Skip to content

Instantly share code, notes, and snippets.

@AurelienGasser

AurelienGasser/rendered-peer-1.yaml

Created May 5, 2020 20:25
Show Gist options
  • Save AurelienGasser/d1388665590f7fd91bee2bde5a680028 to your computer and use it in GitHub Desktop.
Save AurelienGasser/d1388665590f7fd91bee2bde5a680028 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
rendered-peer-1.yaml
---
# Source: hlf-k8s/charts/ca/templates/secret--ca.yaml
apiVersion: v1
kind: Secret
metadata:
name: network-org-1-peer-1-ca--ca
labels:
app: ca
heritage: "Tiller"
release: "network-org-1-peer-1"
chart: ca-1.2.0
type: Opaque
data:
CA_ADMIN: "Y2FBZG1pbg=="
CA_PASSWORD: "Y2FQYXNzd29yZA=="
---
# Source: hlf-k8s/charts/ca/templates/configmap--ca.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: network-org-1-peer-1-ca--ca
labels:
app: ca
heritage: "Tiller"
release: "network-org-1-peer-1"
chart: ca-1.2.0
data:
GODEBUG: "netdns=go"
FABRIC_CA_HOME: /var/hyperledger/fabric-ca
FABRIC_CA_SERVER_CA_NAME: "rcaOrg1"
SERVICE_DNS: 0.0.0.0 # Point to itself
---
# Source: hlf-k8s/charts/ca/templates/configmap--config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: network-org-1-peer-1-ca--config
labels:
app: ca
heritage: "Tiller"
release: "network-org-1-peer-1"
chart: ca-1.2.0
data:
ca.yaml: |
#############################################################################
# This is a configuration file for the fabric-ca-server command.
#############################################################################
# Version of config file
version: 1.4.2
# Server's listening port
port: 7054
# Enables debug logging
debug: true
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
#############################################################################
# TLS section
#############################################################################
tls:
# Enable TLS (handled by the Ingress)
enabled: false
# TLS for the server's listening port
certfile: /var/hyperledger/tls/secret/tls.crt
keyfile: /var/hyperledger/tls/secret/tls.key
clientauth:
# Supported types: NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven and RequireAndVerifyClientCert.
type: noclientcert
# List of root certificate authorities used when verifying client certificates
certfiles:
#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts) and transaction
# certificates (TCerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
# Name of this CA
name:
# Key file (is only used to import a private key into BCCSP)
keyfile:
# Certificate file (default: ca-cert.pem)
certfile: /var/hyperledger/fabric-ca/msp/certs/network-org-1-peer-1-ca-cert.pem
# Chain file
chainfile:
#############################################################################
# The gencrl REST endpoint is used to generate a CRL that contains revoked
# certificates. This section contains configuration options that are used
# during gencrl request processing.
#############################################################################
crl:
# Specifies expiration for the generated CRL. The number of hours
# specified by this property is added to the UTC time, the resulting time
# is used to set the 'Next Update' date of the CRL.
expiry: 24h
#############################################################################
# The registry section controls how the fabric-ca-server does two things:
# 1) authenticates enrollment requests which contain a username and password
# (also known as an enrollment ID and secret).
# 2) once authenticated, retrieves the identity's attribute names and
# values which the fabric-ca-server optionally puts into TCerts
# which it issues for transacting on the Hyperledger Fabric blockchain.
# These attributes are useful for making access control decisions in
# chaincode.
# There are two main configuration options:
# 1) The fabric-ca-server is the registry.
# This is true if "ldap.enabled" in the ldap section below is false.
# 2) An LDAP server is the registry, in which case the fabric-ca-server
# calls the LDAP server to perform these tasks.
# This is true if "ldap.enabled" in the ldap section below is true,
# which means this "registry" section is ignored.
#############################################################################
registry:
# Maximum number of times a password/secret can be reused for enrollment
# (default: -1, which means there is no limit)
maxenrollments: -1
# Contains identity information which is used when LDAP is disabled
identities:
- name: <<<ADMIN>>>
pass: <<<ADMINPW>>>
type: client
affiliation: ""
attrs:
hf.Registrar.Roles: "peer,orderer,client,user"
hf.Registrar.DelegateRoles: "peer,orderer,client,user"
hf.Revoker: true
hf.IntermediateCA: true
hf.GenCRL: true
hf.Registrar.Attributes: "*"
hf.AffiliationMgr: true
#############################################################################
# Database section
# Supported types are: "sqlite3", "postgres", and "mysql".
# The datasource value depends on the type.
# If the type is "sqlite3", the datasource value is a file name to use
# as the database store. Since "sqlite3" is an embedded database, it
# may not be used if you want to run the fabric-ca-server in a cluster.
# To run the fabric-ca-server in a cluster, you must choose "postgres"
# or "mysql".
#############################################################################
db:
type: <<<DB_TYPE>>>
datasource: <<<DB_DATASOURCE>>>
tls:
enabled: false
certfiles:
client:
certfile:
keyfile:
#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) authenticate enrollment ID and secret (i.e. username and password)
# for enrollment requests;
# 2) To retrieve identity attributes
#############################################################################
ldap:
# Enables or disables the LDAP client (default: false)
# If this is set to true, the "registry" section is ignored.
enabled: false
# The URL of the LDAP server
url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
# TLS configuration for the client connection to the LDAP server
tls:
certfiles:
client:
certfile:
keyfile:
# Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
attribute:
# 'names' is an array of strings containing the LDAP attribute names which are
# requested from the LDAP server for an LDAP identity's entry
names: ['uid','member']
# The 'converters' section is used to convert an LDAP entry to the value of
# a fabric CA attribute.
# For example, the following converts an LDAP 'uid' attribute
# whose value begins with 'revoker' to a fabric CA attribute
# named "hf.Revoker" with a value of "true" (because the boolean expression
# evaluates to true).
# converters:
# - name: hf.Revoker
# value: attr("uid") =~ "revoker*"
converters:
- name:
value:
# The 'maps' section contains named maps which may be referenced by the 'map'
# function in the 'converters' section to map LDAP responses to arbitrary values.
# For example, assume a user has an LDAP attribute named 'member' which has multiple
# values which are each a distinguished name (i.e. a DN). For simplicity, assume the
# values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
# Further assume the following configuration.
# converters:
# - name: hf.Registrar.Roles
# value: map(attr("member"),"groups")
# maps:
# groups:
# - name: dn1
# value: peer
# - name: dn2
# value: client
# The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
# "peer,client,dn3". This is because the value of 'attr("member")' is
# "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
# "group" replaces "dn1" with "peer" and "dn2" with "client".
maps:
groups:
- name:
value:
#############################################################################
# Affiliations section, specified as hierarchical maps.
# Note: Affiliations are case sensitive except for the non-leaf affiliations.
#############################################################################
affiliations:
substra:
- paris
- nantes
#############################################################################
# Signing section
#
# The "default" subsection is used to sign enrollment certificates;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
# The "ca" profile subsection is used to sign intermediate CA certificates;
# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
# Note that "isca" is true, meaning that it issues a CA certificate.
# A maxpathlen of 0 means that the intermediate CA cannot issue other
# intermediate CA certificates, though it can still issue end entity certificates.
# (See RFC 5280, section 4.2.1.9)
#
# The "tls" profile subsection is used to sign TLS certificate requests;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
default:
usage:
- digital signature
expiry: 8760h
profiles:
ca:
usage:
- cert sign
- crl sign
expiry: 43800h
caconstraint:
isca: true
maxpathlen: 0
tls:
usage:
- signing
- key encipherment
- server auth
- client auth
- key agreement
expiry: 8760h
###########################################################################
# Certificate Signing Request (CSR) section.
# This controls the creation of the root CA certificate.
# The expiration for the root CA certificate is configured with the
# "ca.expiry" field below, whose default value is "131400h" which is
# 15 years in hours.
# The pathlength field is used to limit CA certificate hierarchy as described
# in section 4.2.1.9 of RFC 5280.
# Examples:
# 1) No pathlength value means no limit is requested.
# 2) pathlength == 1 means a limit of 1 is requested which is the default for
# a root CA. This means the root CA can issue intermediate CA certificates,
# but these intermediate CAs may not in turn issue other CA certificates
# though they can still issue end entity certificates.
# 3) pathlength == 0 means a limit of 0 is requested;
# this is the default for an intermediate CA, which means it can not issue
# CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
cn: "rcaOrg1"
names:
- C: "FR"
ST: "Loire-Atlantique"
L: "Nantes"
O: "Substra"
OU: "Fabric"
hosts:
- localhost
# K8S Service
- network-org-1-peer-1-ca.org-1.svc.cluster.local
ca:
expiry: 131400h
pathlength: 1
#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
default: SW
sw:
hash: SHA2
security: 256
filekeystore:
# The directory used for the software file-based keystore
keystore: msp/keystore
#############################################################################
# Multi CA section (unused in a K8S deployment)
#############################################################################
cacount:
cafiles:
#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
# 1) A single server process may contain or function as one or more CAs.
# This is configured by the "Multi CA section" above.
# 2) Each CA is either a root CA or an intermediate CA.
# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
# url - The URL of the parent server
# caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
# profile - Name of the signing profile to use in issuing the certificate
# label - Label to use in HSM operations
#
# tls section for secure socket connection
# certfiles - PEM-encoded list of trusted root certificate files
# client:
# certfile - PEM-encoded certificate file for when client authentication
# is enabled on server
# keyfile - PEM-encoded key file for when client authentication
# is enabled on server
#############################################################################
intermediate:
parentserver:
url:
caname:
enrollment:
hosts:
profile:
label:
tls:
certfiles:
client:
certfile:
keyfile:
#############################################################################
# Extra configuration options
# .e.g to enable adding and removing affiliations or identities
#############################################################################
cfg:
affiliations:
allowremove: true
identities:
allowremove: true
---
# Source: hlf-k8s/charts/ca/templates/configmap--db.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: network-org-1-peer-1-ca--db
labels:
app: ca
heritage: "Tiller"
release: "network-org-1-peer-1"
chart: ca-1.2.0
data:
DB_SSL: "disable"
---
# Source: hlf-k8s/charts/peer/templates/configmap--peer.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: network-org-1-peer-1--peer
labels:
app: peer
heritage: "Tiller"
release: "network-org-1-peer-1"
chart: peer-1.3.0
data:
CORE_PEER_ADDRESSAUTODETECT: "true"
CORE_PEER_ID: network-org-1-peer-1
CORE_PEER_NETWORKID: nid1
# If we have an ingress, we set hostname to it
# Otherwise we use CORE_PEER_ADDRESSAUTODETECT to auto-detect its address
CORE_PEER_LISTENADDRESS: 0.0.0.0:7051
CORE_PEER_EVENTS_ADDRESS: 0.0.0.0:7053
CORE_PEER_COMMITTER_ENABLED: "true"
CORE_PEER_PROFILE_ENABLED: "true"
CORE_PEER_DISCOVERY_PERIOD: 60s
CORE_PEER_DISCOVERY_TOUCHPERIOD: 60s
CORE_PEER_LOCALMSPID: "MyOrg1MSP"
CORE_PEER_MSPCONFIGPATH: /var/hyperledger/msp
###########
# Logging #
###########
CORE_LOGGING_LEVEL: "info"
CORE_LOGGING_PEER: "info"
CORE_LOGGING_CAUTHDSL: "warning"
CORE_LOGGING_GOSSIP: "info"
CORE_LOGGING_LEDGER: "info"
CORE_LOGGING_MSP: "warning"
CORE_LOGGING_POLICIES: "warning"
CORE_LOGGING_GRPC: "error"
##########
# Gossip #
##########
CORE_PEER_GOSSIP_BOOTSTRAP: "127.0.0.1:7051"
CORE_PEER_GOSSIP_ENDPOINT: ""
CORE_PEER_GOSSIP_EXTERNALENDPOINT: "network-org-1-peer-1.org-1:7051"
CORE_PEER_GOSSIP_ORGLEADER: "false"
CORE_PEER_GOSSIP_USELEADERELECTION: "true"
##########
# TLS #
##########
CORE_PEER_TLS_ENABLED: "true"
CORE_PEER_TLS_CERT_FILE: "/var/hyperledger/tls/server/pair/tls.crt"
CORE_PEER_TLS_KEY_FILE: "/var/hyperledger/tls/server/pair/tls.key"
CORE_PEER_TLS_ROOTCERT_FILE: "/var/hyperledger/tls/server/cert/cacert.pem"
CORE_PEER_TLS_CLIENTAUTHREQUIRED: "true"
# This is fixed prior to starting the peer
CORE_PEER_TLS_CLIENTROOTCAS_FILES: "/var/hyperledger/tls/client/cert/*"
CORE_PEER_TLS_CLIENTCERT_FILE: "/var/hyperledger/tls/client/pair/tls.crt"
CORE_PEER_TLS_CLIENTKEY_FILE: "/var/hyperledger/tls/client/pair/tls.key"
CORE_VM_ENDPOINT: unix:///host/var/run/docker.sock
CORE_LEDGER_STATE_STATEDATABASE: "goleveldb"
# Containers in the same pod share the host
PEER_CFG_PATH: /var/hyperledger/config
FABRIC_CFG_PATH: /var/hyperledger/fabric_cfg
GODEBUG: "netdns=go"
ADMIN_MSP_PATH: /var/hyperledger/admin_msp
ORD_TLS_PATH: /var/hyperledger/tls/ord/cert
---
# Source: hlf-k8s/templates/configmap-application-organization.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: network-org-1-peer-1-hlf-k8s-application-organizations
data:
application-organizations: |
MyOrg1 network-org-1-peer-1-hlf-k8s-config-operator.org-1/config/configOrgWithAnchors.json
---
# Source: hlf-k8s/templates/configmap-application-proposal-organization.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: network-org-1-peer-1-hlf-k8s-application-proposal-organizations
data:
application-proposal-organizations: |
---
# Source: hlf-k8s/templates/configmap-enrollment.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: network-org-1-peer-1-hlf-k8s-enrollment
data:
enrollments: |
admin adminpwd --id.attrs hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert
user pwd --id.type peer
---
# Source: hlf-k8s/templates/configmap-fabric.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ConfigMap
metadata:
name: network-org-1-peer-1-hlf-k8s-fabric
data:
discoverConfig.yaml: |
version: 0
tlsconfig:
certpath: /var/hyperledger/tls/client/pair/tls.crt
keypath: /var/hyperledger/tls/client/pair/tls.key
peercacertpath: /var/hyperledger/tls/server/cert/cacert.pem
timeout: 0s
signerconfig:
mspid: MyOrg1MSP
identitypath: /var/hyperledger/msp/signcerts/cert.pem
keypath: /var/hyperledger/msp/keystore/key.pem
configtx.yaml: |
Application:
Organizations: null
Organizations:
- &id001
AnchorPeers:
- Host: network-org-1-peer-1.org-1
Port: 7051
ID: MyOrg1MSP
MSPDir: /var/hyperledger/admin_msp
Name: MyOrg1
Profiles:
OrgsChannel:
Application:
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "ANY Admins"
Organizations:
- *id001
Consortium: SampleConsortium
core.yaml: |
peer:
BCCSP:
Default: SW
PKCS11:
FileKeyStore:
KeyStore: null
Hash: null
Label: null
Library: null
Pin: null
Security: null
SW:
FileKeyStore:
KeyStore: null
Hash: SHA2
Security: 256
address: network-org-1-peer-1.org-1:7051
addressAutoDetect: false
adminService: null
authentication:
timewindow: 15m
client:
connTimeout: 3s
deliveryclient:
connTimeout: 3s
reConnectBackoffThreshold: 3600s
reconnectTotalTimeThreshold: 3600s
discovery:
authCacheEnabled: true
authCacheMaxSize: 1000
authCachePurgeRetentionRatio: 0.75
enabled: true
orgMembersAllowedAccess: false
fileSystemPath: /var/hyperledger/production
gomaxprocs: -1
