[CE-418]Add option to reuse certs in cello/ansible

Providing an option in cello/ansible to use the existing certs or
regenerate certs using a parameter generate_certs.

Creating a new parameter for composer in configuration files.

Remove duplicate certs or tx files in use and
generate fabric-ca-server-config file as part of cert generation.

Change-Id: Ie105b840700db39d7a295c108124c5a3d3a92cf2
Signed-off-by: Surya <[email protected]>

src/agent/ansible/roles/deploy_compose/certsetup/tasks/apply.yml

@@ -35,12 +35,14 @@
     dest: "{{ fabricworkdir }}/keyfiles/{{ item }}/connection.json"
   with_items: "{{ allorgs }}"
   tags: "composer"
+  when: fabric.composer == true
 
 - name: Create endorsement policy file
   template:
     src: "{{ playbook_dir }}/../deploy_compose/certsetup/templates/policy.j2"
     dest: "{{ fabricworkdir }}/keyfiles/policy.json"
   tags: "composer"
+  when: fabric.composer == true
 
 - name: Rename admin private key
   shell: >-
@@ -49,6 +51,7 @@
     chdir: "{{ fabricworkdir }}/keyfiles/{{ item }}/users/Admin@{{ item }}/msp/keystore"
   with_items: "{{ allorgs }}"
   tags: "composer"
+  when: fabric.composer == true
 
 - name: Rename ca private key
   shell: >-
@@ -57,6 +60,7 @@
     chdir: "{{ fabricworkdir }}/keyfiles/{{ item }}/ca"
   with_items: "{{ allorgs }}"
   tags: "composer"
+  when: fabric.composer == true
 
 - name: Rename ca tls private key
   shell: >-
@@ -65,6 +69,7 @@
     chdir: "{{ fabricworkdir }}/keyfiles/{{ item }}/tlsca"
   with_items: "{{ allorgs }}"
   tags: "composer"
+  when: fabric.composer == true
 
 - name: Upload bna file
   copy:
@@ -73,6 +78,7 @@
   with_fileglob:
       - "{{ playbook_dir }}/../../secrets/networks/*.bna"
   tags: "composer"
+  when: fabric.composer == true
 
 - name: Create core.yml file for every peer
   template:
@@ -96,26 +102,11 @@
     chdir: "{{ fabricworkdir }}"
   when: allorderers | length > 0
 
-- name: Define the anchor peer for organizations
-  shell: >-
-    export FABRIC_CFG_PATH={{ fabricworkdir }} &&
-    {{ fabricpath }}/build/bin/configtxgen -profile OrgChannel
-    -outputAnchorPeersUpdate keyfiles/{{ item }}.anchor.tx
-    -channelID firstchannel -asOrg {{ item }}
-  args:
-    chdir: "{{ fabricworkdir }}"
-  with_items: "{{ peerorgs }}"
-
-- name: Duplicate genesis and transaction block to each peer
-  shell: >-
-    cp {{ fabricworkdir }}/keyfiles/genesis.block
-    {{ fabricworkdir }}/keyfiles/{{ item.org }}/peers/{{ item.name }}.{{ item.org }} &&
-    cp {{ fabricworkdir }}/keyfiles/firstchannel.tx
-    {{ fabricworkdir }}/keyfiles/{{ item.org }}/peers/{{ item.name }}.{{ item.org }}
-  args:
-    chdir: "{{ fabricworkdir }}"
-  when: allorderers | length > 0
-  with_items: "{{ allpeers }}"
+- name: Create ca config file
+  template:
+    src: "{{ playbook_dir }}/../deploy_compose/certsetup/templates/fabric-ca-server-config.j2"
+    dest: "{{ fabricworkdir }}/run/keyfiles/{{ item.org }}/ca/fabric-ca-server-config.yaml"
+  with_items: "{{ cas }}"
 
 - name: Create a zip file of all certificates
   archive:

src/agent/ansible/roles/deploy_compose/fabricsetup/templates/fabric-ca-server-config.j2 → src/agent/ansible/roles/deploy_compose/certsetup/templates/fabric-ca-server-config.j2

