Falcon: The Hyperledger Fabric Deployment Helper for Kubernetes is an open-source project designed to streamline the deployment and management of Hyperledger Fabric-based blockchain networks on K8s.
v1.1.0 Release note including new features and changes to the existing values/configurations.
Updates/Changes on existing charts
Common changes that affect all charts.
Changed default ImagepullPolicy from Always to IfNotPresent on all charts.
Added additionalLabels to every chart so that more labels can be included. For orderers and peers the value can be set per orderer/peer or globally (.Values.global.additionalLabels); for the rest of the charts it is .Values.additionalLabels.
Removed the unnecessary peer identity enrollment from most of the channel/chaincode related fabric-ops jobs, which improved the overall job execution time. (Reduced to 50% of the previous execution time)
All charts now include a Readme with the complete list of parameters.
Chart : fabric-ops
Separated all fabric-ops jobs and configmaps to different template files for easy management.
Filestore file upload and download are now separate functions in the common script.
Fixed a bug in the filestore upload: it reported a successful upload even when the upload had failed.
Restructured the common functions such as enrollment function to support msp/tls enrollments.
Removed the dependency on identity_type to decide whether tls/msp enrollment is needed.
From now on, you don't need to add a step to download the CA server public key explicitly using the fabric_public_key_fetch function if you're using the common enrollment function. When you call the common enroll function by passing 10 parameters, it will handle the public key fetch itself.
All the above common functions are now in fabric_enroll.sh, which is included by default when rendering this chart. All jobs can source this file and start using it, so no separate enrollment script is needed, as it supports most of the use cases.
Job: approve-chaincode
Removed job_type: chaincode_ops; only setting .Values.fabric_actions.approve_chaincode to true is required.
Modified .Values.ca.tlss_ca_endpoint to .Values.tlsca_endpoint
Modified .Values.ca.ca_endpoint to .Values.ica_endpoint
Modified .Values.identities to .Values.admin_identity and removed identity_type field. Also added additional fields require_msp_enrollment & require_tls_enrollment. Only the Org admin credentials are required to perform chaincode approval operations.
New required parameter: .Values.core_peer_address
Job: channel-create
Removed job_type: chaincode_ops; only setting .Values.fabric_actions.create_channel to true is required.
Modified .Values.ca.tlss_ca_endpoint to .Values.tlsca_endpoint
Modified .Values.ca.ca_endpoint to .Values.ica_endpoint
Modified .Values.identities to .Values.admin_identity and removed identity_type field. Also added additional fields require_msp_enrollment & require_tls_enrollment. Only the Org admin credentials are required to perform the channel creation operation.
Job: commit-chaincode
Removed job_type: chaincode_ops; only setting .Values.fabric_actions.commit_chaincode to true is required.
Modified .Values.ca.tlss_ca_endpoint to .Values.tlsca_endpoint
Modified .Values.ca.ca_endpoint to .Values.ica_endpoint
Modified .Values.identities to .Values.admin_identity and removed identity_type field. Also added additional fields require_msp_enrollment & require_tls_enrollment. Only the Org admin credentials are required to perform the chaincode commit operation.
New required parameter: .Values.core_peer_address
Job: configure-org-channel
Removed job_type: chaincode_ops; only setting .Values.fabric_actions.configure_org_channel to true is required.
Modified .Values.ca.tlss_ca_endpoint to .Values.tlsca_endpoint
Modified .Values.ca.ca_endpoint to .Values.ica_endpoint
Modified .Values.identities to .Values.admin_identity and removed identity_type field. Also added additional fields require_msp_enrollment & require_tls_enrollment. Only the Org admin credentials are required to perform org addition operations.
The new Org's ica username/password is not required to add it to the channel. Only an admin user's credentials are required, not the ica user's.
New Org's msp_dir will be taken from the chart default. You don't have to specify it unless there is a reason.
Job: Identities
Removed job_type: chaincode_ops; only setting .Values.fabric_actions.identity to true is required.
Modified .Values.ca.tlss_ca_endpoint to .Values.tlsca_endpoint
Modified .Values.ca.ca_endpoint to .Values.ca_endpoint
Modified .Values.ca.admin_secret to .Values.ca_secret
Added hlf_domain to support common enrollment function.
Job: install-chaincode
Removed job_type: chaincode_ops; only setting .Values.fabric_actions.install_chaincode to true is required.
Modified .Values.ca.tlss_ca_endpoint to .Values.tlsca_endpoint
Modified .Values.ca.ca_endpoint to .Values.ica_endpoint
Modified .Values.identities to .Values.admin_identity and removed identity_type field. Also added additional fields require_msp_enrollment & require_tls_enrollment. Only the Org admin credentials are required to perform chaincode installation. No peer identities or enrollments are required.
Added .Values.peer_identities array for the target peers on which chaincode needs to be installed.
Added an optional .peer_endpoint field to the peer_identities array, so that chaincode can be installed remotely. By default it will be {{ .identity_name }}:{{ $.Values.peer_internal_service_port }}
Job: Update-anchor-peer
Removed job_type: chaincode_ops; only setting .Values.fabric_actions.update_anchor_peer to true is required.
Modified .Values.ca.tlss_ca_endpoint to .Values.tlsca_endpoint
Modified .Values.ca.ca_endpoint to .Values.ica_endpoint
Modified .Values.identities to .Values.admin_identity and removed identity_type field. Also added additional fields require_msp_enrollment & require_tls_enrollment. Only the Org admin credentials are required to perform anchor peer update.
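An added example, not part of the Falcon project: a small checker that scans a pre-v1.1.0 values file for the channel/chaincode jobs above (approve-chaincode, channel-create, commit-chaincode, configure-org-channel, install-chaincode, update-anchor-peer) and reports the renamed or removed keys listed in these notes. The sample values file, its hostnames and the minimal block-YAML key scanner are assumptions made for illustration.

```python
import re

# Key changes these release notes list for the channel/chaincode jobs.
RENAMED = {
    "ca.tlss_ca_endpoint": "tlsca_endpoint",
    "ca.ca_endpoint": "ica_endpoint",
    "identities": "admin_identity",
}
REMOVED = {"job_type", "identities.identity_type"}
NEEDS_CORE_PEER_ADDRESS = {"approve_chaincode", "commit_chaincode"}

# Optional "- " list marker, then "key:", then the rest of the line.
KEY = re.compile(r"^(\s*)((?:- )?)([A-Za-z_][\w-]*):\s*(.*)$")

def key_paths(text):
    """Return [(dotted_path, line_no, value)] for block-style YAML mappings only."""
    stack, found = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = KEY.match(line)
        if not m:
            continue
        indent = len(m.group(1)) + len(m.group(2))
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that this key is not nested in
        stack.append((indent, m.group(3)))
        found.append((".".join(k for _, k in stack), line_no, m.group(4).strip()))
    return found

def audit(text):
    """Return findings for a pre-v1.1.0 values file of one of these jobs."""
    paths = key_paths(text)
    present = {p for p, _, _ in paths}
    findings = []
    for path, line_no, value in paths:
        if path in RENAMED:
            findings.append(f"line {line_no}: .Values.{path} is now .Values.{RENAMED[path]}")
        elif path in REMOVED:
            findings.append(f"line {line_no}: {path} was removed in v1.1.0")
        elif (path.startswith("fabric_actions.") and value == "true"
              and path.split(".", 1)[1] in NEEDS_CORE_PEER_ADDRESS
              and "core_peer_address" not in present):
            findings.append(f"line {line_no}: {path} needs .Values.core_peer_address")
    return findings

# Constructed sample of an old-style approve-chaincode values file (hostnames are made up).
OLD_VALUES = """\
job_type: chaincode_ops
fabric_actions:
  approve_chaincode: true
ca:
  tlss_ca_endpoint: tls-ca.example.internal:30000
  ca_endpoint: ica-org1.example.internal:30000
identities:
  - identity_name: admin
    identity_type: admin
"""

if __name__ == "__main__":
    print("\n".join(audit(OLD_VALUES)))
```

The Identities and Cryptogen jobs and the orderer, peer and CA charts have their own key changes, so the RENAMED and REMOVED tables need adjusting before the checker is pointed at their values files.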
Job: Cryptogen
Removed job_type: chaincode_ops; only setting .Values.fabric_actions.cryptogen to true is required.
Orderer orgname can be completely managed from values. Previously it was hardcoded to OrdererMSP in the template.
No need to expose the Orderer Org or Initial peer Org ICA credentials. Instead, provide the credentials of any user that has admin privileges.
The initial network organization array has been simplified and many repetitive items have been eliminated, so it is cleaner and more readable than the previous version. Previously the orderer organization and peer org name were mentioned twice in the values file. Now with a single .Values.organizations array, you can specify the Orderer org, its identities & Peer org and its anchor peer list. All you need to do is mark org_type as "orderer" for the orderer organization and org_type as "peerorg" for the initial peer org.
Removed .Values.orderer_org_name & .Values.peer_org_name since this is now handled in .Values.organizations array.
Removed .Values.anchorPeers since this can be handled under .Values.organizations array.
Removed .Values.orderer_port since it is not used anywhere.
Removed .Values.orderer_identities since this can be handled under .Values.organizations array.
Modified .Values.tls.ca_endpoint to .Values.tlsca_endpoint and .Values.tls.cert_path will be handled by default values.
Chart : fabric-orderer
Modified .Values.global.enroll_on_every_pod_recreation to .Values.global.require_certs_dir_persistence which is more readable. This can be set per orderer or globally.
Changed .Values.block_file to .Values.global.block_file. This can be overridden using .block_file per orderer when deploying new orderers with different genesis blockfile.
Added .tls_cert_archive field per orderer in case the orderer needs to use a non-default tls_cert_archive file from the filestore. Default is <orderer-identity>-tls-certs.tar.gz in the filestore.
Added .renew_orderer_certs for re-generating certs. This will delete the existing certs and do new enrollment on pod startup.
Added .use_existing_pvc_data. This option allows you to use an existing pvc for your orderer. It only handles the kubernetes part of mounting an existing pvc to the falcon managed orderer; it is your responsibility to make sure that the data inside the existing pvc matches the new orderer in terms of all other configurations.
Ingress resource is now optional; you can turn it off using ingressEnabled true/false globally or per orderer.
Modified .Values.ca.ica_endpoint to .Values.global.ica_endpoint
Modified .Values.ca.tlsca_endpoint to .Values.global.tlsca_endpoint
Removed env variable ORDERER_GENERAL_LOCALMSPID from values file and added new parameter .Values.MspIdOverride if you want to override the default value, which is .Values.nameOverride. This env is now part of deployment template.
Removed env variable ORDERER_GENERAL_GENESISFILE from values file since this value needs to be customised per orderer using (.block_file). This env is now part of deployment template.
Added new field .additionalEnvironmentVars for individual orderers, if required, to add custom env variables unique to an orderer.
livenessprobe, readinessprobes & startupprobes can now be handled per orderer or left to the chart defaults from .Values.livenessprobe, .Values.readinessprobes & .Values.startupprobes.
affinities, tolerations, nodeselectors & resources can also be handled per orderer or globally using .Values.global.affinities etc.
To disable default livenessprobe, use .disableDefaultLivenessProbe per orderer or under .Values.global.disableDefaultLivenessProbe. Similarly, use disableDefaultStartupProbe, disableDefaultReadinessProbe, disableGlobalTolerations, disableGlobalAffinity & disableGlobalNodeSelector to disable them.
Chart : fabric-peer
Modified .Values.enroll_on_every_pod_recreation to .Values.global.require_certs_dir_persistence. This can be specified under global or per peer.
Added .renew_peer_certs for re-generating certs. This will delete the existing certs and do new enrollment. This has to be specified per peer.
Added new field .additionalEnvironmentVars for individual peers, if required, to add custom env variables unique to a peer. This can be specified per peer or globally.
Ingress resource is now optional; you can turn it off using ingressEnabled true/false globally or per peer.
Modified .Values.ica_tls_cert_file to .Values.ica_tls_certfile
Modified .Values.tlsca_tls_cert_file to .Values.tlsca_tls_certfile
Moved health check probes from .Values.global to .Values. since they are chart specific defaults, so that the custom values file looks cleaner & shorter. They can still be disabled from the values file.
Chart : fabric-ca
Now supports additional domain names in the csr. Use .Values.ca_server.additional_sans to provide a list of additional tls domains if required.
Added PVC support to store intermediate-ca-cert when running in ICA mode, so that the pod does not have to fetch the parent ca certificate on every pod restart.
Added an option to delete the intermediate certificate and fetch a new public key cert of the parent server if required. Set .Values.recreate_intermediate_cert to true to do that; the default value is false.
New Feature addition
Chart : fabric-ops
Orderer addition
Orderer addition in a running fabric network is now supported.
Renew orderer TLS cert