gossip:
aliveExpirationTimeout: 25s
aliveTimeInterval: 5s
bootstrap: 127.0.0.1:7051
connTimeout: 2s
dialTimeout: 3s
digestWaitTime: 1s
election:
leaderAliveThreshold: 10s
leaderElectionDuration: 5s
membershipSampleInterval: 1s
startupGracePeriod: 15s
endpoint: null
externalEndpoint: network-org-1-peer-1.org-1:7051
maxBlockCountToStore: 100
maxPropagationBurstLatency: 10ms
maxPropagationBurstSize: 10
membershipTrackerInterval: 5s
orgLeader: 'false'
propagateIterations: 1
propagatePeerNum: 3
publishCertPeriod: 10s
publishStateInfoInterval: 4s
pullInterval: 4s
pullPeerNum: 3
pvtData:
btlPullMargin: 10
pullRetryThreshold: 60s
pushAckTimeout: 3s
reconcileBatchSize: 10
reconcileSleepInterval: 1m
reconciliationEnabled: true
transientstoreMaxBlockRetention: 1000
reconnectInterval: 25s
recvBuffSize: 20
requestStateInfoInterval: 4s
requestWaitTime: 1500ms
responseWaitTime: 2s
sendBuffSize: 200
skipBlockVerification: false
skipHandshake: 'true'
stateInfoRetentionInterval: null
useLeaderElection: 'true'
handlers:
authFilters:
- name: DefaultAuth
- name: ExpirationCheck
decorators:
- name: DefaultDecorator
endorsers:
escc:
library: null
name: DefaultEndorsement
validators:
vscc:
library: null
name: DefaultValidation
id: MyOrg1
keepalive:
client:
interval: 60s
timeout: 20s
deliveryClient:
interval: 60s
timeout: 20s
minInterval: 60s
listenAddress: 0.0.0.0:7051
localMspId: MyOrg1MSP
localMspType: bccsp
mspConfigPath: /var/hyperledger/admin_msp
networkId: dev
profile:
enabled: false
listenAddress: 0.0.0.0:6060
tls:
enabled: 'true'
cert:
file: /var/hyperledger/tls/server/pair/tls.crt
key:
file: /var/hyperledger/tls/server/pair/tls.key
clientAuthRequired: 'true'
clientCert:
file: /var/hyperledger/tls/client/pair/tls.crt
clientKey:
file: /var/hyperledger/tls/client/pair/tls.key
clientRootCAs:
- /var/hyperledger/admin_msp/cacerts/cacert.pem
rootcert:
file: /var/hyperledger/admin_msp/cacerts/cacert.pem
validatorPoolSize: null
---
# Source: hlf-k8s/charts/nginx-ingress/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: nginx-ingress
chart: nginx-ingress-1.29.7
heritage: Tiller
release: network-org-1-peer-1
name: network-org-1-peer-1-nginx-ingress
---
# Source: hlf-k8s/charts/nginx-ingress/templates/default-backend-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: nginx-ingress
chart: nginx-ingress-1.29.7
heritage: Tiller
release: network-org-1-peer-1
name: network-org-1-peer-1-nginx-ingress-backend
---
# Source: hlf-k8s/templates/rbac.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: network-org-1-peer-1-hlf-k8s
labels:
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/instance: network-org-1-peer-1
helm.sh/chart: hlf-k8s-1.1.1
app.kubernetes.io/name: hlf-k8s
app.kubernetes.io/part-of: hlf-k8s
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: network-org-1-peer-1-hlf-k8s
labels:
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/instance: network-org-1-peer-1
helm.sh/chart: hlf-k8s-1.1.1
app.kubernetes.io/name: hlf-k8s
app.kubernetes.io/part-of: hlf-k8s
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs:
- get
- watch
- list
- create
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: network-org-1-peer-1-hlf-k8s
labels:
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/instance: network-org-1-peer-1
helm.sh/chart: hlf-k8s-1.1.1
app.kubernetes.io/name: hlf-k8s
app.kubernetes.io/part-of: hlf-k8s
subjects:
- kind: ServiceAccount
name: network-org-1-peer-1-hlf-k8s
namespace: org-1
roleRef:
kind: Role
name: network-org-1-peer-1-hlf-k8s
apiGroup: rbac.authorization.k8s.io
---
# Source: hlf-k8s/charts/nginx-ingress/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: nginx-ingress
chart: nginx-ingress-1.29.7
heritage: Tiller
release: network-org-1-peer-1
name: network-org-1-peer-1-nginx-ingress
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- update
- watch
- apiGroups:
- extensions
- "networking.k8s.io" # k8s 1.14+
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- extensions
- "networking.k8s.io" # k8s 1.14+
resources:
- ingresses/status
verbs:
- update
---
# Source: hlf-k8s/charts/nginx-ingress/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: nginx-ingress
chart: nginx-ingress-1.29.7
heritage: Tiller
release: network-org-1-peer-1
name: network-org-1-peer-1-nginx-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: network-org-1-peer-1-nginx-ingress
subjects:
- kind: ServiceAccount
name: network-org-1-peer-1-nginx-ingress
namespace: org-1
---
# Source: hlf-k8s/charts/nginx-ingress/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: nginx-ingress
chart: nginx-ingress-1.29.7
heritage: Tiller
release: network-org-1-peer-1
name: network-org-1-peer-1-nginx-ingress
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- update
- watch
- apiGroups:
- extensions
- "networking.k8s.io" # k8s 1.14+
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- "networking.k8s.io" # k8s 1.14+
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- ingress-controller-leader-nginx
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- create
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
# Source: hlf-k8s/charts/nginx-ingress/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: nginx-ingress
chart: nginx-ingress-1.29.7
heritage: Tiller
release: network-org-1-peer-1
name: network-org-1-peer-1-nginx-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: network-org-1-peer-1-nginx-ingress
subjects:
- kind: ServiceAccount
name: network-org-1-peer-1-nginx-ingress
namespace: org-1
---
# Source: hlf-k8s/charts/ca/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: network-org-1-peer-1-ca
labels:
app: ca
heritage: "Tiller"
release: "network-org-1-peer-1"
chart: ca-1.2.0
spec:
type: "ClusterIP"
ports:
- port: 7054
targetPort: 7054
protocol: TCP
name: http
selector:
app: ca
release: network-org-1-peer-1
---
# Source: hlf-k8s/charts/nginx-ingress/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: nginx-ingress
chart: nginx-ingress-1.29.7
component: "controller"
heritage: Tiller
release: network-org-1-peer-1
name: network-org-1-peer-1-nginx-ingress-controller
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
- name: https
port: 443
protocol: TCP
targetPort: https
selector:
app: nginx-ingress
component: "controller"
release: network-org-1-peer-1
type: "LoadBalancer"
---
# Source: hlf-k8s/charts/nginx-ingress/templates/default-backend-service.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app: nginx-ingress
chart: nginx-ingress-1.29.7
component: "default-backend"
heritage: Tiller
release: network-org-1-peer-1
name: network-org-1-peer-1-nginx-ingress-default-backend
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
selector:
app: nginx-ingress
component: "default-backend"
release: network-org-1-peer-1
type: "ClusterIP"
---
# Source: hlf-k8s/charts/peer/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: network-org-1-peer-1
labels:
app: peer
heritage: "Tiller"
release: "network-org-1-peer-1"
chart: peer-1.3.0
spec:
type: ClusterIP
ports:
- port: 7051
targetPort: 7051
protocol: TCP
name: request
- port: 7053
targetPort: 7053
protocol: TCP
name: event
selector:
app: peer
release: network-org-1-peer-1
---
# Source: hlf-k8s/charts/ca/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: network-org-1-peer-1-ca
labels:
app: ca
heritage: "Tiller"
release: "network-org-1-peer-1"
chart: ca-1.2.0
spec:
replicas: 1
selector:
matchLabels:
app: ca
release: network-org-1-peer-1
# Ensure we allow our pod to be unavailable, so we can upgrade
strategy:
rollingUpdate:
maxUnavailable: 1
template:
metadata:
labels:
app: ca
heritage: "Tiller"
release: "network-org-1-peer-1"
chart: ca-1.2.0
spec:
volumes:
- name: data
emptyDir: {}
- name: ca-config
configMap:
name: network-org-1-peer-1-ca--config
initContainers:
