Bevel Fabric Operator v1.10: FabricIdentity & More

TL;DR: Bevel Fabric Operator v1.10.0 adds FabricIdentity for automated user management with certificate renewal, FabricNetworkConfig for declarative network configuration, and secret-based TLS enrollment for peers and orderers.
New changes
The following pull requests have been merged:
- FabricIdentity: Manage the registering and enrolling of users automatically (including renewal)
- FabricNetworkConfig: Manage the network configuration based on the Bevel Fabric Operator and external configuration
- Enrollment for peers/orderers/identities now accepts a secret reference to get the TLS Cert of the FabricCA
- FabricCA supports initialization from a custom certificate authority referenced from a secret
- Minor bug fixes
FabricIdentity
You can now manage the registering and enrolling of users automatically. This includes renewal of the user certificates.
This is an example of how to create a FabricIdentity:

```bash
# This identity will register and enroll the user for org1
kubectl hlf identity create --name org1-admin --namespace default \
    --ca-name org1-ca --ca-namespace default \
    --ca ca --mspid Org1MSP --enroll-id explorer-admin --enroll-secret explorer-adminpw \
    --ca-enroll-id=enroll --ca-enroll-secret=enrollpw --ca-type=admin
```
FabricNetworkConfig
You can now manage the network configuration based on the Bevel Fabric Operator and external configuration.
This CRD will react to changes in the Identities and FabricCASecrets and update the network configuration accordingly.
This is an example of how to create a FabricNetworkConfig:

```bash
kubectl hlf networkconfig create --name=org1-cp \
    -o Org1MSP -o OrdererMSP -c demo \
    --identities=org1-admin.default --secret=org1-cp
```
Enrollment for peers/orderers/identities
You can now use a secret reference to get the TLS Cert of the FabricCA, instead of having to specify the certificate in the CRD.
```yaml
apiVersion: hlf.kungfusoftware.es/v1alpha1
kind: FabricPeer
metadata:
  # <your metadata>
spec:
  ...
  secret:
    enrollment:
      component:
        cahost: org1-ca.default
        caname: ca
        caport: 7054
        catls:
          cacert: ''
          secretRef:
            key: tls.crt
            name: org1-ca--tls-cryptomaterial
            namespace: default
        enrollid: peer
        enrollsecret: peerpw
        external: null
      tls:
        cahost: org1-ca.default
        caname: tlsca
        caport: 7054
        catls:
          cacert: ''
          secretRef:
            key: tls.crt
            name: org1-ca--tls-cryptomaterial
            namespace: default
        csr:
          cn: peer01
          hosts:
            - 127.0.0.1
            - localhost
            - peer01.org1.default
        enrollid: peer
        enrollsecret: peerpw
        external: null
  ...
```
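The following check is an added example, not code from the operator or from the original post: it reports, for each enrollment block of a FabricPeer manifest exported as JSON, whether the CA certificate comes from a `secretRef` or is still set inline. Field names are taken from the YAML above; the verdict labels and the `SAMPLE` manifest are constructed for illustration.

```python
import json
import sys

# Constructed sample mirroring the FabricPeer fields shown above: the component
# enrollment uses secretRef, the tls enrollment still carries an inline cert.
SAMPLE = {"spec": {"secret": {"enrollment": {
    "component": {"catls": {"cacert": "", "secretRef": {
        "key": "tls.crt", "name": "org1-ca--tls-cryptomaterial", "namespace": "default"}}},
    "tls": {"catls": {"cacert": "PLACEHOLDER_INLINE_CERT"}},
}}}}

REQUIRED_REF_FIELDS = ("name", "namespace", "key")


def classify_catls(catls):
    """Return (verdict, detail) for one catls block; verdict names are this example's own."""
    catls = catls or {}
    inline = (catls.get("cacert") or "").strip()
    ref = catls.get("secretRef") or {}
    missing = [f for f in REQUIRED_REF_FIELDS if not ref.get(f)]
    if ref and missing:
        return "incomplete-ref", "secretRef lacks: " + ", ".join(missing)
    if ref and inline:
        return "both", "inline cacert and secretRef are both set"
    if ref:
        return "secretRef", "{namespace}/{name}[{key}]".format(**ref)
    if inline:
        return "inline", "CA certificate is copied into the CRD"
    return "none", "no CA certificate configured"


def audit_enrollment(manifest):
    """Map each enrollment block (component, tls) to its verdict."""
    spec = manifest.get("spec") or {}
    enrollment = (spec.get("secret") or {}).get("enrollment") or {}
    return {block: classify_catls((enrollment.get(block) or {}).get("catls"))
            for block in ("component", "tls")}


if __name__ == "__main__":
    # Pipe `kubectl get ... -o json` output for one object in, or run bare to audit SAMPLE.
    manifest = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit_enrollment(manifest)
    for block, (verdict, detail) in results.items():
        print(f"{block}: {verdict} ({detail})")
    sys.exit(0 if all(v == "secretRef" for v, _ in results.values()) else 1)
```

The script exits non-zero unless both the `component` and `tls` blocks resolve their CA certificate through a complete `secretRef`, so it can gate a manifest review or CI step.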
FabricCA supports initialization from custom certificate authority
You can now initialize the FabricCA from a custom certificate authority referenced from a secret.
This includes support for both CAs, the signing CA and the TLS CA.
You can check the following example:
```yaml
apiVersion: hlf.kungfusoftware.es/v1alpha1
kind: FabricCA
metadata:
  name: org1-ca
  namespace: default
spec:
  ca:
    ca:
      cert: ''
      chain: ''
      key: ''
      secret:
        name: org1-ca--tls-cryptomaterial
  tlsCA:
    ...
    ca:
      cert: ''
      chain: ''
      key: ''
      secret:
        name: <your secret containing the certfile, chainfile, keyfile>
```