test-network-k8s: Introduce initial support for BFT orderers

This patch adds initial support for BFT orderers in the test-network-k8s.
When `TEST_NETWORK_ORDERER_TYPE` is set to `bft`, the network launches
four orderers configured with SmartBFT.

Signed-off-by: Tatsuya Sato <[email protected]>

test-network-k8s/config/org0/configtx-template.yaml

@@ -169,7 +169,7 @@ Capabilities:
     # not able to participate in channels at v2.0 application capability.
     # Prior to enabling V2.0 application capabilities, ensure that all
     # peers on channel are at v2.0.0 or later.
-    V2_0: true
+    V2_5: true
 
 ################################################################################
 #

test-network-k8s/kube/org0/org0-orderer4.yaml

@@ -0,0 +1,160 @@
+#
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: org0-orderer4-tls-cert
+  namespace: ${ORG0_NS}
+spec:
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  dnsNames:
+    - localhost
+    - org0-orderer4
+    - org0-orderer4.${ORG0_NS}.svc.cluster.local
+    - org0-orderer4.${DOMAIN}
+    - org0-orderer4-admin.${DOMAIN}
+  ipAddresses:
+    - 127.0.0.1
+  secretName: org0-orderer4-tls-cert
+  issuerRef:
+    name: org0-tls-cert-issuer
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: org0-orderer4-env
+data:
+  FABRIC_CFG_PATH: /var/hyperledger/fabric/config
+  FABRIC_LOGGING_SPEC: INFO # debug:cauthdsl,policies,msp,common.configtx,common.channelconfig=info
+  ORDERER_GENERAL_LISTENADDRESS: 0.0.0.0
+  ORDERER_GENERAL_LISTENPORT: "6050"
+  ORDERER_GENERAL_LOCALMSPID: OrdererMSP
+  ORDERER_GENERAL_LOCALMSPDIR: /var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer4.org0.example.com/msp
+  ORDERER_GENERAL_TLS_ENABLED: "true"
+  ORDERER_GENERAL_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt
+  ORDERER_GENERAL_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt
+  ORDERER_GENERAL_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key
+  ORDERER_GENERAL_BOOTSTRAPMETHOD: none
+  ORDERER_CHANNELPARTICIPATION_ENABLED: "true"
+  ORDERER_ADMIN_TLS_ENABLED: "true"
+  ORDERER_ADMIN_TLS_CERTIFICATE: /var/hyperledger/fabric/config/tls/tls.crt
+  ORDERER_ADMIN_TLS_ROOTCAS: /var/hyperledger/fabric/config/tls/ca.crt
+  ORDERER_ADMIN_TLS_PRIVATEKEY: /var/hyperledger/fabric/config/tls/tls.key
+  # Authenticate client connections with the org's ecert / admin user enrollments
+  ORDERER_ADMIN_TLS_CLIENTROOTCAS: "[/var/hyperledger/fabric/organizations/ordererOrganizations/org0.example.com/orderers/org0-orderer4.org0.example.com/msp/cacerts/org0-ca.pem]"
+  ORDERER_FILELEDGER_LOCATION: /var/hyperledger/fabric/data/orderer4
+  ORDERER_CONSENSUS_WALDIR: /var/hyperledger/fabric/data/orderer4/etcdraft/wal
+  ORDERER_CONSENSUS_SNAPDIR: /var/hyperledger/fabric/data/orderer4/etcdraft/wal
+  ORDERER_OPERATIONS_LISTENADDRESS: 0.0.0.0:8443
+  ORDERER_ADMIN_LISTENADDRESS: 0.0.0.0:9443
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: org0-orderer4
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: org0-orderer4
+  template:
+    metadata:
+      labels:
+        app: org0-orderer4
+    spec:
+      containers:
+        - name: main
+          image: ${FABRIC_CONTAINER_REGISTRY}/fabric-orderer:${FABRIC_VERSION}
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - configMapRef:
+                name: org0-orderer4-env
+          ports:
+            - containerPort: 6050
+            - containerPort: 8443
+            - containerPort: 9443
+          volumeMounts:
+            - name: fabric-volume
+              mountPath: /var/hyperledger
+            - name: fabric-config
+              mountPath: /var/hyperledger/fabric/config
+            - name: tls-cert-volume
+              mountPath: /var/hyperledger/fabric/config/tls
+              readOnly: true
+      volumes:
+        - name: fabric-volume
+          persistentVolumeClaim:
+            claimName: fabric-org0
+        - name: fabric-config
+          configMap:
+            name: org0-config
+        - name: tls-cert-volume
+          secret:
+            secretName: org0-orderer4-tls-cert
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: org0-orderer4
+spec:
+  ports:
+    - name: general
+      port: 6050
+      protocol: TCP
+    - name: operations
+      port: 8443
+      protocol: TCP
+    - name: admin
+      port: 9443
+      protocol: TCP
+  selector:
+    app: org0-orderer4
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+  labels:
+    app: org0-orderer4
+  name: org0-orderer4
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: org0-orderer4.${DOMAIN}
+      http:
+        paths:
+          - backend:
+              service:
+                name: org0-orderer4
+                port:
+                  name: general
+            path: /
+            pathType: ImplementationSpecific
+    - host: org0-orderer4-admin.${DOMAIN}
+      http:
+        paths:
+          - backend:
+              service:
+                name: org0-orderer4
+                port:
+                  name: admin
+            path: /
+            pathType: ImplementationSpecific
+  tls:
+    - hosts:
+        - org0-orderer4.${DOMAIN}
+    - hosts:
+        - org0-orderer4-admin.${DOMAIN}

