hyperledger.fabric_ansible_collection.certificate_authority (2.0.7) — module

Manage a Hyperledger Fabric certificate authority

Authors: Simon Stone (@sstone1)

preview | supported by community

Install collection

Install with ansible-galaxy collection install hyperledger.fabric_ansible_collection:==2.0.7


Add to requirements.yml

  collections:
    - name: hyperledger.fabric_ansible_collection
      version: 2.0.7

Description

Create, update, or delete a Hyperledger Fabric certificate authority.

This module works with the IBM Support for Hyperledger Fabric software or the Hyperledger Fabric Open Source Stack running in a Red Hat OpenShift or Kubernetes cluster.

Usage examples

- name: Create certificate authority
  hyperledger.fabric_ansible_collection.certificate_authority:
      state: present
      api_endpoint: https://console.example.org:32000
      api_authtype: basic
      api_key: xxxxxxxx
      api_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      name: Org1 CA
      config_override:
          ca:
              registry:
                  maxenrollments: -1
                  identities:
                      - name: admin
                        pass: adminpw
                        type: client
                        maxenrollments: -1
                        attrs:
                            hf.Registrar.Roles: "*"
                            hf.Registrar.DelegateRoles: "*"
                            hf.Revoker: true
                            hf.IntermediateCA: true
                            hf.GenCRL: true
                            hf.Registrar.Attributes: "*"
                            hf.AffiliationMgr: true
- name: Create certificate authority with custom resources and storage
  hyperledger.fabric_ansible_collection.certificate_authority:
      state: present
      api_endpoint: https://console.example.org:32000
      api_authtype: basic
      api_key: xxxxxxxx
      api_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      name: Org1 CA
      config_override:
          ca:
              registry:
                  maxenrollments: -1
                  identities:
                      - name: admin
                        pass: adminpw
                        type: client
                        maxenrollments: -1
                        attrs:
                            hf.Registrar.Roles: "*"
                            hf.Registrar.DelegateRoles: "*"
                            hf.Revoker: true
                            hf.IntermediateCA: true
                            hf.GenCRL: true
                            hf.Registrar.Attributes: "*"
                            hf.AffiliationMgr: true
          resources:
              ca:
                  requests:
                      cpu: 200m
                      memory: 400M
          storage:
              ca:
                  size: 40Gi
                  class: ibmc-file-gold
- name: Create certificate authority that uses an HSM
  hyperledger.fabric_ansible_collection.certificate_authority:
      state: present
      api_endpoint: https://console.example.org:32000
      api_authtype: basic
      api_key: xxxxxxxx
      api_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      name: Org1 CA
      config_override:
          ca:
              registry:
                  maxenrollments: -1
                  identities:
                      - name: admin
                        pass: adminpw
                        type: client
                        maxenrollments: -1
                        attrs:
                            hf.Registrar.Roles: "*"
                            hf.Registrar.DelegateRoles: "*"
                            hf.Revoker: true
                            hf.IntermediateCA: true
                            hf.GenCRL: true
                            hf.Registrar.Attributes: "*"
                            hf.AffiliationMgr: true
      hsm:
          pkcs11endpoint: tcp://pkcs11-proxy.example.org:2345
          label: Org1 CA label
          pin: 12345678
- name: Destroy certificate authority
  hyperledger.fabric_ansible_collection.certificate_authority:
      state: absent
      api_endpoint: https://console.example.org:32000
      api_authtype: basic
      api_key: xxxxxxxx
      api_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      name: Org1 CA

Inputs

    
hsm:
    description:
    - 'The PKCS #11 compliant HSM configuration to use for the certificate authority.'
    suboptions:
      label:
        description:
        - The HSM label that the certificate authority should use.
        type: str
      pin:
        description:
        - The HSM pin that the certificate authority should use.
        type: str
      pkcs11endpoint:
        description:
        - The HSM proxy endpoint that the certificate authority should use.
        type: str
    type: dict

name:
    description:
    - The name of the certificate authority.
    required: true
    type: str

zone:
    description:
    - The Kubernetes zone for this certificate authority.
    - If you do not specify a Kubernetes zone, and multiple Kubernetes zones are available,
      then a random Kubernetes zone will be selected for you.
    - 'See the Kubernetes documentation for more information: https://kubernetes.io/docs/setup/best-practices/multiple-zones/'
    type: str

state:
    choices:
    - absent
    - present
    default: present
    description:
    - C(absent) - A certificate authority matching the specified name will be stopped
      and removed.
    - C(present) - Asserts that a certificate authority matching the specified name and
      configuration exists. If no certificate authority matches the specified name, a
      certificate authority will be created. If a certificate authority matches the specified
      name but the configuration does not match, then the certificate authority will be
      updated, if it can be. If it cannot be updated, it will be removed and re-created
      with the specified configuration.
    type: str