@@ -1,3 +1,9 @@
+{% if fabric.baseimage_tag == 'stable' or fabric.baseimage_tag == 'latest' %}
+{% set project_version = fabric.baseimage_tag %}
+{% else %}
+{% set tag = fabric.baseimage_tag.split('-') %}
+{% set project_version = tag[1] %}
+{% endif %}
 registry:
   # Maximum number of times a password/secret can be reused for enrollment
   # (default: -1, which means there is no limit)
@@ -11,11 +17,15 @@ registry:
        affiliation: ""
        maxenrollments: -1
        attrs:
-          hf.Registrar.Roles: "client,user,peer,validator,auditor"
-          hf.Registrar.DelegateRoles: "client,user,validator,auditor"
+          hf.Registrar.Roles: "*"
+          hf.Registrar.DelegateRoles: "*"
           hf.Revoker: true
           hf.IntermediateCA: true
-
+{% if project_version is version_compare('1.1.0','>=') or 'stable' in project_version or project_version == 'latest' %}
+          hf.GenCRL: true
+          hf.Registrar.Attributes: "*"
+          hf.AffiliationMgr: true
+{% endif %}
 ldap:
   enabled: false
 

src/agent/ansible/roles/deploy_compose/plays.yml

@@ -17,6 +17,7 @@
     - "./../../vars/{{ env }}.yml"
   tasks:
     - include_tasks: "certsetup/tasks/{{ mode }}.yml"
+      when: fabric.generate_certs == true
   tags: "certsetup"
 
 - name: setup fabric network
@@ -37,4 +38,5 @@
     - "./../../vars/{{ env }}.yml"
   tasks:
     - include_tasks: "composersetup/tasks/{{ mode }}.yml"
+      when: fabric.composer == true
   tags: "composersetup"

src/agent/ansible/roles/deploy_k8s/fabricsetup/tasks/apply.yml

@@ -49,6 +49,7 @@
   args:
     chdir: "{{ playbook_dir }}/../../vars/"
   tags: "createcertspod"
+  when: fabric.generate_certs == true
 
 - name: Query initialization container status
   command: >-
@@ -61,6 +62,7 @@
   retries: 5
   delay: 10
   tags: "querypvc"
+  when: fabric.generate_certs == true
 
 - name: Check the status of secret for pulling images
   command: >-
@@ -96,6 +98,7 @@
   args:
     chdir: "{{ playbook_dir }}/../../vars/"
   tags: "cleancerts"
+  when: fabric.generate_certs == true
 
 - name: Copy certs onto the persistent volume
   command: >-
@@ -106,6 +109,7 @@
     - "{{ fabricworkdir }}/certs.tgz"
     - "{{ playbook_dir }}/../deploy_k8s/fabricsetup/templates/firstcode.go"
   tags: "placecerts"
+  when: fabric.generate_certs == true
 
 - name: Copy channel operation script onto the persistent volume
   command: >-
@@ -114,7 +118,7 @@
     chdir: "{{ playbook_dir }}/../../vars/"
   with_items:
     - "{{ fabricworkdir }}/keyfiles/dochannel.sh"
-  when: (allorderers | length > 0) and (allpeers | length > 0)
+  when: (allorderers | length > 0) and (allpeers | length > 0) and fabric.generate_certs == true
   tags: "placecerts"
 
 - name: Untar certs.tgz in the Persistent volume
@@ -124,6 +128,7 @@
   args:
     chdir: "{{ playbook_dir }}/../../vars/"
   tags: "untarcerts"
+  when: fabric.generate_certs == true
 
 - name: Change certs permissions
   command: >-
@@ -132,13 +137,15 @@
   args:
     chdir: "{{ playbook_dir }}/../../vars/"
   tags: "changecertspermission"
+  when: fabric.generate_certs == true
 
 - name: Removing the certs pod
   command: >-
     ./kubectl --kubeconfig kubeconfig delete -f ../run/certssetup.yaml
   args:
     chdir: "{{ playbook_dir }}/../../vars/"
   tags: "deletecertspod"
+  when: fabric.generate_certs == true
 
 - name: Deploy chaincode container endpoint daemon set
   command: >-

src/agent/ansible/roles/deploy_k8s/plays.yml

@@ -19,6 +19,7 @@
     - "./../../vars/{{ env }}.yml"
   tasks:
     - include_tasks: "../deploy_compose/certsetup/tasks/{{ mode }}.yml"
+      when: fabric.generate_certs == true
   tags: "certsetup"
 
 - name: setup fabric network
@@ -41,4 +42,5 @@
     - "./../../vars/{{ env }}.yml"
   tasks:
     - include_tasks: "composersetup/tasks/{{ mode }}.yml"
+      when: fabric.composer == true
   tags: "composersetup"

src/agent/ansible/vars/bc1st.yml

@@ -18,6 +18,8 @@ fabric: {
   # options are "goleveldb", "CouchDB", default is goleveldb
   peer_db: "CouchDB",
   tls: false,
+  generate_certs: true,
+  composer: false,
   logging_level: "ERROR",
   k8s: {
     exposeserviceport: False,

src/agent/ansible/vars/vb1st.yml

@@ -18,6 +18,8 @@ fabric: {
   # options are "goleveldb", "CouchDB", default is goleveldb
   peer_db: "goleveldb",
   tls: false,
+  generate_certs: true,
+  composer: false,
   logging_level: "ERROR",
   k8s: {
     exposeserviceport: True,