Expose new Admin endpoint on orderer

Move the channel participation API to use this endpoint. FAB-18246 #done Signed-off-by: Will Lahti <[email protected]>
hyperledger · Oct 26, 2020 · 6808c8e · 6808c8e
1 parent af1beb4
commit 6808c8e
Show file tree

Hide file tree

Showing 7 changed files with 83 additions and 13 deletions.
diff --git a/integration/channelparticipation/channel_participation.go b/integration/channelparticipation/channel_participation.go
@@ -25,7 +25,7 @@ import (
 func Join(n *nwo.Network, o *nwo.Orderer, channel string, block *common.Block, expectedChannelInfo ChannelInfo) {
 	blockBytes, err := proto.Marshal(block)
 	Expect(err).NotTo(HaveOccurred())
-	url := fmt.Sprintf("https://127.0.0.1:%d/participation/v1/channels", n.OrdererPort(o, nwo.OperationsPort))
+	url := fmt.Sprintf("https://127.0.0.1:%d/participation/v1/channels", n.OrdererPort(o, nwo.AdminPort))
 	req := GenerateJoinRequest(url, channel, blockBytes)
 	authClient, _ := nwo.OrdererOperationalClients(n, o)
 
@@ -75,7 +75,7 @@ type channelInfoShort struct {
 
 func List(n *nwo.Network, o *nwo.Orderer, expectedChannels []string, systemChannel ...string) {
 	authClient, unauthClient := nwo.OrdererOperationalClients(n, o)
-	listChannelsURL := fmt.Sprintf("https://127.0.0.1:%d/participation/v1/channels", n.OrdererPort(o, nwo.OperationsPort))
+	listChannelsURL := fmt.Sprintf("https://127.0.0.1:%d/participation/v1/channels", n.OrdererPort(o, nwo.AdminPort))
 
 	body := getBody(authClient, listChannelsURL)()
 	list := &channelList{}
@@ -139,7 +139,7 @@ type ChannelInfo struct {
 
 func ListOne(n *nwo.Network, o *nwo.Orderer, channel string) ChannelInfo {
 	authClient, _ := nwo.OrdererOperationalClients(n, o)
-	listChannelURL := fmt.Sprintf("https://127.0.0.1:%d/participation/v1/channels/%s", n.OrdererPort(o, nwo.OperationsPort), channel)
+	listChannelURL := fmt.Sprintf("https://127.0.0.1:%d/participation/v1/channels/%s", n.OrdererPort(o, nwo.AdminPort), channel)
 
 	body := getBody(authClient, listChannelURL)()
 	c := &ChannelInfo{}
@@ -150,7 +150,7 @@ func ListOne(n *nwo.Network, o *nwo.Orderer, channel string) ChannelInfo {
 
 func Remove(n *nwo.Network, o *nwo.Orderer, channel string) {
 	authClient, _ := nwo.OrdererOperationalClients(n, o)
-	url := fmt.Sprintf("https://127.0.0.1:%d/participation/v1/channels/%s", n.OrdererPort(o, nwo.OperationsPort), channel)
+	url := fmt.Sprintf("https://127.0.0.1:%d/participation/v1/channels/%s", n.OrdererPort(o, nwo.AdminPort), channel)
 
 	req, err := http.NewRequest(http.MethodDelete, url, nil)
 	Expect(err).NotTo(HaveOccurred())

diff --git a/integration/nwo/network.go b/integration/nwo/network.go
@@ -1669,6 +1669,7 @@ const (
 	ProfilePort    PortName = "Profile"
 	OperationsPort PortName = "Operations"
 	ClusterPort    PortName = "Cluster"
+	AdminPort      PortName = "Admin"
 )
 
 // PeerPortNames returns the list of ports that need to be reserved for a Peer.
@@ -1679,7 +1680,7 @@ func PeerPortNames() []PortName {
 // OrdererPortNames  returns the list of ports that need to be reserved for an
 // Orderer.
 func OrdererPortNames() []PortName {
-	return []PortName{ListenPort, ProfilePort, OperationsPort, ClusterPort}
+	return []PortName{ListenPort, ProfilePort, OperationsPort, ClusterPort, AdminPort}
 }
 
