be approve on {{ peer.name }}"
+ include_role:
+ name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component"
+ vars:
+ component_type: "Job"
+ namespace: "{{ org.name |lower }}-net"
+ kubernetes: "{{ org.k8s }}"
+ component_name: "approvechaincode-{{ peer.name }}-{{ peer.chaincode.name }}-{{ peer.chaincode.version }}-{{ peer.chaincode.sequence | default('1') }}"
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/chaincode/install-external/tasks/main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/chaincode/install-external/tasks/main.yaml
index a886fc05124..9950a222554 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/chaincode/install-external/tasks/main.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/create/chaincode/install-external/tasks/main.yaml
@@ -1,6 +1,110 @@ ########################################################################################### -# This task packages and installs the external chaincode details -- name: Package and installs the external chaincode details +# This task is to create a temporary directory for packaging +- name: Creates temporary package folder + file: + state: directory + path: "tmp/package/{{ org_ns }}" + +# This task copies the certificates used for the packaging to temp folder +- name: Copies the certificate to temp folder + shell: | + export CA_TOOL_CLI=$(KUBECONFIG={{ kubernetes.config_file }} kubectl get po -n {{ org_ns }} | grep "ca-tools" | awk '{print $1}'); + KUBECONFIG={{ kubernetes.config_file }} kubectl cp {{ org_ns }}/${CA_TOOL_CLI}:crypto-config/peerOrganizations/{{ org_ns }}/users/{{ first_peer_name }}-chaincode@{{ org_ns }}/tls ./tmp/package/{{ org_ns }}; + vars: + chaincode_name: "{{ peers[0].chaincode.name | lower }}" + chaincode_version: "{{ peers[0].chaincode.version }}" + chaincode_tls_disabled: "{{ peers[0].chaincode.tls_disabled }}" + package_name: "{{ peers[0].chaincode.name | lower }}_{{ peers[0].chaincode.version }}" + first_peer_name: "{{ peers[0].name }}" + when: + - peers is defined + - peers | length > 0 + +# This task packs the external chaincode details +- name: Generation chaincode connection details with mTLS + shell: | + cd tmp/package/{{ org_ns }} + echo '{}' | jq --arg cc_addr "chaincode-{{ chaincode_name }}-{{ chaincode_version }}-{{ org_name }}.{{ org_ns }}.svc.cluster.local:7052" \ + --arg c_key "$(cat ./client.key)" \ + --arg c_crt "$(cat ./client.crt)" \ + --arg ca_crt "$(cat ./ca.crt)" \ + '{"address": $cc_addr, "dial_timeout":"10s", "tls_required":true, "client_auth_required":true, "client_key":$c_key, "client_cert":$c_crt, "root_cert":$ca_crt}' > connection.json + echo '{"path":"","type":"external","label":"'{{ package_name }}'"}' > metadata.json; + vars: + chaincode_name: "{{ peers[0].chaincode.name | lower }}" + 
chaincode_version: "{{ peers[0].chaincode.version }}" + package_name: "{{ peers[0].chaincode.name | lower }}_{{ peers[0].chaincode.version }}" + when: + - peers is defined + - peers | length > 0 + - peers[0].chaincode.tls_disabled == false + +# This task packs the external chaincode details without tls +- name: Generation chaincode connection details without TLS + shell: | + CHAINCODE_ADDR=chaincode-{{ chaincode_name }}-{{ chaincode_version }}-{{ org_name }}.{{ org_ns }}.svc.cluster.local:7052 + cd tmp/package/{{ org_ns }} + echo '{"address":"'${CHAINCODE_ADDR}'","dial_timeout":"10s","tls_required":false,"client_auth_required":false,"client_key":"","client_cert":"","root_cert":""}' > connection.json + echo '{"path":"","type":"external","label":"'{{ package_name }}'"}' > metadata.json + vars: + chaincode_name: "{{ peers[0].chaincode.name | lower }}" + chaincode_version: "{{ peers[0].chaincode.version }}" + package_name: "{{ peers[0].chaincode.name | lower }}_{{ peers[0].chaincode.version }}" + when: + - peers is defined + - peers | length > 0 + - peers[0].chaincode.tls_disabled == true + +# This tasks packs the chaincode details file +- name : Packs the chaicode package file + shell: | + # Packages chaincode details + cd tmp/package/{{ org_ns }} + tar cfz code.tar.gz connection.json; + tar cfz {{ package_name }}.tgz code.tar.gz metadata.json; + vars: + package_name: "{{ peers[0].chaincode.name | lower }}_{{ peers[0].chaincode.version }}" + when: + - peers is defined + - peers | length > 0 + +# This task checks the +- name: Checks the status of the package file + stat: + path: tmp/package/{{ org_ns }}/{{ package_name }}.tgz + register: packagefile + vars: + package_name: "{{ peers[0].chaincode.name | lower }}_{{ peers[0].chaincode.version }}" + +# This task stops the playbook if the package details file exists +- name: Fails if the package file doesn't exist + fail: + msg: Package doesn't exist, please check the process + when: packagefile.stat.exists == false + +# 
This task saves the package details to vault in base64 format +- name: Saves the package file to vault in base64 format + shell: | + PACKAGE_VAULT_ADDR={{ vault.secret_path | default('secret') }}/crypto/peerOrganizations/{{ org_ns }}/chaincode/{{ chaincode_name }}/package/v{{ chaincode_version }} + vault write ${PACKAGE_VAULT_ADDR} package-base64="$(cat ./tmp/package/{{ org_ns }}/{{ package_name }}.tgz | base64)" + rm -rf ./tmp/package + vars: + chaincode_name: "{{ peers[0].chaincode.name | lower }}" + chaincode_version: "{{ peers[0].chaincode.version }}" + package_name: "{{ peers[0].chaincode.name | lower }}_{{ peers[0].chaincode.version }}" + environment: + VAULT_ADDR: "{{ vault.url }}" + VAULT_TOKEN: "{{ vault.root_token }}" + +# This task delete the packaging temp directory +- name: Deletes the temp package directory + file: + path: "tmp/package/{{ org_ns }}" + state: absent + when: packagefile.stat.exists == true + +# This task installs the external chaincode details +- name: Installs the external chaincode details include_tasks: nested_main.yaml vars: chaincode_name: "{{ peer.chaincode.name | lower }}" diff --git a/platforms/hyperledger-fabric/configuration/roles/create/chaincode/install-external/tasks/nested_main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/chaincode/install-external/tasks/nested_main.yaml index e256e0e1934..a92c34c1901 100644 --- a/platforms/hyperledger-fabric/configuration/roles/create/chaincode/install-external/tasks/nested_main.yaml +++ b/platforms/hyperledger-fabric/configuration/roles/create/chaincode/install-external/tasks/nested_main.yaml 
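Review bot: In `Saves the package file to vault in base64 format` a failed `vault write` is masked, because the shell block has no `set -e` and the task's exit status is that of the trailing `rm -rf ./tmp/package`, so the play continues with no package in Vault while the `connection.json` that embeds the peer's `client.key` is deleted without any record of the failure. The temp directory created by `Creates temporary package folder` also receives that private key with the controller's default permissions. I'd chain the two commands, `vault write ${PACKAGE_VAULT_ADDR} package-base64="$(base64 < ./tmp/package/{{ org_ns }}/{{ package_name }}.tgz)" && rm -rf ./tmp/package`, add `no_log: true` to the task so the base64 payload stays out of Ansible output, and give the `file` task `mode: '0700'`. Note that `Deletes the temp package directory` is already a no-op on the success path, since the shell step removed `./tmp/package` before it runs.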
@@ -16,11 +16,10 @@
 # Copy buildpack for external chaincode
 - name: Copy buildpack for external chaincode
 shell: |
- KUBECONFIG={{ kubernetes.config_file }} kubectl exec -it -n {{ org_ns }} {{ peer.name }}-0 -c {{ peer.name }} -- mkdir -p /var/hyperledger/production/buildpacks/{{ peer.chaincode.name }}/bin
- KUBECONFIG={{ kubernetes.config_file }} kubectl cp {{ peer.chaincode.buildpack_path }}/detect {{ org_ns }}/{{ peer.name }}-0:/var/hyperledger/production/buildpacks/{{ peer.chaincode.name }}/bin/detect -c {{ peer.name }}
- KUBECONFIG={{ kubernetes.config_file }} kubectl cp {{ peer.chaincode.buildpack_path }}/build {{ org_ns }}/{{ peer.name }}-0:/var/hyperledger/production/buildpacks/{{ peer.chaincode.name }}/bin/build -c {{ peer.name }}
- KUBECONFIG={{ kubernetes.config_file }} kubectl cp {{ peer.chaincode.buildpack_path }}/release {{ org_ns }}/{{ peer.name }}-0:/var/hyperledger/production/buildpacks/{{ peer.chaincode.name }}/bin/release -c {{ peer.name }}
- KUBECONFIG={{ kubernetes.config_file }} kubectl exec -it -n {{ org_ns }} {{ peer.name }}-0 -c {{ peer.name }} -- chmod -R 777 /var/hyperledger/production/buildpacks/{{ peer.chaincode.name }}/bin/
+ KUBECONFIG={{ kubernetes.config_file }} kubectl exec -i -n {{ org_ns }} {{ peer.name }}-0 -c {{ peer.name }} -- mkdir -p /var/hyperledger/production/buildpacks/bin
+ KUBECONFIG={{ kubernetes.config_file }} kubectl cp {{ peer.chaincode.buildpack_path }}/. {{ org_ns }}/{{ peer.name }}-0:/var/hyperledger/production/buildpacks/bin -c {{ peer.name }}
+ KUBECONFIG={{ kubernetes.config_file }} kubectl exec -i -n {{ org_ns }} {{ peer.name }}-0 -c {{ peer.name }} -- sh -c "cd /var/hyperledger/production/buildpacks/bin && mv */* ./"
+ KUBECONFIG={{ kubernetes.config_file }} kubectl exec -i -n {{ org_ns }} {{ peer.name }}-0 -c {{ peer.name }} -- chmod -R 777 /var/hyperledger/production/buildpacks/bin/
 when:
 - install_chaincode.resources|length == 0
 - peer.chaincode.buildpack_path is defined
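Review bot: The buildpack scripts now land in one shared `/var/hyperledger/production/buildpacks/bin` instead of the previous per-chaincode `buildpacks/{{ peer.chaincode.name }}/bin`, so two chaincodes on the same peer with different `buildpack_path` values would overwrite each other's `detect`/`build`/`release`; whether that is intended depends on the peer's external-builder configuration, which is not in this diff. The kept `chmod -R 777` leaves scripts the peer executes during chaincode build world-writable inside the container, which is broader than needed; `chmod -R 755` keeps them executable without that. The `mv */* ./` in the new `sh -c` step is unquoted and fails when `kubectl cp` produced no subdirectory, but because the trailing `chmod` is the last command the task still reports success, so a comment stating the expected layout of `buildpack_path` (a single subfolder holding the three scripts, as far as I can tell) would help the next maintainer.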
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/external_chaincode/tasks/main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/external_chaincode/tasks/main.yaml index a6161be7247..3d564cb7295 100644 --- a/platforms/hyperledger-fabric/configuration/roles/create/external_chaincode/tasks/main.yaml +++ b/platforms/hyperledger-fabric/configuration/roles/create/external_chaincode/tasks/main.yaml @@ -8,6 +8,7 @@ loop: "{{ peers }}" loop_control: loop_var: peer + extended: true when: - peer.chaincode is defined - peer.chaincode.external_chaincode is defined diff --git a/platforms/hyperledger-fabric/configuration/roles/create/external_chaincode/tasks/nested_main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/external_chaincode/tasks/nested_main.yaml index 12ecf8a9c03..8ec18aee349 100644 --- a/platforms/hyperledger-fabric/configuration/roles/create/external_chaincode/tasks/nested_main.yaml +++ b/platforms/hyperledger-fabric/configuration/roles/create/external_chaincode/tasks/nested_main.yaml @@ -1,13 +1,4 @@ # Check or Wait if commit-chaincode is already run for v.2.x -- name: "Waiting for chaincode to be commited on {{ peer.name }}" - include_role: - name: "{{ playbook_dir }}/../../shared/configuration/roles/check/helm_component" - vars: - component_type: "Job" - namespace: "{{ org_ns }}" - component_name: "commitchaincode-{{ peer.chaincode.name }}-{{ peer.chaincode.version }}" - when: - - peer.chaincode is defined and '2.' in network.version ############################################################################################ # Check if external-chaincode-server is already running 
@@ -58,7 +49,7 @@ name: "{{ playbook_dir }}/../../shared/configuration/roles/git_push" vars: GIT_DIR: "{{ playbook_dir }}/../../../" - GIT_REPO: "{{ item.gitops.git_push_url }}" + GIT_REPO: "{{ item.gitops.git_repo }}" GIT_USERNAME: "{{ item.gitops.username }}" GIT_EMAIL: "{{ item.gitops.email }}" GIT_PASSWORD: "{{ item.gitops.password }}" diff --git a/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert-clone/Readme.md b/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert-clone/Readme.md new file mode 100644 index 00000000000..26f29633fe2 --- /dev/null +++ b/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert-clone/Readme.md @@ -0,0 +1,19 @@ +## ROLE: peer-chaincode-cert +This role generates and updates TLS certificates for chaincode interactons by peer + +### Tasks +(Variables with * are fetched from the playbook which is calling this role) +#### 1. Copy generate-crypto-peer-chaincode.sh to destination directory +This task copies the generate-crypto-peer-chaincode.sh from scripts folder to specified destination folder + +#### 2. Changing the permission of msp files +This task chnages the permission required for creating msp files + +#### 3. Copy generate_crypto.sh file using the CA Tools +This task pushes the above file to CA CLI Pod. + +#### 4. Execute generate-crypto-peer-chaincode.sh file using the CA Tools +This tasks executes generate-crypto-peer-chaincode.sh inside the CA CLI Pod and copies the generated crypto to a destination folder + +#### 5. Copy certificates to vault +This task copies the generated certificates to vault. \ No newline at end of file diff --git a/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert-clone/tasks/main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert-clone/tasks/main.yaml new file mode 100644 index 00000000000..cc593d27340 --- /dev/null 
+++ b/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert-clone/tasks/main.yaml 
@@ -0,0 +1,80 @@ +############################################################################################ +# This is a test +- name: Display all peers + ansible.builtin.debug: + msg: "Found {{ services | community.general.json_query('peers[*].name') | join(' ') }} for org {{ component_name }}" + +- name: Fails the job if peers are undefined + fail: + msg: peers are undefined for {{ component_name }} + when: services.peers is not defined or services.peers | length == 0 + +- name: Wait for debugging + pause: + prompt: Press any key to continue + +############################################################################################ +# Copy generate-crypto-shared-peer-chaincode.sh script from scrips directory +- name: Copy generate-crypto-shared-peer-chaincode.sh to destination directory + copy: + src: "{{ playbook_dir }}/../scripts/{{ files }}" + dest: build/ + mode: 0755 + remote_src: yes + with_items: + - generate-crypto-shared-peer-chaincode.sh + loop_control: + loop_var: files + when: setup_user_env is not defined or setup_user_env == true + +############################################################################################ +# This task changes the permission +- name: Changing the permissions + file: + path: ./build/{{ files }} + mode: '0775' + with_items: + - generate-crypto-shared-peer-chaincode.sh + loop_control: + loop_var: files + when: setup_user_env is not defined or setup_user_env == true + +############################################################################################ +# This task copies generate-crypto-shared-peer-chaincode.sh file using the CA Tools Pod +- name: Copy generate-crypto-shared-peer-chaincode.sh file using the CA Tools + shell: | + export CA_TOOL_CLI=$(KUBECONFIG={{ kubernetes.config_file }} kubectl get po -n {{ component_name }} | grep "ca-tools" | awk '{print $1}') + KUBECONFIG={{ kubernetes.config_file }} kubectl cp ./build/generate-crypto-shared-peer-chaincode.sh {{ component_name 
}}/${CA_TOOL_CLI}:/root/ca-tools/{{org_name|lower}}/generate-crypto-shared-peer-chaincode.sh + when: setup_user_env is not defined or setup_user_env == true + + +############################################################################################ +# This section is to generate user certificate for peers in the same org using same certificates +# This task executes generate-crypto-shared-peer-chaincode.sh file using the CA Tools to generate user certificate +- name: Execute generate-crypto-shared-peer-chaincode.sh file using the CA Tools + shell: | + export CA_TOOL_CLI=$(KUBECONFIG={{ kubernetes.config_file }} kubectl get po -n {{ component_name }} | grep "ca-tools" | awk '{print $1}') + KUBECONFIG={{ kubernetes.config_file }} kubectl exec -n {{ component_name }} ${CA_TOOL_CLI} -- /root/ca-tools/{{org_name|lower}}/./generate-crypto-shared-peer-chaincode.sh {{component_name}} {{org_name|lower}} {{first_peer_name}}-chaincode app {{org_name}} "{{subject}}" "{{peerlist}}" + KUBECONFIG={{ kubernetes.config_file }} kubectl cp {{ component_name }}/${CA_TOOL_CLI}:crypto-config ./build/crypto-config + vars: + first_peer_name: "{{ services.peers[0].name }}" + peerlist: "{{ services | community.general.json_query('peers[*].name') | join(' ') }}" + +# This task creates certs for peer for external chaincode servers +- name: Creates certs for peer for external chaincode servers + include_tasks: nested_main.yaml + loop: "{{ services.peers }}" + loop_control: + loop_var: peer + when: + - peer.chaincode is defined + - peer.chaincode.external_chaincode is defined + - peer.chaincode.external_chaincode == true + - peer.chaincode.tls_disabled == false + vars: + temp_peer_cert_folder: build/tmp/certs/crypto-config + +# This task clean up variable for the next org +- name: Clean up variable + set_fact: + cert_generated: !!null 
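Review bot: `Wait for debugging` (`pause: prompt: Press any key to continue`) and the `Display all peers` task commented `# This is a test` look like debugging leftovers; the `pause` blocks any run with an attached terminal until a key is pressed, so it should not ship in a role. `Execute generate-crypto-shared-peer-chaincode.sh` also copies the org's entire `crypto-config` tree from the ca-tools pod into `./build/crypto-config` on the controller, although `nested_main.yaml` only reads the `users/{{peer.name}}-chaincode@{{ component_name }}/tls` files; copying just `crypto-config/peerOrganizations/{{ component_name }}/users` limits the private material that lands on disk. The `generate-crypto-shared-peer-chaincode.sh` script this role copies and runs is not part of the visible diff, so I could not check what it does with the `peerlist` argument. The Readme added next to this role is titled `peer-chaincode-cert` and describes `generate-crypto-peer-chaincode.sh`, not the `-shared-` script used here, so it should be updated to match.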
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert-clone/tasks/nested_main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert-clone/tasks/nested_main.yaml
new file mode 100644
index 00000000000..95c96d729c0
--- /dev/null
+++ b/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert-clone/tasks/nested_main.yaml
@@ -0,0 +1,11 @@
+#############################################################################################
+# This role generates crypto material for users.
+#############################################################################################
+############################################################################################
+# Copy certificates to vault
+- name: Copy certificates to vault
+ shell: |
+ vault write {{ vault.secret_path | default('secret') }}/crypto/peerOrganizations/{{ component_name }}/peers/{{ peer.name }}.{{ component_name }}/chaincode ca.crt="$(cat ./build/crypto-config/peerOrganizations/{{ component_name }}/users/{{peer.name}}-chaincode@{{ component_name }}/tls/ca.crt)" client.crt="$(cat ./build/crypto-config/peerOrganizations/{{ component_name }}/users/{{peer.name}}-chaincode@{{ component_name }}/tls/client.crt)" client.key="$(cat ./build/crypto-config/peerOrganizations/{{ component_name }}/users/{{peer.name}}-chaincode@{{ component_name }}/tls/client.key)"
+ environment:
+ VAULT_ADDR: "{{ vault.url }}"
+ VAULT_TOKEN: "{{ vault.root_token }}"
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert/tasks/main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert/tasks/main.yaml
index d192fe7e7e7..c07b4efa05a 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert/tasks/main.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert/tasks/main.yaml
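Review bot: The `vault write` passes the peer's `client.key` (and both certificates) as command-line arguments through `$(cat ...)`, so the private key is visible in the controller's process list for the duration of the call and is printed verbatim in the task output when the play runs with `-v`. The Vault CLI reads a value from a file when it is prefixed with `@`, so `client.key=@./build/crypto-config/peerOrganizations/{{ component_name }}/users/{{peer.name}}-chaincode@{{ component_name }}/tls/client.key` (and likewise for `ca.crt` and `client.crt`) keeps the material out of argv, and `no_log: true` on the task keeps it out of the logs. The task also runs with `vault.root_token`; that matches the other roles in this diff, but a token limited to `{{ vault.secret_path }}/crypto/peerOrganizations/{{ component_name }}` would bound what a leaked controller credential can do.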
@@ -1,4 +1,10 @@
 ############################################################################################
+# This task clean up the temp folder for certificate generation
+- name: Clean up temp folder
+ file:
+ state: absent
+ path: build/tmp/certs
+
 # This task creates certs for peer for external chaincode servers
 - name: Creates certs for peer for external chaincode servers
 include_tasks: nested_main.yaml
@@ -10,3 +16,10 @@
 - peer.chaincode.external_chaincode is defined
 - peer.chaincode.external_chaincode == true
 - peer.chaincode.tls_disabled == false
+ vars:
+ temp_peer_cert_folder: build/tmp/certs/crypto-config
+
+# This task clean up variable for the next org
+- name: Clean up variable
+ set_fact:
+ cert_generated: !!null
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert/tasks/nested_main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert/tasks/nested_main.yaml
index 18262b41102..9af7372a181 100644
--- a/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert/tasks/nested_main.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/create/peer-chaincode-cert/tasks/nested_main.yaml
@@ -7,7 +7,7 @@
 - name: Copy generate-crypto-peer-chaincode.sh to destination directory
 copy:
 src: "{{ playbook_dir }}/../scripts/{{ files }}"
- dest: "./build/{{ files }}"
+ dest: build/
 mode: 0755
 remote_src: yes
 with_items:
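Review bot: `Clean up temp folder` removes `build/tmp/certs` only at the start of the role, so once the role finishes the copied `crypto-config` user folders (whose `tls` directory holds the peer's `client.key`) and the `ca-tools` client MSP stay under `build/tmp/certs/crypto-config` on the controller until the next run. A second `file: path: build/tmp/certs, state: absent` placed after `Clean up variable` closes that window. Resetting the fact with `cert_generated: !!null` is what the `cert_generated|default(None) == None` checks in `nested_main.yaml` rely on, but a one-line comment saying the fact is cleared so the next org enrolls a fresh identity rather than re-using this one would make the intent clear to the next reader.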
@@ -37,12 +37,110 @@ when: setup_user_env is not defined or setup_user_env == true ############################################################################################ +# This section is to generate user certificate for peers in the same org using same certificates # This task executes generate-crypto-peer-chaincode.sh file using the CA Tools to generate user certificate -- name: Execute generate-crypto-peer-chaincode.sh file using the CA Tools +- name: Execute generate-crypto-peer-chaincode.sh file using the CA Tools shell: | export CA_TOOL_CLI=$(KUBECONFIG={{ kubernetes.config_file }} kubectl get po -n {{ component_name }} | grep "ca-tools" | awk '{print $1}') KUBECONFIG={{ kubernetes.config_file }} kubectl exec -n {{ component_name }} ${CA_TOOL_CLI} -- /root/ca-tools/{{org_name|lower}}/./generate-crypto-peer-chaincode.sh {{component_name}} {{org_name|lower}} {{peer.name}}-chaincode app {{org_name}} "{{subject}}" KUBECONFIG={{ kubernetes.config_file }} kubectl cp {{ component_name }}/${CA_TOOL_CLI}:crypto-config ./build/crypto-config + KUBECONFIG={{ kubernetes.config_file }} kubectl cp {{ component_name }}/${CA_TOOL_CLI}:/root/ca-tools ./build/ca-tools + when: cert_generated|default(None) == None + +# This task copies the first set of certificates to a temp folder, which will be copied to the new peers in the same orgs later +- name: Copy peer certificates to temp folder + shell: | + mkdir -p {{temp_peer_cert_folder}} && cp -a ./build/crypto-config/peerOrganizations {{temp_peer_cert_folder}} && + cp -a ./build/ca-tools {{temp_peer_cert_folder}} + when: cert_generated|default(None) == None + +# This task is to set variables to keep track of the certifcate for the first peer +- name: Set varibles if crypto-config is copied + set_fact: + peer_admin_cert_file: "{{temp_peer_cert_folder}}/peerOrganizations/{{component_name}}/users/{{peer.name}}-chaincode@{{component_name}}/msp/admincerts/{{peer.name}}-chaincode@{{component_name}}-cert.pem" + 
src_peer_cert_file_name: "{{peer.name}}-chaincode@{{component_name}}-cert.pem" + peer_cert_folder: "{{temp_peer_cert_folder}}/peerOrganizations/{{component_name}}/users/{{peer.name}}-chaincode@{{component_name}}" + peer_ca_tool_folder: "{{temp_peer_cert_folder}}/ca-tools/{{org_name|lower}}/client{{peer.name}}-chaincode" + ca_tool_admin_full_path: "{{temp_peer_cert_folder}}/ca-tools/{{org_name|lower}}/client{{peer.name}}-chaincode/msp/admincerts/{{peer.name}}-chaincode@{{component_name}}-cert.pem" + src_peer_ca_tool_file_name: "{{peer.name}}-chaincode@{{component_name}}-cert.pem" + when: + - cert_generated|default(None) == None + +# This task is to copy the files peer certifcate to target temp folder +- name: Copy peer certificates to local + shell: | + mkdir -p {{temp_peer_cert_folder}}/peerOrganizations/{{component_name}}/users/{{peer.name}}-chaincode@{{component_name}} && + cp -a {{ peer_cert_folder }}/. {{temp_peer_cert_folder}}/peerOrganizations/{{component_name}}/users/{{peer.name}}-chaincode@{{component_name}}/ && + mkdir -p {{temp_peer_cert_folder}}/ca-tools/{{org_name|lower}}/client{{peer.name}}-chaincode && + cp -a {{peer_ca_tool_folder}}/. 
{{temp_peer_cert_folder}}/ca-tools/{{org_name|lower}}/client{{peer.name}}-chaincode/ + when: + - cert_generated|default(None) == true + +# This task copies the certificate which needs to be renamed for particular peer in crypto-config +- name: Copy crypto-config peer certificate file with correct peer name under crypto-config + ansible.builtin.copy: + src: "{{peer_admin_cert_file}}" + dest: "{{temp_peer_cert_folder}}/peerOrganizations/{{component_name}}/users/{{peer.name}}-chaincode@{{component_name}}/msp/admincerts/{{peer.name}}-chaincode@{{component_name}}-cert.pem" + remote_src: true + when: + - cert_generated|default(None) == true + +# This task copies the certificate which needs to be renamed for particular peer in ca-tool +- name: Copy ca-tool peer certificate file with correct peer name under ca-tool + ansible.builtin.copy: + src: "{{ca_tool_admin_full_path}}" + dest: "{{temp_peer_cert_folder}}/ca-tools/{{org_name|lower}}/client{{peer.name}}-chaincode/msp/admincerts/{{peer.name}}-chaincode@{{component_name}}-cert.pem" + remote_src: true + when: + - cert_generated|default(None) == true + +# This task removes the certificate not below to the target peer under crypto-config +- name: Remove useless certficiate file in the new peer folder under crypto-config + ansible.builtin.file: + path: "{{temp_peer_cert_folder}}/peerOrganizations/{{component_name}}/users/{{peer.name}}-chaincode@{{component_name}}/msp/admincerts/{{src_peer_cert_file_name}}" + state: absent + when: + - cert_generated|default(None) == true + +# This task removes the certificate not below to the target peer +- name: Remove useless certficiate file in the new peer folder under ca-tool + ansible.builtin.file: + path: "{{temp_peer_cert_folder}}/ca-tools/{{org_name|lower}}/client{{peer.name}}-chaincode/msp/admincerts/{{src_peer_ca_tool_file_name}}" + state: absent + when: + - cert_generated|default(None) == true + +# This task copies all the certificate for the peer back to ca-tool pod +- name: Copy 
certificate to peer pod + shell: | + export CA_TOOL_CLI=$(KUBECONFIG={{ kubernetes.config_file }} kubectl get po -n {{ component_name }} | grep "ca-tools" | awk '{print $1}') + KUBECONFIG={{ kubernetes.config_file }} kubectl cp {{temp_peer_cert_folder}}/peerOrganizations/{{component_name}}/users/{{peer.name}}-chaincode@{{component_name}} {{ component_name }}/${CA_TOOL_CLI}:crypto-config/peerOrganizations/{{component_name}}/users + KUBECONFIG={{ kubernetes.config_file }} kubectl cp {{temp_peer_cert_folder}}/ca-tools/{{org_name|lower}}/client{{peer.name}}-chaincode {{ component_name }}/${CA_TOOL_CLI}:/root/ca-tools/{{org_name|lower}} + when: + - cert_generated|default(None) == true + +# Copy to ./build/crypto-config for vault saving +- name: Copy certificates to ./build/crypto-config for Vault + shell: | + mkdir -p ./build/crypto-config/peerOrganizations/{{component_name}}/users/{{peer.name}}-chaincode@{{component_name}} && + cp -a {{temp_peer_cert_folder}}/peerOrganizations/{{component_name}}/users/{{peer.name}}-chaincode@{{component_name}}/. ./build/crypto-config/peerOrganizations/{{component_name}}/users/{{peer.name}}-chaincode@{{component_name}} + when: + - cert_generated|default(None) == true + +# This task is to check if the crypto-config file exists +- name: Check if the crypto-config/peerOrganizations/ca-tools file are copied + stat: + path: "{{temp_peer_cert_folder}}/ca-tools" + register: crypto_config_files + when: cert_generated|default(None) == None + +# This task is to set variables if the file exists +- name: Set varibles if crypto-config is copied + set_fact: + cert_generated: true + when: + - cert_generated|default(None) == None + - crypto_config_files.stat.exists ############################################################################################ # Copy certificates to vault 
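Review bot: Every peer of an org after the first now reuses the first peer's enrolled user folder, copied wholesale by `Copy peer certificates to local` (presumably including its private key), with only the `admincerts` file renamed to the new peer's name; the certificate inside still names `{{first peer}}-chaincode`, so the file name no longer matches the identity, the chaincode server presumably cannot tell peers apart by client certificate, and compromise of one peer's `client.key` exposes every peer in the org. If that sharing is the intended trade-off it deserves a comment at the top of this section saying so and why; otherwise enrolling each peer (what the task did before it was gated by `cert_generated|default(None) == None`) keeps one key per peer. The first task also pulls the whole `/root/ca-tools` tree from the CA pod into `./build/ca-tools`, although only `client{{peer.name}}-chaincode` is used afterwards; copying that subfolder limits what private material lands on the controller. The role continues past this hunk into the Vault-write section, which is outside my view.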
diff --git a/platforms/hyperledger-fabric/configuration/roles/create/peers/tasks/nested_main.yaml b/platforms/hyperledger-fabric/configuration/roles/create/peers/tasks/nested_main.yaml index 3ec5a45235e..4fe12b4748e 100644 --- a/platforms/hyperledger-fabric/configuration/roles/create/peers/tasks/nested_main.yaml +++ b/platforms/hyperledger-fabric/configuration/roles/create/peers/tasks/nested_main.yaml @@ -13,7 +13,7 @@ - peer.core_yaml is defined - peer.core_yaml.initialize_from == 'file' - peer.core_yaml.configpath is defined - - peer.core_yaml.tpl == true + # - peer.core_yaml.tpl == true ############################################################################################ # This task fetches the custom core.yaml @@ -58,7 +58,7 @@ loop_var: peer when: - peer.peerstatus is not defined or peer.peerstatus == 'new' - - update_core_yaml is undefined or update_core_yaml == false + # - update_core_yaml is undefined or update_core_yaml == false #Git Push : Pushes the above generated files to git directory - name: Git Push diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/external_chaincode.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/external_chaincode.tpl index e41f9dcb016..ecf23191eae 100644 --- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/external_chaincode.tpl +++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/external_chaincode.tpl 
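Review bot: The two conditions `- peer.core_yaml.tpl == true` and `- update_core_yaml is undefined or update_core_yaml == false` are commented out rather than deleted, which reads as a debugging leftover; if dropping them is intentional, delete the lines and state in the task comment why the value file must now be regenerated even when `update_core_yaml` is true, otherwise restore them. With the second condition gone, the task (whose body lies outside the hunk) runs for every `new` peer regardless of `update_core_yaml`, so any caller that relied on the flag to skip regeneration changes behavior silently.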
@@ -33,8 +33,8 @@ spec: vault: role: vault-role address: {{ vault.url }} - authpath: {{ namespace }}-auth - chaincodesecretprefix: {{ vault.secret_path | default('secret') }}/crypto/peerOrganizations/{{ namespace }}/chaincode/{{ peer.chaincode.name }} + authpath: {{ network.env.type }}{{ namespace }}-auth + chaincodesecretprefix: {{ vault.secret_path | default('secret') }}/crypto/peerOrganizations/{{ namespace }}/chaincode/{{ peer.chaincode.name }}/certificate/v{{ peer.chaincode.version }} serviceaccountname: vault-auth imagesecretname: regcred diff --git a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/install_external_chaincode_job.tpl b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/install_external_chaincode_job.tpl index 9d06024979a..0fcc845a730 100644 --- a/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/install_external_chaincode_job.tpl +++ b/platforms/hyperledger-fabric/configuration/roles/helm_component/templates/install_external_chaincode_job.tpl @@ -36,6 +36,7 @@ spec: imagesecretname: regcred secretgitprivatekey: {{ vault.secret_path | default('secret') }}/credentials/{{ namespace }}/git?git_password tls: false + chaincodepackageprefix: {{ vault.secret_path | default('secret') }}/crypto/peerOrganizations/{{ namespace }}/chaincode/{{ component_chaincode.name | lower | e }}/package/v{{ component_chaincode.version }} chaincode: name: {{ component_chaincode.name | lower | e }} version: {{ component_chaincode.version }} diff --git a/platforms/hyperledger-fabric/configuration/roles/setup/config_block/orderer_sign/tasks/nested_orderer_cli_sign.yaml b/platforms/hyperledger-fabric/configuration/roles/setup/config_block/orderer_sign/tasks/nested_orderer_cli_sign.yaml index d6f611dd1a6..a161c9a42d5 100644 --- a/platforms/hyperledger-fabric/configuration/roles/setup/config_block/orderer_sign/tasks/nested_orderer_cli_sign.yaml 
+++ b/platforms/hyperledger-fabric/configuration/roles/setup/config_block/orderer_sign/tasks/nested_orderer_cli_sign.yaml
@@ -12,7 +12,7 @@
 component_name: "cli-{{ channel_name }}-{{ org.name }}-{{ orderer.name }}"
 orderer_name: "{{ orderer.name }}"
 component_ns: "{{ org.name | lower}}-net"
- git_url: "{{ org.gitops.git_ssh }}"
+ git_url: "{{ org.gitops.git_url }}"
 git_branch: "{{ org.gitops.branch }}"
 charts_dir: "{{ org.gitops.chart_source }}"
 vault: "{{ org.vault }}"
diff --git a/platforms/hyperledger-fabric/configuration/roles/setup/fetch_core_yaml/tasks/main.yaml b/platforms/hyperledger-fabric/configuration/roles/setup/fetch_core_yaml/tasks/main.yaml
index 36aa2e84668..8c5048738ff 100644
--- a/platforms/hyperledger-fabric/configuration/roles/setup/fetch_core_yaml/tasks/main.yaml
+++ b/platforms/hyperledger-fabric/configuration/roles/setup/fetch_core_yaml/tasks/main.yaml
@@ -3,7 +3,9 @@
 - name: Fetch current core.yaml from running peers
 shell: |
 export POD_NAME=$(KUBECONFIG={{ kubernetes.config_file }} kubectl get po -n {{ component_name }} | grep "{{ peer.name }}-0" | awk '{print $1}')
- KUBECONFIG={{ kubernetes.config_file }} kubectl cp {{ component_name }}/${POD_NAME}:/etc/hyperledger/fabric/core.yaml -c {{ peer.name }} ../../../build/{{ peer.name }}-core.yaml
+ KUBECONFIG={{ kubernetes.config_file }} kubectl cp {{ component_name }}/${POD_NAME}:/etc/hyperledger/fabric/core.yaml -c {{ peer.name }} ../../../build/{{ peer.name }}-{{ org_name }}-core.yaml
+ vars:
+ org_name: "{{ item.name }}"
 loop_control:
 loop_var: peer
 loop: "{{ component_services.peers }}"
diff --git a/platforms/hyperledger-fabric/configuration/update-orderer-yaml.yaml b/platforms/hyperledger-fabric/configuration/update-orderer-yaml.yaml
index a71c540dddb..642cc72f513 100644
--- a/platforms/hyperledger-fabric/configuration/update-orderer-yaml.yaml
+++ b/platforms/hyperledger-fabric/configuration/update-orderer-yaml.yaml
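Review bot: `org_name: "{{ item.name }}"` depends on `item` being the loop variable of whichever play included this role, which is not visible here; inside the role the loop variable is `peer`, so if a caller loops with its own `loop_var` or includes the role outside a loop, `item` is undefined and the task fails. Having the caller pass the org name explicitly as a role var (and documenting it in the task comment) removes that hidden coupling; `component_name` cannot be reused for it, since this task uses `component_name` as the namespace.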
@@ -22,7 +22,7 @@ component_type: "{{ item.type | lower}}" component_services: "{{ item.services }}" vault: "{{ item.vault }}" - git_url: "{{ item.gitops.git_ssh }}" + git_url: "{{ item.gitops.git_url }}" git_branch: "{{ item.gitops.branch }}" docker_url: "{{ network.docker.url }}" charts_dir: "{{ item.gitops.chart_source }}" diff --git a/platforms/hyperledger-fabric/configuration/update-peer-core-yaml.yaml b/platforms/hyperledger-fabric/configuration/update-peer-core-yaml.yaml index 44adfbd5d57..187634e376b 100644 --- a/platforms/hyperledger-fabric/configuration/update-peer-core-yaml.yaml +++ b/platforms/hyperledger-fabric/configuration/update-peer-core-yaml.yaml @@ -22,7 +22,7 @@ component_type: "{{ item.type | lower}}" component_services: "{{ item.services }}" vault: "{{ item.vault }}" - git_url: "{{ item.gitops.git_ssh }}" + git_url: "{{ item.gitops.git_url }}" git_branch: "{{ item.gitops.branch }}" docker_url: "{{ network.docker.url }}" charts_dir: "{{ item.gitops.chart_source }}" diff --git a/platforms/hyperledger-fabric/scripts/generate-crypto-chaincode-server.sh b/platforms/hyperledger-fabric/scripts/generate-crypto-chaincode-server.sh index f3dfd4c94fa..477c2f01327 100644 --- a/platforms/hyperledger-fabric/scripts/generate-crypto-chaincode-server.sh +++ b/platforms/hyperledger-fabric/scripts/generate-crypto-chaincode-server.sh @@ -7,14 +7,23 @@ fi set -x # Input parameters +# orgname-net FULLY_QUALIFIED_ORG_NAME=$1 +# orgname | lower ORG_NAME=$2 -TYPE_FOLDER=peers -ID_NAME=$3 +TYPE_FOLDER=chaincode +# chaincode_name +CHAINCODE_NAME=$3 +# chaincode ID_TYPE=$4 +# org_name AFFILIATION=$5 +# ca subject SUBJECT=$6 +# chaincode hostname HOST=$7 +# chaincode version +VERSION=$8 # Local variables CURRENT_DIR=${PWD} 
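Review bot: The script now takes `VERSION=$8`, but nothing checks that it (or the other seven positionals) was supplied; unless a `set -u` sits above this hunk, an empty `VERSION` silently produces an identity named `${CHAINCODE_NAME}-@${FULLY_QUALIFIED_ORG_NAME}` and an MSP folder `v` in the hunk that follows. A one-line guard per parameter, e.g. `: "${VERSION:?chaincode version (arg 8) is required}"`, turns that into an immediate, readable failure. The new per-argument comments are helpful; since `$3` changed meaning from `ID_NAME` to `CHAINCODE_NAME` and `$8` is new, I'd also add a usage line at the top listing the eight arguments in order so callers updated separately can be checked against it.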
@@ -27,34 +36,32 @@ ORG_HOME="${HOME}/ca-tools/${ORG_NAME}"
 ## Register and enroll chaincode cert for peer
 # Get the user identity
-ORG_USER="${ID_NAME}@${FULLY_QUALIFIED_ORG_NAME}"
-ORG_USERPASS="${ID_NAME}@${FULLY_QUALIFIED_ORG_NAME}-pw"
-ADMIN_USER="Admin@${FULLY_QUALIFIED_ORG_NAME}"
-ADMIN_USERPASS="Admin@${FULLY_QUALIFIED_ORG_NAME}-pw"
+ORG_USER="${CHAINCODE_NAME}-${VERSION}@${FULLY_QUALIFIED_ORG_NAME}"
+ORG_USERPASS="${CHAINCODE_NAME}-${VERSION}@${FULLY_QUALIFIED_ORG_NAME}-pw"
 # Checking if the user msp folder exists in the CA server
-if [ ! -d "${ORG_HOME}/client${ID_NAME}" ]; then # if user certificates do not exist
+if [ ! -d "${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}" ]; then # if user certificates do not exist
 ## Register and enroll User for Org
 fabric-ca-client register -d --id.name ${ORG_USER} --id.secret ${ORG_USERPASS} --id.type ${ID_TYPE} --csr.names "${SUBJECT}" --id.affiliation ${AFFILIATION} --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER}
 # Enroll the registered user to generate enrollment certificate
- fabric-ca-client enroll -d -u https://${ORG_USER}:${ORG_USERPASS}@${CA} --csr.names "${SUBJECT}" --tls.certfiles ${ROOT_TLS_CERT} --home ${ORG_HOME}/client${ID_NAME}
+ fabric-ca-client enroll -d -u https://${ORG_USER}:${ORG_USERPASS}@${CA} --csr.names "${SUBJECT}" --tls.certfiles ${ROOT_TLS_CERT} --home ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}
- mkdir ${ORG_HOME}/client${ID_NAME}/msp/admincerts
- cp ${ORG_HOME}/client${ID_NAME}/msp/signcerts/* ${ORG_HOME}/client${ID_NAME}/msp/admincerts/${ORG_USER}-cert.pem
+ mkdir ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/msp/admincerts
+ cp ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/msp/signcerts/* ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/msp/admincerts/${ORG_USER}-cert.pem
- mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_USER}
- cp -R ${ORG_HOME}/client${ID_NAME}/msp ${ORG_CYPTO_FOLDER}/users/${ORG_USER}
+ mkdir -p ${ORG_CYPTO_FOLDER}/chaincode/${ORG_USER}
+ cp 
-R ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/msp ${ORG_CYPTO_FOLDER}/chaincode/${ORG_USER}
 # Get TLS cert for user and copy to appropriate location
- fabric-ca-client enroll -d --enrollment.profile tls -u https://${ORG_USER}:${ORG_USERPASS}@${CA} -M ${ORG_HOME}/client${ID_NAME}/tls --tls.certfiles ${ROOT_TLS_CERT} --csr.hosts "${HOST}"
+ fabric-ca-client enroll -d --enrollment.profile tls -u https://${ORG_USER}:${ORG_USERPASS}@${CA} -M ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/tls --tls.certfiles ${ROOT_TLS_CERT} --csr.hosts "${HOST}"
 # Copy the TLS key and cert to the appropriate place
- mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/tls
- cp ${ORG_HOME}/client${ID_NAME}/tls/keystore/* ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/tls/client.key
- cp ${ORG_HOME}/client${ID_NAME}/tls/signcerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/tls/client.crt
- cp ${ORG_HOME}/client${ID_NAME}/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/tls/ca.crt
+ mkdir -p ${ORG_CYPTO_FOLDER}/chaincode/${ORG_USER}/tls
+ cp ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/tls/keystore/* ${ORG_CYPTO_FOLDER}/chaincode/${ORG_USER}/tls/client.key
+ cp ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/tls/signcerts/* ${ORG_CYPTO_FOLDER}/chaincode/${ORG_USER}/tls/client.crt
+ cp ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/chaincode/${ORG_USER}/tls/ca.crt
 else # If User certificate exists
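Review bot: `CHAINCODE_NAME` and `VERSION` now make up both the CA identity on the `ORG_USER` line and the on-disk path `${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}`, and every expansion is unquoted, so a value containing `/` or whitespace would write outside the intended directory or split the `fabric-ca-client` arguments instead of failing. A check once the parameters are read, `case "${CHAINCODE_NAME}${VERSION}" in *[/[:space:]]*) echo "chaincode name and version must be single path components" >&2; exit 1 ;; esac`, together with quoting the expansions, closes that. The enrollment secret on the new `ORG_USERPASS` line is still derived from the identity name and is echoed by the `set -x` earlier in the file; that predates this change, but a comment stating that the secret is derivable and lands in trace output would help whoever next reviews the logging. The `if` block opened here continues into the next hunk.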
@@ -62,25 +69,23 @@ else # If User certificate exists
 CUR_DATETIME=$(date -d "$(echo $(date)' + 5 minutes')" +'%Y%m%d%H%M%S')
 # Extracting "notAfter" datetime from the existing user certificate | e.g. 20210302182036
- CERT_DATETIME=$(date -d "$(echo $(openssl x509 -noout -enddate < ${ORG_HOME}/client${ID_NAME}/msp/signcerts/cert.pem) | sed 's/notAfter=//g')" +'%Y%m%d%H%M%S')
+ CERT_DATETIME=$(date -d "$(echo $(openssl x509 -noout -enddate < ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/msp/signcerts/cert.pem) | sed 's/notAfter=//g')" +'%Y%m%d%H%M%S')
 # In case the certificate is expired or attrs key and value pairs do not match completly, generate a new certificate for the user
 if [ "${CUR_DATETIME}" -ge "$CERT_DATETIME" ]; then
 # Generate a new enrollment certificate
- fabric-ca-client enroll -d -u https://${ORG_USER}:${ORG_USERPASS}@${CA} --csr.names "${SUBJECT}" --tls.certfiles ${ROOT_TLS_CERT} --home ${ORG_HOME}/client${ID_NAME}
+ fabric-ca-client enroll -d -u https://${ORG_USER}:${ORG_USERPASS}@${CA} --csr.names "${SUBJECT}" --tls.certfiles ${ROOT_TLS_CERT} --home ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}
- cp ${ORG_HOME}/client${ID_NAME}/msp/signcerts/* ${ORG_HOME}/client${ID_NAME}/msp/admincerts/${ORG_USER}-cert.pem
- cp -R ${ORG_HOME}/client${ID_NAME}/msp ${ORG_CYPTO_FOLDER}/users/${ORG_USER}
+ cp ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/msp/signcerts/* ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/msp/admincerts/${ORG_USER}-cert.pem
+ cp -R ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/msp ${ORG_CYPTO_FOLDER}/chaincode/${ORG_USER}
 # Get TLS cert for user and copy to appropriate location
- fabric-ca-client enroll -d --enrollment.profile tls -u https://${ORG_USER}:${ORG_USERPASS}@${CA} -M ${ORG_HOME}/client${ID_NAME}/tls --tls.certfiles ${ROOT_TLS_CERT} --csr.hosts "${HOST}"
+ fabric-ca-client enroll -d --enrollment.profile tls -u https://${ORG_USER}:${ORG_USERPASS}@${CA} -M 
${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/tls --tls.certfiles ${ROOT_TLS_CERT} --csr.hosts "${HOST}"
 # Copy the TLS key and cert to the appropriate place
- cp ${ORG_HOME}/client${ID_NAME}/tls/keystore/* ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/tls/client.key
- cp ${ORG_HOME}/client${ID_NAME}/tls/signcerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/tls/client.crt
- cp ${ORG_HOME}/client${ID_NAME}/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/tls/ca.crt
+ cp ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/tls/keystore/* ${ORG_CYPTO_FOLDER}/chaincode/${ORG_USER}/tls/client.key
+ cp ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/tls/signcerts/* ${ORG_CYPTO_FOLDER}/chaincode/${ORG_USER}/tls/client.crt
+ cp ${ORG_HOME}/chaincode/${CHAINCODE_NAME}/v${VERSION}/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/chaincode/${ORG_USER}/tls/ca.crt
 fi
 fi
-
-cd ${CURRENT_DIR}
diff --git a/platforms/hyperledger-fabric/scripts/generate-crypto-shared-peer-chaincode.sh b/platforms/hyperledger-fabric/scripts/generate-crypto-shared-peer-chaincode.sh
new file mode 100644
index 00000000000..a43fc42b3f7
--- /dev/null
+++ b/platforms/hyperledger-fabric/scripts/generate-crypto-shared-peer-chaincode.sh
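Review bot: The renewal branch copies into `${ORG_CYPTO_FOLDER}/chaincode/${ORG_USER}` and its `tls/` subdirectory without the `mkdir -p` that the first-enrollment branch in the previous hunk performs; if the CA home under `${ORG_HOME}` survives but the crypto-config volume was recreated, every `cp` here fails and, with no `set -e` visible in the file, the script still returns 0 having written nothing. Adding `mkdir -p ${ORG_CYPTO_FOLDER}/chaincode/${ORG_USER}/tls` before the first `cp -R` of this branch makes the two paths equivalent. Dropping the trailing `cd ${CURRENT_DIR}` also leaves `CURRENT_DIR=${PWD}` near the top of the file with no remaining reader, unless something outside this diff uses it. The `if`/`else` this hunk closes is opened in the previous hunk.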
@@ -0,0 +1,135 @@
+#!/bin/bash
+if [ $# -lt 7 ]; then
+ echo "Usage : . $0 "
+ exit
+fi
+
+set -x
+
+# Input parameters
+# orgname-net
+FULLY_QUALIFIED_ORG_NAME=$1
+# orgname
+ORG_NAME=$2
+TYPE_FOLDER=peers
+# peername-chaincode
+ID_NAME=$3
+# app
+ID_TYPE=$4
+# orgname
+AFFILIATION=$5
+# subject
+SUBJECT=$6
+# peers list in the org
+PEERS=$7
+
+# Local variables
+CURRENT_DIR=${PWD}
+CA="ca.${FULLY_QUALIFIED_ORG_NAME}:7054"
+ORG_CYPTO_FOLDER="/crypto-config/peerOrganizations/${FULLY_QUALIFIED_ORG_NAME}"
+ROOT_TLS_CERT="/crypto-config/peerOrganizations/${FULLY_QUALIFIED_ORG_NAME}/ca/ca.${FULLY_QUALIFIED_ORG_NAME}-cert.pem"
+CAS_FOLDER="${HOME}/ca-tools/cas/ca-${ORG_NAME}"
+ORG_HOME="${HOME}/ca-tools/${ORG_NAME}"
+
+
+## Register and enroll chaincode cert for peer
+
+# Get the user identity
+ORG_USER="${ID_NAME}@${FULLY_QUALIFIED_ORG_NAME}"
+ORG_USERPASS="${ID_NAME}@${FULLY_QUALIFIED_ORG_NAME}-pw"
+ADMIN_USER="Admin@${FULLY_QUALIFIED_ORG_NAME}"
+ADMIN_USERPASS="Admin@${FULLY_QUALIFIED_ORG_NAME}-pw"
+
+# Checking if the user msp folder exists in the CA server
+if [ ! 
-d "${ORG_HOME}/client${ID_NAME}" ]; then # if user certificates do not exist
+
+ ## Register and enroll User for Org
+ fabric-ca-client register -d --id.name ${ORG_USER} --id.secret ${ORG_USERPASS} --id.type ${ID_TYPE} --csr.names "${SUBJECT}" --id.affiliation ${AFFILIATION} --tls.certfiles ${ROOT_TLS_CERT} --home ${CAS_FOLDER}
+
+ # Enroll the registered user to generate enrollment certificate
+ fabric-ca-client enroll -d -u https://${ORG_USER}:${ORG_USERPASS}@${CA} --csr.names "${SUBJECT}" --tls.certfiles ${ROOT_TLS_CERT} --home ${ORG_HOME}/client${ID_NAME}
+
+ for peer in ${PEERS}; do
+ if [ "${peer}-chaincode" != "${ID_NAME}" ]; then
+ mkdir -p ${ORG_HOME}/client${peer}-chaincode/msp/admincerts
+ cp ${ORG_HOME}/client${ID_NAME}/msp/signcerts/* ${ORG_HOME}/client${peer}-chaincode/msp/admincerts/${peer}-chaincode@${FULLY_QUALIFIED_ORG_NAME}-cert.pem
+ else
+ mkdir -p ${ORG_HOME}/client${ID_NAME}/msp/admincerts
+ cp ${ORG_HOME}/client${ID_NAME}/msp/signcerts/* ${ORG_HOME}/client${ID_NAME}/msp/admincerts/${ORG_USER}-cert.pem
+ fi
+ done
+
+
+ for peer in ${PEERS}; do
+ if [ "${peer}-chaincode" != "${ID_NAME}" ]; then
+ mkdir -p ${ORG_CYPTO_FOLDER}/users/${peer}-chaincode@${FULLY_QUALIFIED_ORG_NAME}
+ cp -R ${ORG_HOME}/client${ID_NAME}/msp ${ORG_CYPTO_FOLDER}/users/${peer}-chaincode@${FULLY_QUALIFIED_ORG_NAME}
+ else
+ mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_USER}
+ cp -R ${ORG_HOME}/client${ID_NAME}/msp ${ORG_CYPTO_FOLDER}/users/${ORG_USER}
+ fi
+ done
+
+ # Get TLS cert for user and copy to appropriate location
+ fabric-ca-client enroll -d --enrollment.profile tls -u https://${ORG_USER}:${ORG_USERPASS}@${CA} -M ${ORG_HOME}/client${ID_NAME}/tls --tls.certfiles ${ROOT_TLS_CERT}
+
+ # Copy the TLS key and cert to the appropriate place
+ for peer in ${PEERS}; do
+ if [ "${peer}-chaincode" != "${ID_NAME}" ]; then
+ mkdir -p ${ORG_CYPTO_FOLDER}/users/${peer}-chaincode@${FULLY_QUALIFIED_ORG_NAME}/tls
+ cp ${ORG_HOME}/client${ID_NAME}/tls/keystore/* 
${ORG_CYPTO_FOLDER}/users/${peer}-chaincode@${FULLY_QUALIFIED_ORG_NAME}/tls/client.key
+ cp ${ORG_HOME}/client${ID_NAME}/tls/signcerts/* ${ORG_CYPTO_FOLDER}/users/${peer}-chaincode@${FULLY_QUALIFIED_ORG_NAME}/tls/client.crt
+ cp ${ORG_HOME}/client${ID_NAME}/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/users/${peer}-chaincode@${FULLY_QUALIFIED_ORG_NAME}/tls/ca.crt
+ else
+ mkdir -p ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/tls
+ cp ${ORG_HOME}/client${ID_NAME}/tls/keystore/* ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/tls/client.key
+ cp ${ORG_HOME}/client${ID_NAME}/tls/signcerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/tls/client.crt
+ cp ${ORG_HOME}/client${ID_NAME}/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/tls/ca.crt
+ fi
+ done
+
+else # If User certificate exists
+
+ # Current datetime + 5 minutes | e.g. 20210302182036
+ CUR_DATETIME=$(date -d "$(echo $(date)' + 5 minutes')" +'%Y%m%d%H%M%S')
+
+ # Extracting "notAfter" datetime from the existing user certificate | e.g. 20210302182036
+ CERT_DATETIME=$(date -d "$(echo $(openssl x509 -noout -enddate < ${ORG_HOME}/client${ID_NAME}/msp/signcerts/cert.pem) | sed 's/notAfter=//g')" +'%Y%m%d%H%M%S')
+
+ # In case the certificate is expired or attrs key and value pairs do not match completly, generate a new certificate for the user
+ if [ "${CUR_DATETIME}" -ge "$CERT_DATETIME" ]; then
+
+ # Generate a new enrollment certificate
+ fabric-ca-client enroll -d -u https://${ORG_USER}:${ORG_USERPASS}@${CA} --csr.names "${SUBJECT}" --tls.certfiles ${ROOT_TLS_CERT} --home ${ORG_HOME}/client${ID_NAME}
+
+ for peer in ${PEERS}; do
+ if [ "${peer}-chaincode" != "${ID_NAME}" ]; then
+ mkdir -p ${ORG_HOME}/client${peer}-chaincode/msp/admincerts
+ cp ${ORG_HOME}/client${ID_NAME}/msp/signcerts/* ${ORG_HOME}/client${peer}-chaincode/msp/admincerts/${peer}-chaincode@${FULLY_QUALIFIED_ORG_NAME}-cert.pem
+ cp -R ${ORG_HOME}/client${ID_NAME}/msp ${ORG_CYPTO_FOLDER}/users/${peer}-chaincode@${FULLY_QUALIFIED_ORG_NAME}
+ else
+ cp 
${ORG_HOME}/client${ID_NAME}/msp/signcerts/* ${ORG_HOME}/client${ID_NAME}/msp/admincerts/${ORG_USER}-cert.pem
+ cp -R ${ORG_HOME}/client${ID_NAME}/msp ${ORG_CYPTO_FOLDER}/users/${ORG_USER}
+ fi
+ done
+
+ # Get TLS cert for user and copy to appropriate location
+ fabric-ca-client enroll -d --enrollment.profile tls -u https://${ORG_USER}:${ORG_USERPASS}@${CA} -M ${ORG_HOME}/client${ID_NAME}/tls --tls.certfiles ${ROOT_TLS_CERT}
+
+ # Copy the TLS key and cert to the appropriate place
+ for peer in ${PEERS}; do
+ if [ "${peer}-chaincode" != "${ID_NAME}" ]; then
+ mkdir -p ${ORG_CYPTO_FOLDER}/users/${peer}-chaincode@${FULLY_QUALIFIED_ORG_NAME}/tls
+ cp ${ORG_HOME}/client${ID_NAME}/tls/keystore/* ${ORG_CYPTO_FOLDER}/users/${peer}-chaincode@${FULLY_QUALIFIED_ORG_NAME}/tls/client.key
+ cp ${ORG_HOME}/client${ID_NAME}/tls/signcerts/* ${ORG_CYPTO_FOLDER}/users/${peer}-chaincode@${FULLY_QUALIFIED_ORG_NAME}/tls/client.crt
+ cp ${ORG_HOME}/client${ID_NAME}/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/users/${peer}-chaincode@${FULLY_QUALIFIED_ORG_NAME}/tls/ca.crt
+ else
+ cp ${ORG_HOME}/client${ID_NAME}/tls/keystore/* ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/tls/client.key
+ cp ${ORG_HOME}/client${ID_NAME}/tls/signcerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/tls/client.crt
+ cp ${ORG_HOME}/client${ID_NAME}/tls/tlscacerts/* ${ORG_CYPTO_FOLDER}/users/${ORG_USER}/tls/ca.crt
+ fi
+ done
+ fi
+fi
+
+cd ${CURRENT_DIR}
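Review bot: The usage guard at the top of the new file, `if [ $# -lt 7 ]; then echo "Usage : . $0 "; exit; fi`, exits with status 0 and names no parameters, so a caller passing too few arguments is told nothing and sees success; `echo "Usage: $0 <org-net> <org> <id-name> <id-type> <affiliation> <subject> <peers>" >&2` followed by `exit 1` fixes both. The script also enrolls a single identity and copies its `msp` (keystore included) and TLS private key under every `users/<peer>-chaincode@<org>` directory in `PEERS`, while the directory names suggest per-peer identities; a header comment stating that one private key is deliberately shared across those peers, and that revoking or rotating it affects all of them, belongs at the top. `ADMIN_USER` and `ADMIN_USERPASS` are assigned and never used, and `set -x` prints the `--id.secret` value of the register line into the trace output.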