- name: wait-for-db
image: jwilder/dockerize
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: network-org-1-peer-1-ca--db
command:
- sh
- -c
- |
if [ -n "$DB_TYPE" ]; then
dockerize -wait tcp://$DB_HOST:$DB_PORT -timeout 30s && echo "Database $DB_TYPE on $DB_HOST:$DB_PORT is ready"
fi
containers:
- name: ca
image: "hyperledger/fabric-ca:1.4.2"
imagePullPolicy: IfNotPresent
command:
- sh
- -c
- |
if [ -n "$DB_TYPE" ]; then
while [ -z ${DB_PASSWORD+x} ];
do
echo "\033[0;31mDB_PASSWORD environmental variable must contain a value \033[0m"
sleep 60
done
case "$DB_TYPE" in
postgres)
export DB_DATASOURCE="host=${DB_HOST} port=${DB_PORT} user=${DB_USERNAME} password=${DB_PASSWORD} dbname=${DB_DATABASE} sslmode=${DB_SSL}";;
mysql)
export DB_DATASOURCE="${DB_USERNAME}:${DB_PASSWORD}@tcp(${DB_HOST}:${DB_PORT})/${DB_DATABASE}?parseTime=true" ;;
*)
echo "\033[0;31m Database type '$DB_TYPE' not supported\033[0m"; exit 1;;
esac
fi
mkdir -p $FABRIC_CA_HOME
cp /var/hyperledger/ca_config/ca.yaml $FABRIC_CA_HOME/fabric-ca-server-config.yaml
sed -i "s|<<<ADMIN>>>|${CA_ADMIN}|g" ${FABRIC_CA_HOME}/fabric-ca-server-config.yaml
sed -i "s|<<<ADMINPW>>>|${CA_PASSWORD}|g" $FABRIC_CA_HOME/fabric-ca-server-config.yaml
sed -i "s|<<<DB_TYPE>>>|${DB_TYPE:-"sqlite3"}|g" $FABRIC_CA_HOME/fabric-ca-server-config.yaml
sed -i "s|<<<DB_DATASOURCE>>>|${DB_DATASOURCE:-"fabric-ca-server.db"}|g" $FABRIC_CA_HOME/fabric-ca-server-config.yaml
echo ">\033[0;35m fabric-ca-server start \033[0m"
fabric-ca-server start
envFrom:
- secretRef:
name: network-org-1-peer-1-ca--ca
- configMapRef:
name: network-org-1-peer-1-ca--db
- configMapRef:
name: network-org-1-peer-1-ca--ca
env:
ports:
- name: ca-port
containerPort: 7054
protocol: TCP
livenessProbe:
httpGet:
path: /cainfo
port: 7054
readinessProbe:
httpGet:
path: /cainfo
port: 7054
volumeMounts:
- name: data
mountPath: /var/hyperledger
- name: ca-config
readOnly: true
mountPath: /var/hyperledger/ca_config
resources:
{}
---
# Source: hlf-k8s/charts/nginx-ingress/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx-ingress
chart: nginx-ingress-1.29.7
component: "controller"
heritage: Tiller
release: network-org-1-peer-1
name: network-org-1-peer-1-nginx-ingress-controller
annotations:
{}
spec:
selector:
matchLabels:
app: nginx-ingress
release: network-org-1-peer-1
replicas: 1
revisionHistoryLimit: 10
strategy:
{}
minReadySeconds: 0
template:
metadata:
labels:
app: nginx-ingress
component: "controller"
release: network-org-1-peer-1
spec:
dnsPolicy: ClusterFirst
containers:
- name: nginx-ingress-controller
image: "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.28.0"
imagePullPolicy: "IfNotPresent"
args:
- /nginx-ingress-controller
- --default-backend-service=org-1/network-org-1-peer-1-nginx-ingress-default-backend
- --election-id=ingress-controller-leader
- --ingress-class=nginx
- --configmap=org-1/network-org-1-peer-1-nginx-ingress-controller
- --watch-namespace=org-1
- --enable-ssl-passthrough
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: 101
allowPrivilegeEscalation: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
livenessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
ports:
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
readinessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
resources:
{}
hostNetwork: false
serviceAccountName: network-org-1-peer-1-nginx-ingress
terminationGracePeriodSeconds: 60
---
# Source: hlf-k8s/charts/nginx-ingress/templates/default-backend-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx-ingress
chart: nginx-ingress-1.29.7
component: "default-backend"
heritage: Tiller
release: network-org-1-peer-1
name: network-org-1-peer-1-nginx-ingress-default-backend
spec:
selector:
matchLabels:
app: nginx-ingress
release: network-org-1-peer-1
replicas: 1
revisionHistoryLimit: 10
template:
metadata:
labels:
app: nginx-ingress
component: "default-backend"
release: network-org-1-peer-1
spec:
containers:
- name: nginx-ingress-default-backend
image: "k8s.gcr.io/defaultbackend-amd64:1.5"
imagePullPolicy: "IfNotPresent"
args:
securityContext:
runAsUser: 65534
livenessProbe:
httpGet:
path: /healthz
port: 8080
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /healthz
port: 8080
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
ports:
- name: http
containerPort: 8080
protocol: TCP
resources:
{}
serviceAccountName: network-org-1-peer-1-nginx-ingress-backend
terminationGracePeriodSeconds: 60
---
# Source: hlf-k8s/charts/peer/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: network-org-1-peer-1
labels:
app: peer
heritage: "Tiller"
release: "network-org-1-peer-1"
chart: peer-1.3.0
spec:
replicas: 1
selector:
matchLabels:
app: peer
release: network-org-1-peer-1
# Ensure we allow our pod to be unavailable, so we can upgrade
strategy:
rollingUpdate:
maxUnavailable: 1
template:
metadata:
labels:
app: peer
heritage: "Tiller"
release: "network-org-1-peer-1"
chart: peer-1.3.0
spec:
volumes:
- name: data
emptyDir: {}
- name: dockersocket
hostPath:
path: /var/run/docker.sock
- name: id-cert
secret:
secretName: hlf-msp-cert-user
- name: id-key
secret:
secretName: hlf-msp-key-user
- name: cacert
secret:
secretName: hlf-cacert
- name: tls
secret:
secretName: hlf-tls-admin
- name: tls-rootcert
secret:
secretName: hlf-cacert
- name: tls-client
secret:
secretName: hlf-tls-user
- name: tls-clientrootcert
secret:
secretName: hlf-cacert
- name: admin-cert
secret:
secretName: hlf-msp-cert-admin
- name: admin-key
secret:
secretName: hlf-msp-key-admin
- name: ord-tls-rootcert
secret:
secretName: ord-tls-rootcert
containers:
- name: peer
image: "hyperledger/fabric-peer:1.4.2"
imagePullPolicy: IfNotPresent
ports:
- name: request
containerPort: 7051
protocol: TCP
- name: event
containerPort: 7053
protocol: TCP
livenessProbe:
exec:
command:
- ls
- /var/hyperledger
initialDelaySeconds: 5
periodSeconds: 5
# TODO: Improve readiness probe (ideally `ps aux | awk '$11=="orderer"'`)
readinessProbe:
exec:
command:
- ls
- /var/hyperledger
initialDelaySeconds: 15
command:
- bash
- -c
- |
# To avoid having separate secrets for CouchDB and HLF
export CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=$COUCHDB_USER
export CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=$COUCHDB_PASSWORD
while [ ! -d /var/hyperledger/admin_msp/admincerts ] || [ -z "$(ls -A /var/hyperledger/admin_msp/admincerts)" ];
do
echo "\033[0;31m /var/hyperledger/admin_msp/admincerts must contain Peer admin certificates files \033[0m"
sleep 60
done
while [ ! -d ${CORE_PEER_MSPCONFIGPATH}/signcerts ];
do
echo "\033[0;31m ${CORE_PEER_MSPCONFIGPATH}/signcerts directory must exist \033[0m"
sleep 60
done
if [ ! -d ${FABRIC_CFG_PATH} ]
then
mkdir -p ${FABRIC_CFG_PATH}
cp -r /etc/hyperledger/fabric/core.yaml ${FABRIC_CFG_PATH}
ls ${FABRIC_CFG_PATH}
fi
if [ $CORE_PEER_TLS_CLIENTAUTHREQUIRED ]
then
export CORE_PEER_TLS_CLIENTROOTCAS_FILES=$(ls -d $CORE_PEER_TLS_CLIENTROOTCAS_FILES)
fi
echo ">\033[0;35m peer node start \033[0m"
peer node start
envFrom:
- configMapRef:
name: network-org-1-peer-1--peer
volumeMounts:
- mountPath: /var/hyperledger
name: data
- mountPath: /host/var/run/docker.sock
name: dockersocket
- mountPath: /var/hyperledger/msp/signcerts
name: id-cert
- mountPath: /var/hyperledger/msp/keystore
name: id-key
- mountPath: /var/hyperledger/msp/cacerts
name: cacert
- mountPath: /var/hyperledger/admin_msp/cacerts
name: cacert
- mountPath: /var/hyperledger/tls/server/pair
name: tls
- mountPath: /var/hyperledger/tls/server/cert
name: tls-rootcert
- mountPath: /var/hyperledger/tls/client/pair
name: tls-client
- mountPath: /var/hyperledger/tls/client/cert
name: tls-clientrootcert
- mountPath: /var/hyperledger/tls/ord/cert
name: ord-tls-rootcert
- mountPath: /var/hyperledger/admin_msp/admincerts