 // BrokerPortNames returns the list of ports that need to be reserved for a

diff --git a/integration/nwo/orderer_template.go b/integration/nwo/orderer_template.go
@@ -121,6 +121,17 @@ Metrics:
     {{- end }}
     WriteInterval: 5s
     Prefix: {{ ReplaceAll (ToLower Orderer.ID) "." "_" }}
+Admin:
+  ListenAddress: 127.0.0.1:{{ .OrdererPort Orderer "Admin" }}
+  TLS:
+    Enabled: {{ .TLSEnabled }}
+    PrivateKey: {{ $w.OrdererLocalTLSDir Orderer }}/server.key
+    Certificate: {{ $w.OrdererLocalTLSDir Orderer }}/server.crt
+    RootCAs:
+    -  {{ $w.OrdererLocalTLSDir Orderer }}/ca.crt
+    ClientAuthRequired: {{ $w.ClientAuthRequired }}
+    ClientRootCAs:
+    -  {{ $w.OrdererLocalTLSDir Orderer }}/ca.crt
 {{- end }}
 ChannelParticipation:
   Enabled: {{ .Consensus.ChannelParticipationEnabled }}

diff --git a/integration/raft/channel_participation_test.go b/integration/raft/channel_participation_test.go
@@ -912,7 +912,7 @@ type errorResponse struct {
 func channelparticipationJoinFailure(n *nwo.Network, o *nwo.Orderer, channel string, block *common.Block, expectedStatus int, expectedError string) {
 	blockBytes, err := proto.Marshal(block)
 	Expect(err).NotTo(HaveOccurred())
-	url := fmt.Sprintf("https://127.0.0.1:%d/participation/v1/channels", n.OrdererPort(o, nwo.OperationsPort))
+	url := fmt.Sprintf("https://127.0.0.1:%d/participation/v1/channels", n.OrdererPort(o, nwo.AdminPort))
 	req := channelparticipation.GenerateJoinRequest(url, channel, blockBytes)
 	authClient, _ := nwo.OrdererOperationalClients(n, o)
 
@@ -935,7 +935,7 @@ func doBodyFailure(client *http.Client, req *http.Request, expectedStatus int, e
 
 func channelparticipationRemoveFailure(n *nwo.Network, o *nwo.Orderer, channel string, expectedStatus int, expectedError string) {
 	authClient, _ := nwo.OrdererOperationalClients(n, o)
-	url := fmt.Sprintf("https://127.0.0.1:%d/participation/v1/channels/%s", n.OrdererPort(o, nwo.OperationsPort), channel)
+	url := fmt.Sprintf("https://127.0.0.1:%d/participation/v1/channels/%s", n.OrdererPort(o, nwo.AdminPort), channel)
 
 	req, err := http.NewRequest(http.MethodDelete, url, nil)
 	Expect(err).NotTo(HaveOccurred())

diff --git a/orderer/common/localconfig/config.go b/orderer/common/localconfig/config.go
@@ -29,6 +29,7 @@ type TopLevel struct {
 	Operations           Operations
 	Metrics              Metrics
 	ChannelParticipation ChannelParticipation
+	Admin                Admin
 }
 
 // General contains config which should be common among all orderer types.
@@ -198,6 +199,12 @@ type Statsd struct {
 	Prefix        string
 }
 
+// Admin configures the admin endpoint for the orderer.
+type Admin struct {
+	ListenAddress string
+	TLS           TLS
+}
+
 // ChannelParticipation provides the channel participation API configuration for the orderer.
 // Channel participation uses the same ListenAddress and TLS settings of the Operations service.
 type ChannelParticipation struct {
@@ -283,6 +290,9 @@ var Defaults = TopLevel{
 		Enabled:            false,
 		MaxRequestBodySize: 1024 * 1024,
 	},
+	Admin: Admin{
+		ListenAddress: "127.0.0.1:0",
+	},
 }
 
 // Load parses the orderer YAML file and environment, producing

diff --git a/orderer/common/server/main.go b/orderer/common/server/main.go
@@ -96,6 +96,10 @@ func Main() {
 	}
 
 	opsSystem := newOperationsSystem(conf.Operations, conf.Metrics)
+	if err = opsSystem.Start(); err != nil {
+		logger.Panicf("failed to start operations subsystem: %s", err)
+	}
+	defer opsSystem.Stop()
 	metricsProvider := opsSystem.Provider
 	logObserver := floggingmetrics.NewObserver(metricsProvider)
 	flogging.SetObserver(logObserver)
@@ -244,15 +248,16 @@ func Main() {
 		tlsCallback,
 	)
 
-	opsSystem.RegisterHandler(
+	adminServer := newAdminServer(conf.Admin)
+	adminServer.RegisterHandler(
 		channelparticipation.URLBaseV1,
 		channelparticipation.NewHTTPHandler(conf.ChannelParticipation, manager),
-		conf.Operations.TLS.Enabled,
+		conf.Admin.TLS.Enabled,
 	)
-	if err = opsSystem.Start(); err != nil {
-		logger.Panicf("failed to start operations subsystem: %s", err)
+	if err = adminServer.Start(); err != nil {
+		logger.Panicf("failed to start admin server: %s", err)
 	}
-	defer opsSystem.Stop()
+	defer adminServer.Stop()
 
 	mutualTLS := serverConfig.SecOpts.UseTLS && serverConfig.SecOpts.RequireClientCert
 	server := NewServer(
@@ -874,6 +879,20 @@ func newOperationsSystem(ops localconfig.Operations, metrics localconfig.Metrics
 	})
 }
 
+func newAdminServer(admin localconfig.Admin) *fabhttp.Server {
+	return fabhttp.NewServer(fabhttp.Options{
+		Logger:        flogging.MustGetLogger("orderer.admin"),
+		ListenAddress: admin.ListenAddress,
+		TLS: fabhttp.TLS{
+			Enabled:            admin.TLS.Enabled,
+			CertFile:           admin.TLS.Certificate,
+			KeyFile:            admin.TLS.PrivateKey,
+			ClientCertRequired: admin.TLS.ClientAuthRequired,
+			ClientCACertFiles:  admin.TLS.ClientRootCAs,
+		},
+	})
+}
+
 // caMgr manages certificate authorities scoped by channel
 type caManager struct {
 	sync.Mutex

diff --git a/sampleconfig/orderer.yaml b/sampleconfig/orderer.yaml
@@ -310,7 +310,7 @@ Operations:
 
 ################################################################################
 #
-#   Metrics  Configuration
+#   Metrics Configuration
 #
 #   - This configures metrics collection for the orderer
 #
@@ -334,6 +334,35 @@ Metrics:
       # The prefix is prepended to all emitted statsd metrics
       Prefix:
 
+################################################################################
+#
+#   Admin Configuration
+#
+#   - This configures the admin server endpoint for the orderer
+#
+################################################################################
+Admin:
+    # host and port for the admin server
+    ListenAddress: 127.0.0.1:9443
+
+    # TLS configuration for the admin endpoint
+    TLS:
+        # TLS enabled
+        Enabled: false
+
+        # Certificate is the location of the PEM encoded TLS certificate
+        Certificate:
+
+        # PrivateKey points to the location of the PEM-encoded key
+        PrivateKey:
+
+        # Most admin service endpoints require client authentication when TLS
+        # is enabled. ClientAuthRequired requires client certificate authentication
+        # at the TLS layer to access all resources.
+        ClientAuthRequired: false
+
+        # Paths to PEM encoded ca certificates to trust for client authentication
+        ClientRootCAs: []
 
 ################################################################################
 #