From 0c4141f2a1f9cf0324c87f6084d3aa1f380bf769 Mon Sep 17 00:00:00 2001 From: Simon Stone Date: Tue, 5 Mar 2019 11:48:43 +0000 Subject: [PATCH] [FAB-14485] Extend BYFN to opt inc cert authorities Add a new "-a" option to byfn.sh that optionally deploys certificate authorities (in Docker containers) for organisation 1 and 2. Change-Id: Ib58c46941aa6e8e58bac01aa3349e97d1f93b930 Signed-off-by: Simon Stone --- first-network/byfn.sh | 76 +++++++++++++--------------- first-network/connection-org1.json | 15 ++++++ first-network/connection-org1.yaml | 10 ++++ first-network/connection-org2.json | 15 ++++++ first-network/connection-org2.yaml | 10 ++++ first-network/docker-compose-ca.yaml | 46 +++++++++++++++++ scripts/Jenkins_Scripts/byfn_eyfn.sh | 56 +++++++++++--------- 7 files changed, 164 insertions(+), 64 deletions(-) create mode 100644 first-network/docker-compose-ca.yaml diff --git a/first-network/byfn.sh b/first-network/byfn.sh index cb893bb4f5..4b914afcd1 100755 --- a/first-network/byfn.sh +++ b/first-network/byfn.sh @@ -35,7 +35,7 @@ export VERBOSE=false # Print the usage message function printHelp() { echo "Usage: " - echo " byfn.sh [-c ] [-t ] [-d ] [-f ] [-s ] [-l ] [-o ] [-i ] [-v]" + echo " byfn.sh [-c ] [-t ] [-d ] [-f ] [-s ] [-l ] [-o ] [-i ] [-a] [-v]" echo " - one of 'up', 'down', 'restart', 'generate' or 'upgrade'" echo " - 'up' - bring up the network with docker-compose up" echo " - 'down' - clear the network with docker-compose down" @@ -50,6 +50,7 @@ function printHelp() { echo " -l - the chaincode language: golang (default) or node" echo " -o - the consensus-type of the ordering service: solo (default), kafka, or etcdraft" echo " -i - the tag to be used to launch the network (defaults to \"latest\")" + echo " -a - launch certificate authorities (no certificate authorities are launched by default)" echo " -v - verbose mode" echo " byfn.sh -h (print this message)" echo 
@@ -156,29 +157,22 @@ function networkUp() { replacePrivateKey generateChannelArtifacts fi + COMPOSE_FILES="-f ${COMPOSE_FILE}" + if [ "${CERTIFICATE_AUTHORITIES}" == "true" ]; then + COMPOSE_FILES="${COMPOSE_FILES} -f ${COMPOSE_FILE_CA}" + export BYFN_CA1_PRIVATE_KEY=$(cd crypto-config/peerOrganizations/org1.example.com/ca && ls *_sk) + export BYFN_CA2_PRIVATE_KEY=$(cd crypto-config/peerOrganizations/org2.example.com/ca && ls *_sk) + fi + if [ "${CONSENSUS_TYPE}" == "kafka" ]; then + COMPOSE_FILES="${COMPOSE_FILES} -f ${COMPOSE_FILE_KAFKA}" + elif [ "${CONSENSUS_TYPE}" == "etcdraft" ]; then + COMPOSE_FILES="${COMPOSE_FILES} -f ${COMPOSE_FILE_RAFT2}" + fi if [ "${IF_COUCHDB}" == "couchdb" ]; then - if [ "$CONSENSUS_TYPE" == "kafka" ]; then - IMAGE_TAG=$IMAGETAG docker-compose -f $COMPOSE_FILE -f $COMPOSE_FILE_KAFKA -f $COMPOSE_FILE_COUCH up -d 2>&1 - docker ps -a - elif [ "$CONSENSUS_TYPE" == "etcdraft" ]; then - IMAGE_TAG=$IMAGETAG docker-compose -f $COMPOSE_FILE -f $COMPOSE_FILE_RAFT2 -f $COMPOSE_FILE_COUCH up -d 2>&1 - docker ps -a - else - IMAGE_TAG=$IMAGETAG docker-compose -f $COMPOSE_FILE -f $COMPOSE_FILE_COUCH up -d 2>&1 - docker ps -a - fi - else - if [ "$CONSENSUS_TYPE" == "kafka" ]; then - IMAGE_TAG=$IMAGETAG docker-compose -f $COMPOSE_FILE -f $COMPOSE_FILE_KAFKA up -d 2>&1 - docker ps -a - elif [ "$CONSENSUS_TYPE" == "etcdraft" ]; then - IMAGE_TAG=$IMAGETAG docker-compose -f $COMPOSE_FILE -f $COMPOSE_FILE_RAFT2 up -d 2>&1 - docker ps -a - else - IMAGE_TAG=$IMAGETAG docker-compose -f $COMPOSE_FILE up -d 2>&1 - docker ps -a - fi + COMPOSE_FILES="${COMPOSE_FILES} -f ${COMPOSE_FILE_COUCH}" fi + IMAGE_TAG=$IMAGETAG docker-compose ${COMPOSE_FILES} up -d 2>&1 + docker ps -a if [ $? -ne 0 ]; then echo "ERROR !!!! Unable to start network" exit 1 
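Review bot: The key lookup `export BYFN_CA1_PRIVATE_KEY=$(cd crypto-config/peerOrganizations/org1.example.com/ca && ls *_sk)` silently yields an empty value when the directory is missing (generate not run yet) or the glob matches nothing, and a multi-match `ls` would yield several names; the failure only surfaces later as an unusable `--ca.keyfile` path inside the CA container, and the same two lines are repeated in the upgradeNetwork hunk below. A guard right after the two exports makes it explicit, e.g. `[ -n "$BYFN_CA1_PRIVATE_KEY" ] && [ -n "$BYFN_CA2_PRIVATE_KEY" ] || { echo "ERROR !!!! CA private key not found under crypto-config"; exit 1; }`. Separately, `if [ $? -ne 0 ]` after `docker ps -a` tests the status of `docker ps`, not of the `docker-compose ${COMPOSE_FILES} up -d` line above it, so a failed compose start is not caught here; that predates this change, but the newly consolidated block is the natural place to capture the compose status before listing containers. networkUp continues outside the hunk.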
@@ -197,7 +191,7 @@ function networkUp() { fi # now run the end to end script - docker exec cli scripts/script.sh $CHANNEL_NAME $CLI_DELAY $LANGUAGE $CLI_TIMEOUT $VERBOSE + docker exec cli scripts/script.sh $CHANNEL_NAME $CLI_DELAY $LANGUAGE $CLI_TIMEOUT $VERBOSE $NO_CHAINCODE if [ $? -ne 0 ]; then echo "ERROR !!!! Test failed" exit 1 @@ -221,22 +215,19 @@ function upgradeNetwork() { mkdir -p $LEDGERS_BACKUP export IMAGE_TAG=$IMAGETAG + COMPOSE_FILES="-f ${COMPOSE_FILE}" + if [ "${CERTIFICATE_AUTHORITIES}" == "true" ]; then + COMPOSE_FILES="${COMPOSE_FILES} -f ${COMPOSE_FILE_CA}" + export BYFN_CA1_PRIVATE_KEY=$(cd crypto-config/peerOrganizations/org1.example.com/ca && ls *_sk) + export BYFN_CA2_PRIVATE_KEY=$(cd crypto-config/peerOrganizations/org2.example.com/ca && ls *_sk) + fi + if [ "${CONSENSUS_TYPE}" == "kafka" ]; then + COMPOSE_FILES="${COMPOSE_FILES} -f ${COMPOSE_FILE_KAFKA}" + elif [ "${CONSENSUS_TYPE}" == "etcdraft" ]; then + COMPOSE_FILES="${COMPOSE_FILES} -f ${COMPOSE_FILE_RAFT2}" + fi if [ "${IF_COUCHDB}" == "couchdb" ]; then - if [ "$CONSENSUS_TYPE" == "kafka" ]; then - COMPOSE_FILES="-f $COMPOSE_FILE -f $COMPOSE_FILE_KAFKA -f $COMPOSE_FILE_COUCH" - elif [ "$CONSENSUS_TYPE" == "etcdraft" ]; then - COMPOSE_FILES="-f $COMPOSE_FILE -f $COMPOSE_FILE_RAFT2 -f $COMPOSE_FILE_COUCH" - else - COMPOSE_FILES="-f $COMPOSE_FILE -f $COMPOSE_FILE_COUCH" - fi - else - if [ "$CONSENSUS_TYPE" == "kafka" ]; then - COMPOSE_FILES="-f $COMPOSE_FILE -f $COMPOSE_FILE_KAFKA" - elif [ "$CONSENSUS_TYPE" == "etcdraft" ]; then - COMPOSE_FILES="-f $COMPOSE_FILE -f $COMPOSE_FILE_RAFT2" - else - COMPOSE_FILES="-f $COMPOSE_FILE" - fi + COMPOSE_FILES="${COMPOSE_FILES} -f ${COMPOSE_FILE_COUCH}" fi # removing the cli container 
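Review bot: `$NO_CHAINCODE` is appended to the `docker exec cli scripts/script.sh` argument list, but nothing in this patch sets or documents it (no getopts case, no default next to `COMPOSE_FILE_CA`), and the commit message does not mention it. If it is defined elsewhere in byfn.sh the option should at least appear in printHelp; if it is not, the expansion is always empty and the argument should be dropped rather than left as an undocumented positional parameter that scripts/script.sh must tolerate. Because it is the last unquoted argument, an empty value expands to nothing, so current behaviour is unchanged either way. networkUp starts and ends outside the hunk.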
@@ -283,7 +274,7 @@ function upgradeNetwork() { function networkDown() { # stop org3 containers also in addition to org1 and org2, in case we were running sample to add org3 # stop kafka and zookeeper containers in case we're running with kafka consensus-type - docker-compose -f $COMPOSE_FILE -f $COMPOSE_FILE_COUCH -f $COMPOSE_FILE_KAFKA -f $COMPOSE_FILE_RAFT2 -f $COMPOSE_FILE_ORG3 down --volumes --remove-orphans + docker-compose -f $COMPOSE_FILE -f $COMPOSE_FILE_COUCH -f $COMPOSE_FILE_KAFKA -f $COMPOSE_FILE_RAFT2 -f $COMPOSE_FILE_CA -f $COMPOSE_FILE_ORG3 down --volumes --remove-orphans # Don't remove the generated artifacts -- note, the ledgers are always removed if [ "$MODE" != "restart" ]; then @@ -508,6 +499,8 @@ COMPOSE_FILE_ORG3=docker-compose-org3.yaml COMPOSE_FILE_KAFKA=docker-compose-kafka.yaml # two additional etcd/raft orderers COMPOSE_FILE_RAFT2=docker-compose-etcdraft2.yaml +# certificate authorities compose file +COMPOSE_FILE_CA=docker-compose-ca.yaml # # use golang as the default language for chaincode LANGUAGE=golang @@ -537,7 +530,7 @@ else exit 1 fi -while getopts "h?c:t:d:f:s:l:i:o:v" opt; do +while getopts "h?c:t:d:f:s:l:i:o:av" opt; do case "$opt" in h | \?) printHelp @@ -567,6 +560,9 @@ while getopts "h?c:t:d:f:s:l:i:o:v" opt; do o) CONSENSUS_TYPE=$OPTARG ;; + a) + CERTIFICATE_AUTHORITIES=true + ;; v) VERBOSE=true ;; diff --git a/first-network/connection-org1.json b/first-network/connection-org1.json index 68190f94ac..d9f460eb9d 100644 --- a/first-network/connection-org1.json +++ b/first-network/connection-org1.json @@ -17,6 +17,9 @@ "peers": [ "peer0.org1.example.com", "peer1.org1.example.com" + ], + "certificateAuthorities": [ + "ca.org1.example.com" ] } }, 
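Review bot: The new `a)` case sets `CERTIFICATE_AUTHORITIES=true`, but no default for the variable is added alongside `COMPOSE_FILE_CA=docker-compose-ca.yaml`, unlike the other switches in this file (`export VERBOSE=false` is visible in the first hunk's context). As written, whether the CA containers are started depends on whatever `CERTIFICATE_AUTHORITIES` the caller's environment happens to carry, and the `[ "${CERTIFICATE_AUTHORITIES}" == "true" ]` tests in networkUp and upgradeNetwork would break if the script ever ran under `set -u`. Initialise it next to the compose-file variable: `# launch the certificate authorities only when -a is given` / `CERTIFICATE_AUTHORITIES=false`.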
@@ -39,5 +42,17 @@ "ssl-target-name-override": "peer1.org1.example.com" } } + }, + "certificateAuthorities": { + "ca.org1.example.com": { + "url": "https://localhost:7054", + "caName": "ca-org1", + "tlsCACerts": { + "path": "crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem" + }, + "httpOptions": { + "verify": false + } + } } } diff --git a/first-network/connection-org1.yaml b/first-network/connection-org1.yaml index c58f9d8333..daa9ad6422 100644 --- a/first-network/connection-org1.yaml +++ b/first-network/connection-org1.yaml @@ -13,6 +13,8 @@ organizations: peers: - peer0.org1.example.com - peer1.org1.example.com + certificateAuthorities: + - ca.org1.example.com peers: peer0.org1.example.com: url: grpcs://localhost:7051 @@ -26,3 +28,11 @@ peers: path: crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem grpcOptions: ssl-target-name-override: peer1.org1.example.com +certificateAuthorities: + ca.org1.example.com: + url: https://localhost:7054 + caName: ca-org1 + tlsCACerts: + path: crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem + httpOptions: + verify: false diff --git a/first-network/connection-org2.json b/first-network/connection-org2.json index 35def918a4..49f9106d6c 100644 --- a/first-network/connection-org2.json +++ b/first-network/connection-org2.json @@ -17,6 +17,9 @@ "peers": [ "peer0.org2.example.com", "peer1.org2.example.com" + ], + "certificateAuthorities": [ + "ca.org2.example.com" ] } }, @@ -39,5 +42,17 @@ "ssl-target-name-override": "peer1.org2.example.com" } } + }, + "certificateAuthorities": { + "ca.org2.example.com": { + "url": "https://localhost:8054", + "caName": "ca-org2", + "tlsCACerts": { + "path": "crypto-config/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem" + }, + "httpOptions": { + "verify": false + } + } } } 
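Review bot: `"httpOptions": { "verify": false }` in the new `certificateAuthorities` entry appears to disable TLS certificate verification of the CA endpoint on the client side, which makes the `tlsCACerts.path` beside it ineffective and, if a non-loopback URL is ever substituted, leaves enrollment traffic unauthenticated; the same entry is added in connection-org1.yaml, connection-org2.json and connection-org2.yaml. The likely cause is a trust-anchor mismatch rather than a need to skip checks: docker-compose-ca.yaml serves the CA's TLS with `ca.org1.example.com-cert.pem` from the org's `ca/` directory, while this profile trusts `tlsca/tlsca.org1.example.com-cert.pem`, and with cryptogen output these look like separate self-signed roots. Pointing `tlsCACerts.path` at `crypto-config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem` (and the org2 equivalent) should allow `"verify": true`; if verification must stay off for the sample, the YAML variants can at least carry a comment saying why.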
diff --git a/first-network/connection-org2.yaml b/first-network/connection-org2.yaml index 076f37dfb1..b21c879fd8 100644 --- a/first-network/connection-org2.yaml +++ b/first-network/connection-org2.yaml @@ -13,6 +13,8 @@ organizations: peers: - peer0.org2.example.com - peer1.org2.example.com + certificateAuthorities: + - ca.org2.example.com peers: peer0.org2.example.com: url: grpcs://localhost:9051 @@ -26,3 +28,11 @@ peers: path: crypto-config/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem grpcOptions: ssl-target-name-override: peer1.org2.example.com +certificateAuthorities: + ca.org2.example.com: + url: https://localhost:8054 + caName: ca-org2 + tlsCACerts: + path: crypto-config/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem + httpOptions: + verify: false diff --git a/first-network/docker-compose-ca.yaml b/first-network/docker-compose-ca.yaml new file mode 100644 index 0000000000..7f019606e1 --- /dev/null +++ b/first-network/docker-compose-ca.yaml 
@@ -0,0 +1,46 @@
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+version: '2'
+
+networks:
+ byfn:
+
+services:
+ ca0:
+ image: hyperledger/fabric-ca:$IMAGE_TAG
+ environment:
+ - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
+ - FABRIC_CA_SERVER_CA_NAME=ca-org1
+ - FABRIC_CA_SERVER_TLS_ENABLED=true
+ - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
+ - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/${BYFN_CA1_PRIVATE_KEY}
+ - FABRIC_CA_SERVER_PORT=7054
+ ports:
+ - "7054:7054"
+ command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/${BYFN_CA1_PRIVATE_KEY} -b admin:adminpw -d'
+ volumes:
+ - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
+ container_name: ca_peerOrg1
+ networks:
+ - byfn
+
+ ca1:
+ image: hyperledger/fabric-ca:$IMAGE_TAG
+ environment:
+ - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
+ - FABRIC_CA_SERVER_CA_NAME=ca-org2
+ - FABRIC_CA_SERVER_TLS_ENABLED=true
+ - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org2.example.com-cert.pem
+ - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/${BYFN_CA2_PRIVATE_KEY}
+ - FABRIC_CA_SERVER_PORT=8054
+ ports:
+ - "8054:8054"
+ command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org2.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/${BYFN_CA2_PRIVATE_KEY} -b admin:adminpw -d'
+ volumes:
+ - ./crypto-config/peerOrganizations/org2.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
+ container_name: ca_peerOrg2
+ networks:
+ - byfn
\ No newline at end of file
diff --git a/scripts/Jenkins_Scripts/byfn_eyfn.sh b/scripts/Jenkins_Scripts/byfn_eyfn.sh
index d70e197da1..4b5c4ed8a1 100755
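Review bot: Both services hardcode the bootstrap identity as `-b admin:adminpw` in `command:` and publish the CA on every host interface via `"7054:7054"` / `"8054:8054"`, so with `-a` a registrar whose password is a published default is reachable from beyond the host; in a sample that is the documented convention, but nothing in the file marks it as such. Binding the published ports to loopback, `"127.0.0.1:7054:7054"` and `"127.0.0.1:8054:8054"`, still matches the `https://localhost:7054` / `https://localhost:8054` URLs in the connection profiles, and a header comment such as `# Sample bootstrap identity (admin:adminpw); change it and the bound interface before using these CAs outside a local dev network` would make the intent explicit. Note also that `${BYFN_CA1_PRIVATE_KEY}` / `${BYFN_CA2_PRIVATE_KEY}` are interpolated with no fallback, so if byfn.sh exports an empty name both `FABRIC_CA_SERVER_TLS_KEYFILE` and `--ca.keyfile` collapse to the config directory and the server fails to start; the file is also missing its trailing newline.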
--- a/scripts/Jenkins_Scripts/byfn_eyfn.sh
+++ b/scripts/Jenkins_Scripts/byfn_eyfn.sh
@@ -69,29 +69,37 @@ if [ $1 != 0 ]; then fi } - echo "############## BYFN,EYFN DEFAULT CHANNEL TEST ###################" - echo "#################################################################" - echo y | ./byfn.sh -m down - echo y | ./byfn.sh -m up -t 60 - copy_logs $? default-channel - echo y | ./eyfn.sh -m up -t 60 - copy_logs $? default-channel - echo y | ./eyfn.sh -m down - echo +echo "############## BYFN,EYFN DEFAULT CHANNEL TEST ###################" +echo "#################################################################" +echo y | ./byfn.sh -m down +echo y | ./byfn.sh -m up -t 60 +copy_logs $? default-channel +echo y | ./eyfn.sh -m up -t 60 +copy_logs $? default-channel +echo y | ./eyfn.sh -m down +echo + +echo "############### BYFN,EYFN CUSTOM CHANNEL WITH COUCHDB TEST ##############" +echo "#########################################################################" +echo y | ./byfn.sh -m up -c custom-channel-couchdb -s couchdb -t 75 -d 15 +copy_logs $? custom-channel-couch couchdb +echo y | ./eyfn.sh -m up -c custom-channel-couchdb -s couchdb -t 75 -d 15 +copy_logs $? custom-channel-couch +echo y | ./eyfn.sh -m down +echo - echo "############### BYFN,EYFN CUSTOM CHANNEL WITH COUCHDB TEST ##############" - echo "#########################################################################" - echo y | ./byfn.sh -m up -c custom-channel-couchdb -s couchdb -t 75 -d 15 - copy_logs $? custom-channel-couch couchdb - echo y | ./eyfn.sh -m up -c custom-channel-couchdb -s couchdb -t 75 -d 15 - copy_logs $? custom-channel-couch - echo y | ./eyfn.sh -m down - echo +echo "############### BYFN,EYFN WITH NODE Chaincode. TEST ################" +echo "####################################################################" +echo y | ./byfn.sh -m up -l node -t 60 +copy_logs $? default-channel-node +echo y | ./eyfn.sh -m up -l node -t 60 +copy_logs $? default-channel-node +echo y | ./eyfn.sh -m down +echo - echo "############### BYFN,EYFN WITH NODE Chaincode. 
TEST ################" - echo "####################################################################" - echo y | ./byfn.sh -m up -l node -t 60 - copy_logs $? default-channel-node - echo y | ./eyfn.sh -m up -l node -t 60 - copy_logs $? default-channel-node - echo y | ./eyfn.sh -m down +echo "############### BYFN WITH CA TEST ################" +echo "##################################################" +echo y | ./byfn.sh -m up -a +copy_logs $? default-channel-ca +echo y | ./byfn.sh -m down -a +echo \ No newline at end of file
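Review bot: The new CA test only checks the exit status of `./byfn.sh -m up -a` through `copy_logs $? default-channel-ca`, and in byfn.sh that status is derived from `docker ps -a` and from scripts/script.sh rather than from `docker-compose up`, so the job would pass even when `ca_peerOrg1` / `ca_peerOrg2` fail to start (for example after an empty CA private-key lookup). A direct check after the up would close that gap, e.g. `docker inspect -f '{{.State.Running}}' ca_peerOrg1 ca_peerOrg2 | grep -q false && copy_logs 1 default-channel-ca`. Most of the rest of the hunk only re-indents the existing test blocks to column 0, which buries the real addition; a separate whitespace-only change would keep the CA test reviewable. `./byfn.sh -m down -a` is harmless since networkDown always includes the CA compose file regardless of `-a`.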