name: admin-cert
- mountPath: /var/hyperledger/admin_msp/signcerts
name: admin-cert
- mountPath: /var/hyperledger/msp/admincerts
name: admin-cert
- mountPath: /var/hyperledger/admin_msp/keystore
name: admin-key
resources:
{}
---
# Source: hlf-k8s/templates/deployment-application-channel-operator.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: network-org-1-peer-1-hlf-k8s-application-channel-operator
labels:
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/instance: network-org-1-peer-1
helm.sh/chart: hlf-k8s-1.1.1
app.kubernetes.io/name: hlf-k8s
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: hlf-k8s-application-channel-operator
app.kubernetes.io/instance: network-org-1-peer-1
template:
metadata:
labels:
app.kubernetes.io/name: hlf-k8s-application-channel-operator
app.kubernetes.io/instance: network-org-1-peer-1
spec:
serviceAccountName: network-org-1-peer-1-hlf-k8s
containers:
- name: fabric-tools
image: substrafoundation/hlf-k8s:0.0.11-66-gc89731f-dirty
command: ['sh', '-c']
args:
- |
## Update CA certs
update-ca-certificates
## Check connection with the Orderer
printf "[DEBUG] Testing the connection with the Orderer (network-orderer.orderer:7050)\n"
until $(nc -z network-orderer.orderer 7050); do
printf "[DEBUG] Orderer (network-orderer.orderer:7050) is not reacheable, retry in 5s\n"
sleep 5
done
## Add orgs to the application channel
while true; do
## Create and join application channel
until grep -e "existing.*mychannel" -e "FORBIDDEN" channel.created > /dev/null; do
printf "[DEBUG] Create and join the application channel (mychannel)\n"
## Create channel
configtxgen -profile OrgsChannel --outputCreateChannelTx channel.tx -channelID mychannel -asOrg MyOrg1
peer channel create -f channel.tx --outputBlock channel.block -c mychannel -o network-orderer.orderer:7050 --tls --clientauth --cafile /var/hyperledger/tls/ord/cert/cacert.pem --keyfile /var/hyperledger/tls/client/pair/tls.key --certfile /var/hyperledger/tls/client/pair/tls.crt 2> channel.created
## Create and add anchor
configtxgen -profile OrgsChannel --outputAnchorPeersUpdate anchor.tx -channelID mychannel -asOrg MyOrg1
peer channel update -f anchor.tx -c mychannel -o network-orderer.orderer:7050 --tls --clientauth --cafile /var/hyperledger/tls/ord/cert/cacert.pem --keyfile /var/hyperledger/tls/client/pair/tls.key --certfile /var/hyperledger/tls/client/pair/tls.crt
sleep 1
done
## Join Application Channel
until grep "mychannel" channel.list > /dev/null; do
printf "[DEBUG] Fetching application channel block\n"
peer channel fetch oldest channeljoin.block -c mychannel -o network-orderer.orderer:7050 --tls --clientauth --cafile /var/hyperledger/tls/ord/cert/cacert.pem --keyfile /var/hyperledger/tls/client/pair/tls.key --certfile /var/hyperledger/tls/client/pair/tls.crt
printf "[DEBUG] Joining channel\n"
peer channel join -b channeljoin.block
## Fetch channel list
peer channel list -o network-orderer.orderer:7050 --tls --clientauth --cafile /var/hyperledger/tls/ord/cert/cacert.pem --keyfile /var/hyperledger/tls/client/pair/tls.key --certfile /var/hyperledger/tls/client/pair/tls.crt > channel.list
sleep 1
done
## Add organizations to application channel
while IFS=" " read -r org configUrl ; do
## Delete stale channel configuration files
rm -rf \
channel.block \
channel-cfg.block \
channel-cfg.json
## Fetch up-to-date channel configuration block
until [ -f "channel.block" ] && [ -s "channel.block" ]; do
printf "[DEBUG] Fetching the channel (mychannel) configuration block\n"
peer channel fetch config channel.block -c mychannel -o network-orderer.orderer:7050 --tls --clientauth --cafile /var/hyperledger/tls/ord/cert/cacert.pem --keyfile /var/hyperledger/tls/client/pair/tls.key --certfile /var/hyperledger/tls/client/pair/tls.crt > /tmp/out.txt 2>&1 || cat /tmp/out.txt
sleep 3
done
## Check if update has been already sent
printf "[DEBUG] Check if $org is in the application channel \n"
configtxlator proto_decode --input channel.block --type common.Block | jq .data.data[0].payload.data.config > channel-$org-hasjoined.json
if grep "$org" channel-$org-hasjoined.json > /dev/null; then
printf "[DEBUG] $org is already in the application channel\n"
rm -f /data/proposal-$org.pb
sleep 5
continue
else
printf "[DEBUG] $org is not in the application channel\n"
## Remove all configuration files because of edge cases (network issue, proposal issue).
## We prefer to delete all and retry all steps to avoid side effect.
rm -f *-$org.*
fi
## Extract application channel configuration
until [ -f "channel-cfg.block" ] && [ -s "channel-cfg.block" ]; do
configtxlator proto_decode --input channel.block --type common.Block | jq .data.data[0].payload.data.config > channel-cfg.json
configtxlator proto_encode --input channel-cfg.json --type common.Config --output channel-cfg.block
sleep 2
done
## Fetch organization configuration
if ! ([ -f "configOrg-$org.json" ] && [ -s "configOrg-$org.json" ]); then
printf "[DEBUG] Fetch the organization ($org) configuration from $configUrl\n"
curl --fail -L --output ./configOrg-$org.json $configUrl || continue # continue to next org if curl fails
fi
## Fetch update proposal from external orgs if exists
while IFS=" " read -r orgProposal proposalServerUrl ; do
# Don't need to network-fetch proposals made by ourselves
if [ "$orgProposal" = "MyOrg1" ]; then continue; fi
printf "[DEBUG] Fetch the update proposal built by organization ($orgProposal) for organization ($org) from $proposalServerUrl/proposal-$org.pb \n"
curl --fail -L --output ./external-$orgProposal-proposal-$org.pb $proposalServerUrl/proposal-$org.pb
## Compare external proposal file with local one, keep the largest (more signatures) between them as the only difference will be the number of signatures
if [ -s "external-$orgProposal-proposal-$org.pb" ]
then
if [ -s "proposal-$org.pb" ] ; then
if [ $(stat -c %s "external-$orgProposal-proposal-$org.pb") -gt $(stat -c %s "proposal-$org.pb") ] ; then
printf "[DEBUG] Use the $org update proposal from $orgProposal as there are more signatures in it !\n"
cp external-$orgProposal-proposal-$org.pb proposal-$org.pb
fi
else
printf "[DEBUG] Use the $org update proposal from $orgProposal \n"
cp external-$orgProposal-proposal-$org.pb proposal-$org.pb
fi
fi
done < /proposal/application-proposal-organizations
## Create proposal if not fetched
until [ -f "proposal-$org.pb" ]; do
printf "[DEBUG] Create application channel update for $org \n"
## Add the Organization in the Applciation group
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups":{"'$org'":.[1]}}}}}' channel-cfg.json configOrg-$org.json > new-channel-cfg-$org.json
configtxlator proto_encode --input new-channel-cfg-$org.json --type common.Config --output channelupdate-$org.block
## Compute update between channel old configuration and the updated one
configtxlator compute_update --channel_id mychannel --original channel-cfg.block --updated channelupdate-$org.block | configtxlator proto_decode --type common.ConfigUpdate | jq . > compute_update-$org.json
## Create the update proposal
echo '{"payload":{"header":{"channel_header":{"channel_id": "mychannel", "type":2}},"data":{"config_update":'$(cat compute_update-$org.json)'}}}' | jq . > proposal-$org.json
configtxlator proto_encode --input proposal-$org.json --type common.Envelope --output proposal-$org.pb
sleep 2
done
## Validate proposal application version
PROPOSAL_APP_VERSION=$(cat channel-cfg.json | jq '.channel_group.groups.Application.version')
CHANNEL_APP_VERSION=$(configtxlator proto_decode --input proposal-$org.pb --type common.Envelope | jq '.payload.data.config_update.read_set.groups.Application.version')
printf "[DEBUG] Proposal application version: $CHANNEL_APP_VERSION. Channel application version: $PROPOSAL_APP_VERSION\n"