test-network-k8s/network

@@ -47,6 +47,7 @@ context ORG1_NS                       ${NS}
 context ORG2_NS                       ${NS}
 context DOMAIN                        localho.st
 context CHANNEL_NAME                  mychannel
+context ORDERER_TYPE                  raft                  # or bft for BFT Orderer (for Fabric v3.0+)
 context ORDERER_TIMEOUT               10s                   # see https://github.com/hyperledger/fabric/issues/3372
 context TEMP_DIR                      ${PWD}/build
 context CHAINCODE_BUILDER             ccaas                 # see https://github.com/hyperledgendary/fabric-builder-k8s/blob/main/docs/TEST_NETWORK_K8S.md
@@ -77,6 +78,7 @@ function print_help() {
   log "Network name       \t\t: ${NETWORK_NAME}"
   log "Ingress domain     \t\t: ${DOMAIN}"
   log "Channel name       \t\t: ${CHANNEL_NAME}"
+  log "Orderer type       \t\t: ${ORDERER_TYPE}"
   log
   log "--- Cluster Information"
   log "Cluster runtime      \t: ${CLUSTER_RUNTIME}"

test-network-k8s/scripts/channel.sh

@@ -150,9 +150,12 @@ function create_channel_MSP() {
   create_channel_org_MSP org1 peer $ORG1_NS
   create_channel_org_MSP org2 peer $ORG2_NS
 
-  extract_orderer_tls_cert org0 orderer1
-  extract_orderer_tls_cert org0 orderer2
-  extract_orderer_tls_cert org0 orderer3
+  extract_orderer_cert org0 orderer1
+  extract_orderer_cert org0 orderer2
+  extract_orderer_cert org0 orderer3
+  if  [ "${ORDERER_TYPE}" == "bft" ]; then
+      extract_orderer_cert org0 orderer4
+  fi
 
   pop_fn
 }
@@ -185,13 +188,13 @@ function create_channel_org_MSP() {
   create_msp_config_yaml ${ca_name} ca-signcert.pem ${ORG_MSP_DIR}
 }
 
-# Extract an orderer's TLS signing certificate for inclusion in the channel config block
-function extract_orderer_tls_cert() {
+# Extract an orderer's signing certificate for inclusion in the channel config block
+function extract_orderer_cert() {
   local org=$1
   local orderer=$2
   local ns=$ORG0_NS
 
