Closed Kelvin-M closed 3 years ago
@Kelvin-M I'm wondering if this doesn't introduce a security breach, as using a wildcard could lead to trusting a certificate from whatever could match the wildcard?
Does this aim to be only for development or also for production?
@inalgnu I'm currently using this in production. IMO it's not a security breach, as .namespace or .cluster.local for example will always resolve locally to the cluster in a Kubernetes context. Also, if you are the owner of a domain, I don't see why you shouldn't use a wildcard on this domain. Also, those are only examples, so by itself it's not really an issue.
If you want to read more about that you can look at https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/deployguide/cadeploy.html#enroll-bootstrap-user-with-tls-ca. It describes how to use a wildcard in this context.
Description
If a user adds a new chaincode after deployment, they may run into issues because crshost for the certificate is defined at deployment. Use a wildcard in the examples to show that we can generate a certificate for a domain.
Closes issue(s)
None
Companion PRs
None
How to test / repro
Launch one of the examples.
Screenshots / Trace
Changes include
Checklist
Other comments
None
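Added example, not part of the PR or the project's code: a check of which hostnames a certificate's DNS SAN entries cover, relevant both to the "new chaincode after deployment" problem in the description and to the wildcard-scope question raised in review. It assumes the single-label wildcard rule of RFC 6125, which Go's crypto/x509 also applies; all hostnames are constructed for illustration.

```python
# Added example: single-label wildcard matching for certificate DNS SANs.
# Every hostname below is constructed; none comes from the PR.

def san_matches(pattern: str, host: str) -> bool:
    """Return True if a DNS SAN pattern covers host.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label (RFC 6125 rule, assumed here).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False              # wildcard outside the left-most label
    if p[0] == "*":
        return p[1:] == h[1:]     # '*' replaces exactly one label
    if "*" in p[0]:
        return False              # partial wildcard such as 'cc*'
    return p == h


def coverage(sans, hosts):
    """Map each host to the SAN entries that cover it (empty list = rejected)."""
    return {host: [s for s in sans if san_matches(s, host)] for host in hosts}


# Constructed service names in a Kubernetes-style layout.
HOSTS = [
    "peer0.fabric.svc.cluster.local",
    "chaincode-new.fabric.svc.cluster.local",   # added after deployment
    "chaincode-new.other.svc.cluster.local",    # same name, other namespace
]
FIXED = ["peer0.fabric.svc.cluster.local"]      # hosts pinned at deployment
WILDCARD_NS = ["*.fabric.svc.cluster.local"]    # one namespace
WILDCARD_BROAD = ["*.cluster.local"]            # covers only x.cluster.local

if __name__ == "__main__":
    for name, sans in [("fixed", FIXED), ("namespace wildcard", WILDCARD_NS),
                       ("broad wildcard", WILDCARD_BROAD)]:
        print(name)
        for host, hits in coverage(sans, HOSTS).items():
            print(f"  {host}: {'covered by ' + hits[0] if hits else 'NOT covered'}")
```

Scoping the wildcard to one namespace covers later additions in that namespace only, while `*.cluster.local` covers none of the multi-label service names.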