if [ $CHANNEL_APP_VERSION != $PROPOSAL_APP_VERSION ] ; then
# Proposal update should have a readset application version matching config application version.
# That suggests the proposal update is not up to date with the latest ledger state.
printf "[DEBUG] Application version mismatch. Delete proposal for '$org'.\n"
rm -f /data/proposal-$org.pb proposal-$org.pb
continue
fi
## Sign update proposal
peer channel signconfigtx -f proposal-$org.pb -o network-orderer.orderer:7050 --tls --clientauth --cafile /var/hyperledger/tls/ord/cert/cacert.pem --keyfile /var/hyperledger/tls/client/pair/tls.key --certfile /var/hyperledger/tls/client/pair/tls.crt
## Update proposal in /data
cp proposal-$org.pb /data/proposal-$org.pb
chmod +r /data/proposal-$org.pb
## Submit proposal
NUM_SIGNATURES=$(configtxlator proto_decode --input proposal-$org.pb --type common.Envelope | jq '.payload.data.signatures | map(.signature_header.creator.mspid) | unique | length')
NUM_APPLICATION_ORGS=$(wc -l /proposal/application-proposal-organizations | cut -c 1)
printf "[DEBUG] Submit channel update for '$org' with $NUM_SIGNATURES signatures (out of $NUM_APPLICATION_ORGS organizations)\n"
peer channel update -f proposal-$org.pb -c mychannel -o network-orderer.orderer:7050 --tls --clientauth --cafile /var/hyperledger/tls/ord/cert/cacert.pem --keyfile /var/hyperledger/tls/client/pair/tls.key --certfile /var/hyperledger/tls/client/pair/tls.crt
sleep 5
done < /config/application-organizations
## Instantiate chaincode
until grep "mycc" chaincode.list | grep "1.0" > /dev/null; do
printf "[DEBUG] Instantiate chaincode mycc 1.0 on channel mychannel with policy : OR('MyOrg1MSP.member')\n"
peer chaincode instantiate -C mychannel -n mycc -v 1.0 -c '{"Args":["init"]}' -P "OR('MyOrg1MSP.member')" -o network-orderer.orderer:7050 --tls --clientauth --cafile /var/hyperledger/tls/ord/cert/cacert.pem --keyfile /var/hyperledger/tls/client/pair/tls.key --certfile /var/hyperledger/tls/client/pair/tls.crt
sleep 5
peer chaincode -C mychannel list --instantiated > chaincode.list
done
sleep 10
done
resources:
null
env:
- name: CORE_PEER_MSPCONFIGPATH
value: /var/hyperledger/admin_msp
- name: GODEBUG
value: "netdns=go+1"
volumeMounts:
- mountPath: /etc/hyperledger/fabric
name: fabric-config
readOnly: true
- mountPath: /config
name: application-organizations
readOnly: true
- mountPath: /proposal
name: application-proposal-organizations
readOnly: true
- mountPath: /var/hyperledger/msp/signcerts
name: id-cert
- mountPath: /var/hyperledger/msp/keystore
name: id-key
- mountPath: /var/hyperledger/msp/cacerts
name: cacert
- mountPath: /var/hyperledger/msp/tlscacerts
name: cacert
- mountPath: /var/hyperledger/msp/admincerts
name: admin-cert
- mountPath: /var/hyperledger/tls/server/pair
name: tls
- mountPath: /var/hyperledger/tls/server/cert
name: tls-rootcert
- mountPath: /var/hyperledger/tls/client/pair
name: tls-client
- mountPath: /var/hyperledger/tls/client/cert
name: tls-clientrootcert
- mountPath: /var/hyperledger/tls/ord/cert
name: ord-tls-rootcert
- mountPath: /var/hyperledger/admin_msp/signcerts
name: admin-cert
- mountPath: /var/hyperledger/admin_msp/keystore
name: admin-key
- mountPath: /var/hyperledger/admin_msp/cacerts
name: cacert
- mountPath: /var/hyperledger/admin_msp/tlscacerts
name: cacert
- mountPath: /var/hyperledger/admin_msp/admincerts
name: admin-cert
- mountPath: /data
name: data
- name: nginx
image: nginx:1.17.6
ports:
- containerPort: 80
volumeMounts:
- mountPath: /usr/share/nginx/html/proposal
name: data
volumes:
- name: application-organizations
configMap:
name: network-org-1-peer-1-hlf-k8s-application-organizations
- name: application-proposal-organizations
configMap:
name: network-org-1-peer-1-hlf-k8s-application-proposal-organizations
- name: fabric-config
configMap:
name: network-org-1-peer-1-hlf-k8s-fabric
- name: id-cert
secret:
secretName: hlf-msp-cert-user
- name: id-key
secret:
secretName: hlf-msp-key-user
- name: cacert
secret:
secretName: hlf-cacert
- name: tls
secret:
secretName: hlf-tls-admin
- name: tls-rootcert
secret:
secretName: hlf-cacert
- name: tls-client
secret:
secretName: hlf-tls-user
- name: tls-clientrootcert
secret:
secretName: hlf-cacert
- name: admin-cert
secret:
secretName: hlf-msp-cert-admin
- name: admin-key
secret:
secretName: hlf-msp-key-admin
- name: ord-tls-rootcert
secret:
secretName: ord-tls-rootcert
- name: data
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: network-org-1-peer-1-hlf-k8s-application-channel-operator
labels:
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/instance: network-org-1-peer-1
helm.sh/chart: hlf-k8s-1.1.1
app.kubernetes.io/name: hlf-k8s
spec:
type: ClusterIP
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
selector:
app.kubernetes.io/name: hlf-k8s-application-channel-operator
app.kubernetes.io/instance: network-org-1-peer-1
---
---
# Source: hlf-k8s/templates/deployment-chaincode-operator.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: network-org-1-peer-1-hlf-k8s-chaincode-operator-0
labels:
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/instance: network-org-1-peer-1
helm.sh/chart: hlf-k8s-1.1.1
app.kubernetes.io/name: hlf-k8s-chaincode-operator-0
app.kubernetes.io/part-of: network-org-1-peer-1
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: hlf-k8s-chaincode-operator
app.kubernetes.io/instance: network-org-1-peer-1
template:
metadata:
labels:
app.kubernetes.io/name: hlf-k8s-chaincode-operator
app.kubernetes.io/instance: network-org-1-peer-1
spec:
serviceAccountName: network-org-1-peer-1-hlf-k8s
containers:
- name: fabric-tools
image: substrafoundation/hlf-k8s:0.0.11-66-gc89731f-dirty
command: ['bash', '-c']
args:
- |
## Update CA certs
update-ca-certificates
## Install chaincode on peer
while true; do
until grep mycc chaincode.list | grep 1.0 > /dev/null; do
printf "[DEBUG] Installing chaincode mycc 1.0 from https://github.com/SubstraFoundation/substra-chaincode/archive/master.tar.gz ...\n"
## Clean potential remaining artifacts
rm -rf substra-chaincode
mkdir substra-chaincode
rm -rf /opt/gopath/src/github.com/hyperledger
mkdir -p /opt/gopath/src/github.com/hyperledger
rm -rf /opt/gopath/src/chaincode
## Fetch chaincode src
curl -L https://github.com/SubstraFoundation/substra-chaincode/archive/master.tar.gz -o chaincode.tar.gz
tar -C substra-chaincode -xzf chaincode.tar.gz --strip-components=1
mv substra-chaincode/chaincode /opt/gopath/src/chaincode
## Install chaincode
peer chaincode install -n mycc -v 1.0 -p chaincode
peer chaincode list --installed > chaincode.list
sleep 10
done
sleep 10
done
resources:
null
env:
- name: CORE_PEER_MSPCONFIGPATH
value: /var/hyperledger/admin_msp
- name: GODEBUG
value: "netdns=go+1"
volumeMounts:
- mountPath: /etc/hyperledger/fabric
name: fabric-config
readOnly: true
- mountPath: /var/hyperledger/msp/signcerts
name: id-cert
- mountPath: /var/hyperledger/msp/keystore
name: id-key
- mountPath: /var/hyperledger/msp/cacerts
name: cacert
- mountPath: /var/hyperledger/msp/tlscacerts
name: cacert
- mountPath: /var/hyperledger/msp/admincerts
name: admin-cert
- mountPath: /var/hyperledger/tls/server/pair
name: tls
- mountPath: /var/hyperledger/tls/server/cert
name: tls-rootcert
- mountPath: /var/hyperledger/tls/client/pair
name: tls-client
- mountPath: /var/hyperledger/tls/client/cert
name: tls-clientrootcert
- mountPath: /var/hyperledger/tls/ord/cert
name: ord-tls-rootcert
- mountPath: /var/hyperledger/admin_msp/signcerts
name: admin-cert
- mountPath: /var/hyperledger/admin_msp/keystore
name: admin-key
- mountPath: /var/hyperledger/admin_msp/cacerts
name: cacert