-  echo "Extracting TLS cert for $org $orderer"
+  echo "Extracting cert for $org $orderer"
 
   ORDERER_TLS_DIR=${TEMP_DIR}/channel-msp/ordererOrganizations/${org}/orderers/${org}-${orderer}/tls
   mkdir -p $ORDERER_TLS_DIR/signcerts
@@ -200,14 +203,33 @@ function extract_orderer_tls_cert() {
     | jq -r .data.\"tls.crt\" \
     | base64 -d \
     > ${ORDERER_TLS_DIR}/signcerts/tls-cert.pem
+
+  # For the orderer type is BFT, retrieve the enrollment certificate from the pod
+  POD_NAME=$(kubectl -n $ns get pods -l app=${org}-${orderer} -o jsonpath="{.items[0].metadata.name}")
+  # - Check if the pod exists before proceeding
+  if [ -z "$POD_NAME" ]; then
+    fatalln "Error: No Pod found with label app=${org}-${orderer} in namespace $ns"
+  fi
+  # - Copy the enrollment certificate from the pod to the local machine
+  kubectl -n $ns cp ${POD_NAME}:var/hyperledger/fabric/organizations/ordererOrganizations/${org}.example.com/orderers/${org}-${orderer}.${org}.example.com/msp/signcerts/cert.pem ${TEMP_DIR}/channel-msp/ordererOrganizations/${org}/orderers/${org}-${orderer}/cert.pem
 }
 
 function create_genesis_block() {
   push_fn "Creating channel genesis block"
+
+  # Define the default channel configtx and profile
+  local profile="TwoOrgsApplicationGenesis"
   cat ${PWD}/config/org0/configtx-template.yaml | envsubst > ${TEMP_DIR}/configtx.yaml
+
+  # Overwrite configtx and profile for bft orderer
+  if  [ "${ORDERER_TYPE}" == "bft" ]; then
+    cat ${PWD}/config/org0/bft/configtx-template.yaml | envsubst > ${TEMP_DIR}/configtx.yaml
+    profile="ChannelUsingBFT"
+  fi
+
   FABRIC_CFG_PATH=${TEMP_DIR} \
     configtxgen \
-      -profile      TwoOrgsApplicationGenesis \
+      -profile      $profile \
       -channelID    $CHANNEL_NAME \
       -outputBlock  ${TEMP_DIR}/genesis_block.pb
 
@@ -222,6 +244,9 @@ function join_channel_orderers() {
   join_channel_orderer org0 orderer1
   join_channel_orderer org0 orderer2
   join_channel_orderer org0 orderer3
+  if  [ "${ORDERER_TYPE}" == "bft" ]; then
+    join_channel_orderer org0 orderer4
+  fi
 
   # todo: readiness / liveiness equivalent for channel?  Needs a little bit to settle before peers can join.
   sleep 10

test-network-k8s/scripts/test_network.sh

@@ -16,6 +16,11 @@ function launch_orderers() {
   kubectl -n $ORG0_NS rollout status deploy/org0-orderer2
   kubectl -n $ORG0_NS rollout status deploy/org0-orderer3
 
+  if  [ "${ORDERER_TYPE}" == "bft" ]; then
+    apply_template kube/org0/org0-orderer4.yaml $ORG0_NS
+    kubectl -n $ORG0_NS rollout status deploy/org0-orderer4
+  fi
+
   pop_fn
 }
 
@@ -115,6 +120,9 @@ function create_local_MSP() {
   create_orderer_local_MSP org0 orderer1
   create_orderer_local_MSP org0 orderer2
   create_orderer_local_MSP org0 orderer3
+  if  [ "${ORDERER_TYPE}" == "bft" ]; then
+    create_orderer_local_MSP org0 orderer4
+  fi
 
   create_peer_local_MSP org1 peer1 $ORG1_NS
   create_peer_local_MSP org1 peer2 $ORG1_NS