New changes
The following pull requests have been merged:
- FabricIdentity: Manage the registering and enrolling of users automatically (including renewal)
- FabricNetworkConfig: Manage the network configuration based on the Bevel Fabric Operator and external configuration
- Enrollment for peers/orderers/identities now accepts a secret reference to get the TLS Cert of the FabricCA
- FabricCA supports initialization from custom certificate authority referenced from secret
- Minor bug fixes
FabricIdentity
You can now manage the registering and enrolling of users automatically. This includes renewal of the user certificates.
This is an example of how to create a FabricIdentity:
# This identity will register and enroll the user for org1
kubectl hlf identity create --name org1-admin --namespace default \
    --ca-name org1-ca --ca-namespace default \
    --ca ca --mspid Org1MSP --enroll-id explorer-admin --enroll-secret explorer-adminpw \
    --ca-enroll-id=enroll --ca-enroll-secret=enrollpw --ca-type=admin
FabricNetworkConfig
You can now manage the network configuration based on the Bevel Fabric Operator and external configuration.
This CRD will react to changes in the Identities and FabricCASecrets and update the network configuration accordingly.
This is an example of how to create a FabricNetworkConfig:
kubectl hlf networkconfig create --name=org1-cp \
    -o Org1MSP -o OrdererMSP -c demo \
    --identities=org1-admin.default --secret=org1-cp
Enrollment for peers/orderers/identities
You can now use a secret reference to get the TLS Cert of the FabricCA, instead of having to specify the certificate in the CRD.
apiVersion: hlf.kungfusoftware.es/v1alpha1
kind: FabricPeer
metadata:
  # <your metadata>
spec:
  ...
  secret:
    enrollment:
      component:
        cahost: org1-ca.default
        caname: ca
        caport: 7054
        catls:
          cacert: ''
          secretRef:
            key: tls.crt
            name: org1-ca--tls-cryptomaterial
            namespace: default
        enrollid: peer
        enrollsecret: peerpw
        external: null
      tls:
        cahost: org1-ca.default
        caname: tlsca
        caport: 7054
        catls:
          cacert: ''
          secretRef:
            key: tls.crt
            name: org1-ca--tls-cryptomaterial
            namespace: default
        csr:
          cn: peer01
          hosts:
            - 127.0.0.1
            - localhost
            - peer01.org1.default
        enrollid: peer
        enrollsecret: peerpw
        external: null
  ...
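
A manifest check for the secret-reference option shown above, as an added example that is not part of the operator's own code: for the component and tls enrollment blocks it reports whether the Fabric CA TLS certificate comes from secretRef or is still embedded in the CRD. The function name, status strings and sample manifest are assumptions constructed for illustration; how the operator treats a block with both cacert and secretRef set is not stated on this page, so the check only flags it.

```python
# Added example: audits where each enrollment block gets the Fabric CA TLS cert.
REQUIRED_REF_FIELDS = ("key", "name", "namespace")

def audit_catls(manifest):
    """Return {block: status} for spec.secret.enrollment.{component,tls}.catls."""
    enrollment = manifest.get("spec", {}).get("secret", {}).get("enrollment", {})
    report = {}
    for block in ("component", "tls"):
        catls = (enrollment.get(block) or {}).get("catls") or {}
        inline = (catls.get("cacert") or "").strip()
        ref = catls.get("secretRef") or {}
        missing = [f for f in REQUIRED_REF_FIELDS if not ref.get(f)]
        if inline and ref:
            report[block] = "ambiguous: inline cacert and secretRef both set"
        elif inline:
            report[block] = "inline: certificate embedded in the CRD"
        elif not ref:
            report[block] = "missing: no CA TLS certificate source"
        elif missing:
            report[block] = "incomplete secretRef: missing " + ", ".join(missing)
        else:
            report[block] = "secretRef: {namespace}/{name}[{key}]".format(**ref)
    return report

# Constructed sample shaped like `kubectl get fabricpeer <name> -o json`:
# component uses the secret reference, tls still carries an inline placeholder.
SAMPLE_PEER = {
    "kind": "FabricPeer",
    "spec": {"secret": {"enrollment": {
        "component": {
            "cahost": "org1-ca.default",
            "catls": {"cacert": "", "secretRef": {
                "key": "tls.crt",
                "name": "org1-ca--tls-cryptomaterial",
                "namespace": "default"}},
        },
        "tls": {
            "cahost": "org1-ca.default",
            "catls": {"cacert": "PLACEHOLDER_INLINE_CERT"},
        },
    }}},
}

if __name__ == "__main__":
    for block, status in audit_catls(SAMPLE_PEER).items():
        print(f"{block}: {status}")
```
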
FabricCA supports initialization from custom certificate authority
You can now initialize the FabricCA from a custom certificate authority referenced from a secret.
This includes support for both CAs, the signing CA and the TLS CA.
You can check the following example:
apiVersion: hlf.kungfusoftware.es/v1alpha1
kind: FabricCA
metadata:
  name: org1-ca
  namespace: default
spec:
  ca:
    ca:
      cert: ''
      chain: ''
      key: ''
      secret:
        name: org1-ca--tls-cryptomaterial
  tlsCA:
    ...
    ca:
      cert: ''
      chain: ''
      key: ''
      secret:
        name: <your secret containing the certfile, chainfile, keyfile>