- mountPath: /var/hyperledger/admin_msp/tlscacerts
name: cacert
- mountPath: /var/hyperledger/admin_msp/admincerts
name: admin-cert
- mountPath: /data
name: data
volumes:
- name: fabric-config
configMap:
name: network-org-1-peer-1-hlf-k8s-fabric
- name: id-cert
secret:
secretName: hlf-msp-cert-user
- name: id-key
secret:
secretName: hlf-msp-key-user
- name: cacert
secret:
secretName: hlf-cacert
- name: tls
secret:
secretName: hlf-tls-admin
- name: tls-rootcert
secret:
secretName: hlf-cacert
- name: tls-client
secret:
secretName: hlf-tls-user
- name: tls-clientrootcert
secret:
secretName: hlf-cacert
- name: admin-cert
secret:
secretName: hlf-msp-cert-admin
- name: admin-key
secret:
secretName: hlf-msp-key-admin
- name: ord-tls-rootcert
secret:
secretName: ord-tls-rootcert
- name: data
emptyDir: {}
---
# Source: hlf-k8s/templates/deployment-config-operator.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: network-org-1-peer-1-hlf-k8s-config-operator
labels:
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/instance: network-org-1-peer-1
helm.sh/chart: hlf-k8s-1.1.1
app.kubernetes.io/name: hlf-k8s
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: hlf-k8s-config-operator
app.kubernetes.io/instance: network-org-1-peer-1
template:
metadata:
labels:
app.kubernetes.io/name: hlf-k8s-config-operator
app.kubernetes.io/instance: network-org-1-peer-1
spec:
serviceAccountName: network-org-1-peer-1-hlf-k8s
containers:
- name: fabric-tools
image: substrafoundation/hlf-k8s:0.0.11-66-gc89731f-dirty
command: ['sh', '-c']
args:
- |
## Create configuration files (public keys) for the organization
while true; do
until [ -f "/data/configOrg.json" ]; do
printf "[DEBUG] Create the organization config file\n"
configtxgen -printOrg MyOrg1 > /data/configOrg.json
sleep 1
done
until [ -f "/data/configOrgWithAnchors.json" ]; do
printf "[DEBUG] Create the org config anchor file\n"
jq -s '.[0] * {"values":{"AnchorPeers":{"mod_policy":"Admins", "value":{"anchor_peers":[{"host":"network-org-1-peer-1.org-1", "port":"7051"}]}, "version": "0"}}}' /data/configOrg.json > /data/configOrgWithAnchors.json
sleep 1
done
sleep 10
done
resources:
null
env:
- name: CORE_PEER_MSPCONFIGPATH
value: /var/hyperledger/admin_msp
- name: GODEBUG
value: "netdns=go+1"
volumeMounts:
- mountPath: /etc/hyperledger/fabric
name: fabric-config
readOnly: true
- mountPath: /var/hyperledger/msp/signcerts
name: id-cert
- mountPath: /var/hyperledger/msp/keystore
name: id-key
- mountPath: /var/hyperledger/msp/cacerts
name: cacert
- mountPath: /var/hyperledger/msp/tlscacerts
name: cacert
- mountPath: /var/hyperledger/msp/admincerts
name: admin-cert
- mountPath: /var/hyperledger/tls/server/pair
name: tls
- mountPath: /var/hyperledger/tls/server/cert
name: tls-rootcert
- mountPath: /var/hyperledger/tls/client/pair
name: tls-client
- mountPath: /var/hyperledger/tls/client/cert
name: tls-clientrootcert
- mountPath: /var/hyperledger/tls/ord/cert
name: ord-tls-rootcert
- mountPath: /var/hyperledger/admin_msp/signcerts
name: admin-cert
- mountPath: /var/hyperledger/admin_msp/keystore
name: admin-key
- mountPath: /var/hyperledger/admin_msp/cacerts
name: cacert
- mountPath: /var/hyperledger/admin_msp/tlscacerts
name: cacert
- mountPath: /var/hyperledger/admin_msp/admincerts
name: admin-cert
- mountPath: /data
name: data
- name: nginx
image: nginx:1.17.6
ports:
- containerPort: 80
volumeMounts:
- mountPath: /usr/share/nginx/html/config
name: data
volumes:
- name: fabric-config
configMap:
name: network-org-1-peer-1-hlf-k8s-fabric
- name: id-cert
secret:
secretName: hlf-msp-cert-user
- name: id-key
secret:
secretName: hlf-msp-key-user
- name: cacert
secret:
secretName: hlf-cacert
- name: tls
secret:
secretName: hlf-tls-admin
- name: tls-rootcert
secret:
secretName: hlf-cacert
- name: tls-client
secret:
secretName: hlf-tls-user
- name: tls-clientrootcert
secret:
secretName: hlf-cacert
- name: admin-cert
secret:
secretName: hlf-msp-cert-admin
- name: admin-key
secret:
secretName: hlf-msp-key-admin
- name: ord-tls-rootcert
secret:
secretName: ord-tls-rootcert
- name: data
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: network-org-1-peer-1-hlf-k8s-config-operator
labels:
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/instance: network-org-1-peer-1
helm.sh/chart: hlf-k8s-1.1.1
app.kubernetes.io/name: hlf-k8s
spec:
type: ClusterIP
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
selector:
app.kubernetes.io/name: hlf-k8s-config-operator
app.kubernetes.io/instance: network-org-1-peer-1
---
# Source: hlf-k8s/templates/deployment-enrollement-operator.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: network-org-1-peer-1-hlf-k8s-enrollment-operator
labels:
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/instance: network-org-1-peer-1
helm.sh/chart: hlf-k8s-1.1.1
app.kubernetes.io/name: hlf-k8s
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: hlf-k8s-enrollment-operator
app.kubernetes.io/instance: network-org-1-peer-1
template:
metadata:
labels:
app.kubernetes.io/name: hlf-k8s-enrollment-operator
app.kubernetes.io/instance: network-org-1-peer-1
spec:
serviceAccountName: network-org-1-peer-1-hlf-k8s
containers:
- name: fabric-tools
image: substrafoundation/hlf-k8s:0.0.11-66-gc89731f-dirty
command: ['sh', '-c']
args:
- |
## Update CA certs
update-ca-certificates
## Check connection with the Certificate Authority
printf "[DEBUG] Testing the connection with this node's Certificate Authority (http://network-org-1-peer-1-ca.org-1:7054)\n"
until fabric-ca-client getcainfo -u http://network-org-1-peer-1-ca.org-1:7054; do
printf "[DEBUG] Certificate Authority (http://network-org-1-peer-1-ca.org-1:7054) server is not reacheable, retry in 5s\n"
sleep 5
done
## Enroll CA administrator
printf "[DEBUG] Testing enrollment of CA admin\n"
until fabric-ca-client identity list -u http://caAdmin:[email protected]:7054 --id caAdmin; do
printf "[DEBUG] Certificate Authority admin is not enrolled, enrolling it now:\n"
fabric-ca-client enroll -d -u http://caAdmin:[email protected]:7054 -M /var/hyperledger/fabric-ca/msp
sleep 1
done
## Create CA cert kubernetes secret
## Note: The CA cert is shared between all identities (CA admin, admins, and users)
until kubectl get secret hlf-cacert > /dev/null; do
printf "[DEBUG] CA cacerts k8s secret not found, creating it now:\n"
kubectl create secret generic hlf-cacert --from-file=cacert.pem=$(find /var/hyperledger/fabric-ca/msp/cacerts -type f)
sleep 1
done
## Check connection with the Orderer Certificate Authority
printf "[DEBUG] Testing the connection with the Orderer Certificate Authority (http://network-orderer-ca.orderer:7054)\n"
until fabric-ca-client getcainfo -u http://network-orderer-ca.orderer:7054 -H /tmp/orderer; do
printf "[DEBUG] Orderer Certificate Authority (http://network-orderer-ca.orderer:7054) server is not reacheable, retry in 5s\n"
sleep 5
done
## Create Orderer CA Cert kubernetes secret
until kubectl get secret ord-tls-rootcert > /dev/null; do
printf "[DEBUG] Orderer CA cacerts k8s secret not found, creating it now:\n"
kubectl create secret generic ord-tls-rootcert --from-file=cacert.pem=$(find /tmp/orderer/msp/cacerts -type f)
sleep 1
done
## Enroll users
while true; do
while IFS=" " read -r name secret options; do
printf "[DEBUG] Checking enrollment of CA user $name\n"
## Register user
until fabric-ca-client identity list -u http://caAdmin:[email protected]:7054 --id $name; do
printf "[DEBUG] User $name is not registered, registering the user now:\n"
fabric-ca-client register -d -u http://caAdmin:[email protected]:7054 --id.name $name --id.secret $secret $options
sleep 1
done
