hyperledger-labs / fabric-operator

Hyperledger Fabric Kubernetes Operator
Apache License 2.0

Hardcoded settings `Issuer` and `Subject` (pkix.Name) on `TLSCrypto` #75

Open bjwswang opened 2 years ago

bjwswang commented 2 years ago

When digging into the IBPCA reconcile logic, I found that TLSCrypto hardcodes Issuer and Subject to IBM. This means the tlsroot certificate can only have IBM-related settings.


    template := x509.Certificate{
        SerialNumber: serialNumber,
        Issuer: pkix.Name{
            Country:            []string{"US"},
            Province:           []string{"North Carolina"},
            Locality:           []string{"Durham"},
            Organization:       []string{"IBM"},
            OrganizationalUnit: []string{"Blockchain"},
            CommonName:         endpoints.API,
        },
        Subject: pkix.Name{
            Country:            []string{"US"},
            Province:           []string{"North Carolina"},
            Locality:           []string{"Durham"},
            Organization:       []string{"IBM"},
            OrganizationalUnit: []string{"Blockchain"},
            CommonName:         endpoints.API,
        },

        NotBefore: notBefore,
        NotAfter:  notAfter,
    }

https://github.com/hyperledger-labs/fabric-operator/blob/main/pkg/offering/base/ca/ca.go#L785

For people who use fabric-operator on their own products, this is not good.

bjwswang commented 2 years ago

CSRInfo in pkg/apis/ca/v1/ca.go.CAConfig.Names contains Crypto settings related to pkix.Name, but it is not working in genTLSCrypto. How about we switch this on?
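
An added example, not part of the issue thread or of the fabric-operator code base: one way to take the certificate's distinguished name from configuration instead of constants, as the last comment proposes. `CSRName`, `nonEmpty` and `selfSignedTLS` are hypothetical names, the Ed25519 key and the sample values are constructed, and the template leaves `Issuer` unset because Go's `x509.CreateCertificate` takes the issuer from the parent's `Subject`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CSRName is a hypothetical stand-in for one CSR names entry in the CA config.
type CSRName struct{ C, ST, L, O, OU string }

func nonEmpty(v string) []string { // keeps unset fields out of the distinguished name
	if v == "" {
		return nil
	}
	return []string{v}
}

// selfSignedTLS issues a self-signed certificate whose names come from configuration.
func selfSignedTLS(e CSRName, cn string) (*x509.Certificate, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial for the demo
		Subject: pkix.Name{Country: nonEmpty(e.C), Province: nonEmpty(e.ST), Locality: nonEmpty(e.L),
			Organization: nonEmpty(e.O), OrganizationalUnit: nonEmpty(e.OU), CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute),
		NotAfter:  time.Now().Add(24 * time.Hour),
	} // Issuer is left unset: CreateCertificate takes it from the parent's Subject
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSignedTLS(CSRName{C: "DE", O: "Example Org"}, "ca.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("subject:", cert.Subject, "| issuer:", cert.Issuer)
}
```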