api_key:
    description:
    - The API key for the Fabric operations console.
    required: true
    type: str

storage:
    description:
    - The Kubernetes storage configuration for the certificate authority.
    suboptions:
      ca:
        description:
        - The Kubernetes storage configuration for the certificate authority container.
        suboptions:
          class:
            description:
            - The Kubernetes storage class for the Kubernetes persistent volume claim
              for the certificate authority container.
            - By default, the Kubernetes storage class for the Fabric operations console
              is used.
            type: str
          size:
            default: 20Gi
            description:
            - The size of the Kubernetes persistent volume claim for the certificate authority
              container.
            type: str
        type: dict
    type: dict

version:
    description:
    - The version of Hyperledger Fabric to use for this certificate authority.
    - If you do not specify a version, the default Hyperledger Fabric version will be
      used for a new certificate authority.
    - If you do not specify a version, an existing certificate authority will not be upgraded.
    - If you specify a new version, an existing certificate authority will be automatically
      upgraded.
    - The version can also be specified as a version range specification, for example
      C(>=2.2,<3.0), which will match Hyperledger Fabric v2.2 and greater, but not Hyperledger
      Fabric v3.0 and greater.
    - 'See the C(semantic_version) Python module documentation for more information: https://python-semanticversion.readthedocs.io/en/latest/reference.html#semantic_version.SimpleSpec'
    type: str

replicas:
    description:
    - The number of replicas that the Kubernetes deployment should have for this certificate
      authority.
    - If you want to use more than one replica, you must also use PostgreSQL as the database
      for this certificate authority.
    type: int

resources:
    description:
    - The Kubernetes resource configuration for the certificate authority.
    suboptions:
      ca:
        description:
        - The Kubernetes resource configuration for the certificate authority container.
        suboptions:
          requests:
            description:
            - The Kubernetes resource requests for the certificate authority container.
            suboptions:
              cpu:
                default: 100m
                description:
                - The Kubernetes CPU resource request for the certificate authority container.
                type: str
              memory:
                default: 200M
                description:
                - The Kubernetes memory resource request for the certificate authority
                  container.
                type: str
            type: str
        type: dict
    type: dict

api_secret:
    description:
    - The API secret for the Fabric operations console.
    - Only required when I(api_authtype) is C(basic).
    type: str

api_timeout:
    default: 60
    description:
    - The timeout, in seconds, to use when interacting with the Fabric operations console.
    type: int

api_authtype:
    description:
    - C(basic) - Authenticate to the Fabric operations console using basic authentication.
      You must provide both a valid API key using I(api_key) and API secret using I(api_secret).
    required: true
    type: str

api_endpoint:
    description:
    - The URL for the Fabric operations console.
    required: true
    type: str

wait_timeout:
    default: 60
    description:
    - The timeout, in seconds, to wait until the certificate authority is available.
    type: int

config_override:
    description:
    - The configuration overrides for the root certificate authority and the TLS certificate
      authority.
    - If configuration overrides are provided for the root certificate authority, but
      not the TLS certificate authority, then the configuration overrides for the root
      certificate authority will be copied for the TLS certificate authority.
    suboptions:
      ca:
        description:
        - The configuration overrides for the root certificate authority.
        - 'See the Hyperledger Fabric documentation for available options: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/serverconfig.html'
        type: dict
      tlsca:
        description:
        - The configuration overrides for the TLS certificate authority.
        - 'See the Hyperledger Fabric documentation for available options: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/serverconfig.html'
        type: dict
    type: dict

Outputs

certificate_authority:
  contains:
    api_url:
      description:
      - The URL for the API of the certificate authority.
      sample: https://org1ca-api.example.org:32000
      type: str
    ca_name:
      description:
      - The certificate authority name to use for enrollment requests.
      sample: ca
      type: str
    ca_url:
      description:
      - The URL for the API of the certificate authority.
      sample: https://org1ca-api.example.org:32000
      type: str
    location:
      description:
      - The location of the certificate authority.
      sample: ibmcloud
      type: str
    name:
      description:
      - The name of the certificate authority.
      sample: Org1 CA
      type: str
    operations_url:
      description:
      - The URL for the operations service of the certificate authority.
      sample: https://org1ca-operations.example.org:32000
      type: str
    pem:
      description:
      - The TLS certificate chain for the certificate authority.
      - The TLS certificate chain is returned as a base64 encoded PEM.
      sample: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t...
      type: str
    tls_cert:
      description:
      - The TLS certificate chain for the certificate authority.
      - The TLS certificate chain is returned as a base64 encoded PEM.
      sample: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t...
      type: str
    tlsca_name:
      description:
      - The certificate authority name to use for TLS enrollment requests.
      sample: tlsca
      type: str
  description:
  - The certificate authority.
  returned: when I(state) is C(present)
  type: dict