## Enroll user (MSP)
until [ -d "/data/$name/msp" ]; do
printf "[DEBUG] MSP certificate not found: enrolling user '$name' now:\n"
fabric-ca-client enroll -d -u http://$name:[email protected]:7054 -M /data/$name/msp
sleep 1
done
## Enroll user (TLS)
until [ -d "/data/$name/tls" ]; do
printf "[DEBUG] TLS certificate not found: enrolling user '$name' with TLS profile now:\n"
fabric-ca-client enroll -d --enrollment.profile tls -u http://$name:[email protected]:7054 -M /data/$name/tls --csr.hosts network-org-1-peer-1.org-1
sleep 1
done
## Create secret: MSP cert
until kubectl get secret hlf-msp-cert-$name > /dev/null; do
printf "[DEBUG] User '$name' 'MSP cert' secret not found, creating it now:\n"
kubectl create secret generic hlf-msp-cert-$name --from-file=cert.pem=/data/$name/msp/signcerts/cert.pem
sleep 1
done
## Create secret: MSP key
until kubectl get secret hlf-msp-key-$name > /dev/null; do
printf "[DEBUG] User '$name' 'MSP key' secret not found, creating it now:\n"
kubectl create secret generic hlf-msp-key-$name --from-file=key.pem=$(find /data/$name/msp/keystore -type f)
sleep 1
done
## Create secret: TLS pair
until kubectl get secret hlf-tls-$name > /dev/null; do
printf "[DEBUG] User '$name' 'TLS pair' secret not found, creating it now:\n"
kubectl create secret tls hlf-tls-$name --key $(find /data/$name/tls/keystore -type f) --cert /data/$name/tls/signcerts/cert.pem
sleep 1
done
done < /config/enrollments
sleep 10
done
resources:
null
volumeMounts:
- mountPath: /etc/hyperledger/fabric
name: fabric-config
readOnly: true
- mountPath: /config
name: enrollment
readOnly: true
- mountPath: /data
name: data
volumes:
- name: fabric-config
configMap:
name: network-org-1-peer-1-hlf-k8s-fabric
- name: enrollment
configMap:
name: network-org-1-peer-1-hlf-k8s-enrollment
- name: data
emptyDir: {}
---
# Source: hlf-k8s/templates/deployment-toolbox.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: network-org-1-peer-1-hlf-k8s-toolbox
labels:
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/instance: network-org-1-peer-1
helm.sh/chart: hlf-k8s-1.1.1
app.kubernetes.io/name: network-org-1-peer-1-hlf-k8s-toolbox
app.kubernetes.io/part-of: network-org-1-peer-1
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: network-org-1-peer-1-hlf-k8s-toolbox
app.kubernetes.io/instance: network-org-1-peer-1
template:
metadata:
labels:
app.kubernetes.io/name: network-org-1-peer-1-hlf-k8s-toolbox
app.kubernetes.io/instance: network-org-1-peer-1
spec:
serviceAccountName: network-org-1-peer-1-hlf-k8s
containers:
- name: fabric-tools
image: "substrafoundation/hlf-k8s:0.0.11-66-gc89731f-dirty"
imagePullPolicy: "IfNotPresent"
command: ['sleep']
args:
- infinity
env:
- name: CORE_PEER_MSPCONFIGPATH
value: /var/hyperledger/admin_msp
- name: GODEBUG
value: "netdns=go+1"
- name: GITHUB_TOKEN
value: 82943306e1c1408d3b4a78e33bfbac58ca4b798a
resources:
limits:
cpu: 100m
memory: 256Mi
requests:
cpu: 100m
memory: 256Mi
volumeMounts:
- mountPath: /etc/hyperledger/fabric
name: fabric-config
readOnly: true
- mountPath: /var/hyperledger/msp/signcerts
name: id-cert
- mountPath: /var/hyperledger/msp/keystore
name: id-key
- mountPath: /var/hyperledger/msp/cacerts
name: cacert
- mountPath: /var/hyperledger/msp/tlscacerts
name: cacert
- mountPath: /var/hyperledger/msp/admincerts
name: admin-cert
- mountPath: /var/hyperledger/tls/server/pair
name: tls
- mountPath: /var/hyperledger/tls/server/cert
name: tls-rootcert
- mountPath: /var/hyperledger/tls/client/pair
name: tls-client
- mountPath: /var/hyperledger/tls/client/cert
name: tls-clientrootcert
- mountPath: /var/hyperledger/tls/ord/cert
name: ord-tls-rootcert
- mountPath: /var/hyperledger/admin_msp/signcerts
name: admin-cert
- mountPath: /var/hyperledger/admin_msp/keystore
name: admin-key
- mountPath: /var/hyperledger/admin_msp/cacerts
name: cacert
- mountPath: /var/hyperledger/admin_msp/tlscacerts
name: cacert
- mountPath: /var/hyperledger/admin_msp/admincerts
name: admin-cert
volumes:
- name: fabric-config
configMap:
name: network-org-1-peer-1-hlf-k8s-fabric
- name: id-cert
secret:
secretName: hlf-msp-cert-user
- name: id-key
secret:
secretName: hlf-msp-key-user
- name: cacert
secret:
secretName: hlf-cacert
- name: tls
secret:
secretName: hlf-tls-admin
- name: tls-rootcert
secret:
secretName: hlf-cacert
- name: tls-client
secret:
secretName: hlf-tls-user
- name: tls-clientrootcert
secret:
secretName: hlf-cacert
- name: admin-cert
secret:
secretName: hlf-msp-cert-admin
- name: admin-key
secret:
secretName: hlf-msp-key-admin
- name: ord-tls-rootcert
secret:
secretName: ord-tls-rootcert
---
# Source: hlf-k8s/charts/ca/templates/ingress.yaml
---
# Source: hlf-k8s/charts/ca/templates/pvc.yaml
---
# Source: hlf-k8s/charts/ca/templates/secret--db.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/addheaders-configmap.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/admission-webhooks/job-patch/clusterrole.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/admission-webhooks/job-patch/job-createSecret.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/admission-webhooks/job-patch/psp.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/admission-webhooks/job-patch/role.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/admission-webhooks/job-patch/rolebinding.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/admission-webhooks/job-patch/serviceaccount.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/admission-webhooks/validating-webhook.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/controller-configmap.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/controller-daemonset.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/controller-hpa.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/controller-metrics-service.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/controller-poddisruptionbudget.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/controller-prometheusrules.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/controller-psp.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/controller-servicemonitor.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/controller-webhook-service.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/default-backend-poddisruptionbudget.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/default-backend-psp.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/default-backend-role.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/default-backend-rolebinding.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/proxyheaders-configmap.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/tcp-configmap.yaml
---
# Source: hlf-k8s/charts/nginx-ingress/templates/udp-configmap.yaml
---
# Source: hlf-k8s/charts/peer/templates/ingress.yaml
---
# Source: hlf-k8s/charts/peer/templates/pvc.yaml
---
# Source: hlf-k8s/templates/configmap-system-organizations.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# Source: hlf-k8s/templates/deployment-genesis-operator.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# Source: hlf-k8s/templates/deployment-monitor.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# Source: hlf-k8s/templates/deployment-system-channel-operator.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# Source: hlf-k8s/templates/ingress-application-channel.yaml
---
---
# Source: hlf-k8s/templates/ingress-config.yaml
---
---
# Source: hlf-k8s/templates/job-hook-delete-secrets.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# Source: hlf-k8s/templates/job-hook-uninstall-chaincode.yaml
# Copyright 2018 Owkin, inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment