From 95c7532cc199c749e4ec359934aaa61bf08f3d82 Mon Sep 17 00:00:00 2001 From: Tatsuya Sato Date: Thu, 28 Sep 2023 03:31:02 +0000 Subject: [PATCH 1/3] Bump versions of software used in CI tests to latest This patch updates the versions of software used in CI tests to the latest: - Fabric - GO - KIND, kubectl Signed-off-by: Tatsuya Sato --- .github/actions/fsat-setup/action.yaml | 4 ++-- .github/actions/test-network-setup/action.yaml | 6 +++--- .github/workflows/lint.yaml | 2 +- full-stack-asset-transfer-guide/check.sh | 4 ++-- .../infrastructure/kind_with_nginx.sh | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/actions/fsat-setup/action.yaml b/.github/actions/fsat-setup/action.yaml index 4adb50b830..8b0ff661b5 100644 --- a/.github/actions/fsat-setup/action.yaml +++ b/.github/actions/fsat-setup/action.yaml @@ -12,10 +12,10 @@ inputs: default: v0.25.3 fabric-version: description: Version of Hyperledger Fabric - default: '2.5.1' + default: '2.5.4' ca-version: description: Version of Hyperledger Fabric CA - default: '1.5.6' + default: '1.5.7' runs: using: "composite" diff --git a/.github/actions/test-network-setup/action.yaml b/.github/actions/test-network-setup/action.yaml index eb4eb392b3..af339aae59 100644 --- a/.github/actions/test-network-setup/action.yaml +++ b/.github/actions/test-network-setup/action.yaml @@ -3,7 +3,7 @@ description: Set up the Test Network Runtime inputs: go-version: description: Version of go - default: 1.19.6 + default: 1.20.7 node-version: description: Version of node default: 18.x @@ -12,10 +12,10 @@ inputs: default: 11.x fabric-version: description: Version of Hyperledger Fabric - default: 2.5.1 + default: 2.5.4 ca-version: description: Version of Hyperledger Fabric CA - default: 1.5.6 + default: 1.5.7 runs: using: "composite" diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 73795616b1..c31f3e8cc6 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
@@ -16,7 +16,7 @@ concurrency: cancel-in-progress: true env: - GO_VER: 1.19.6 + GO_VER: 1.20.7 NODE_VER: 18.x JAVA_VER: 11.x diff --git a/full-stack-asset-transfer-guide/check.sh b/full-stack-asset-transfer-guide/check.sh index 459843f44e..c3ec464102 100755 --- a/full-stack-asset-transfer-guide/check.sh +++ b/full-stack-asset-transfer-guide/check.sh @@ -12,7 +12,7 @@ else echo -e "${SUCCESS} Docker found:\t$(cat /tmp/cmdpath)" fi -KUBECTL_VERSION=v1.24.4 # $(curl -L -s https://dl.k8s.io/release/stable.txt) +KUBECTL_VERSION=v1.28.2 # $(curl -L -s https://dl.k8s.io/release/stable.txt) if ! command -v kubectl &> /tmp/cmdpath then echo "${WARN} Please install kubectl if you want to use k8s; suggested install commands:" @@ -46,7 +46,7 @@ else fi # Install kind -KIND_VERSION=0.14.0 +KIND_VERSION=0.20.0 if ! command -v kind &> /tmp/cmdpath then echo "${WARN} Please install kind; suggested install commands:" diff --git a/full-stack-asset-transfer-guide/infrastructure/kind_with_nginx.sh b/full-stack-asset-transfer-guide/infrastructure/kind_with_nginx.sh index 82bba90014..39ac1a58a2 100755 --- a/full-stack-asset-transfer-guide/infrastructure/kind_with_nginx.sh +++ b/full-stack-asset-transfer-guide/infrastructure/kind_with_nginx.sh @@ -21,7 +21,7 @@ set -eo pipefail set -x KIND_CLUSTER_NAME=kind -KIND_CLUSTER_IMAGE=${KIND_CLUSTER_IMAGE:-kindest/node:v1.24.4} # Important! k8s v1.25.0 brings breaking changes. +KIND_CLUSTER_IMAGE=${KIND_CLUSTER_IMAGE:-kindest/node:v1.28.0} # Important! k8s v1.25.0 brings breaking changes. KIND_API_SERVER_ADDRESS=${KIND_API_SERVER_ADDRESS:-127.0.0.1} KIND_API_SERVER_PORT=${KIND_API_SERVER_PORT:-8888} CONTAINER_REGISTRY_NAME=${CONTAINER_REGISTRY_NAME:-kind-registry} From 83302d9e1a68bae709161567db8177b2bbe2d172 Mon Sep 17 00:00:00 2001 
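Review bot: The trailing comment on the changed `KIND_CLUSTER_IMAGE` line in `kind_with_nginx.sh` still reads `Important! k8s v1.25.0 brings breaking changes.`, which now warns against the default this hunk sets (`kindest/node:v1.28.0`). It should state the current constraint instead, for example `# k8s >= v1.25 removed PodSecurityPolicy; the sample network uses Pod Security Admission labels`, assuming that is the breaking change meant, as patch 2/3 suggests. The default is also referenced by tag only, so the node image that runs is whatever the registry serves for that tag. Appending the digest published for the kind release in use, `kindest/node:v1.28.0@sha256:<digest-for-this-kind-release>`, would fix the image content.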
From: Tatsuya Sato Date: Thu, 28 Sep 2023 11:27:07 +0000 Subject: [PATCH 2/3] FSAT: Update fabric-operator for compatibility with v1.25.x This patch updates fabric-operator to utilize PodSecurity Admission controller for Kubernetes v1.25.x. This change is based on the following PR: https://github.com/hyperledger-labs/fabric-operator/pull/82 Signed-off-by: Tatsuya Sato --- .../rbac/fabric-operator-clusterrole.yaml | 8 ---- .../config/rbac/fabric-operator-psp.yaml | 48 ------------------- .../config/rbac/kustomization.yaml | 1 - .../sample-network/scripts/sample_network.sh | 3 ++ 4 files changed, 3 insertions(+), 57 deletions(-) delete mode 100644 full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-psp.yaml diff --git a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-clusterrole.yaml b/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-clusterrole.yaml index 3a775e7617..4c0619998b 100644 --- a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-clusterrole.yaml +++ b/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-clusterrole.yaml @@ -27,14 +27,6 @@ metadata: app.kubernetes.io/instance: "ibm-hlfsupport" app.kubernetes.io/managed-by: "ibm-hlfsupport-operator" rules: - - apiGroups: - - extensions - resourceNames: - - ibm-hlfsupport-psp - resources: - - podsecuritypolicies - verbs: - - use - apiGroups: - apiextensions.k8s.io resources: diff --git a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-psp.yaml b/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-psp.yaml deleted file mode 100644 index dcd53c72ee..0000000000 --- a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-psp.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -# -# Copyright contributors to the Hyperledger Fabric Operator project -# -# SPDX-License-Identifier: Apache-2.0 -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: ibm-hlfsupport-psp -spec: - hostIPC: false - hostNetwork: false - hostPID: false - privileged: true - allowPrivilegeEscalation: true - readOnlyRootFilesystem: false - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - runAsUser: - rule: RunAsAny - fsGroup: - rule: RunAsAny - requiredDropCapabilities: - - ALL - allowedCapabilities: - - NET_BIND_SERVICE - - CHOWN - - DAC_OVERRIDE - - SETGID - - SETUID - - FOWNER - volumes: - - '*' diff --git a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/kustomization.yaml b/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/kustomization.yaml index a6930c5dc5..bdb0039e94 100644 --- a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/kustomization.yaml +++ b/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/kustomization.yaml @@ -19,7 +19,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - fabric-operator-psp.yaml - fabric-operator-serviceaccount.yaml - fabric-operator-clusterrole.yaml - fabric-operator-clusterrolebinding.yaml 
diff --git a/full-stack-asset-transfer-guide/infrastructure/sample-network/scripts/sample_network.sh b/full-stack-asset-transfer-guide/infrastructure/sample-network/scripts/sample_network.sh index 8a56e89240..8fd8d636b7 100644 --- a/full-stack-asset-transfer-guide/infrastructure/sample-network/scripts/sample_network.sh +++ b/full-stack-asset-transfer-guide/infrastructure/sample-network/scripts/sample_network.sh @@ -60,6 +60,9 @@ metadata: name: ${NS} EOF + # https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/ + kubectl label --overwrite namespace $NS pod-security.kubernetes.io/enforce=baseline + pop_fn } From d06bf9a96254d8b4a6b32ce554945f80a8779086 Mon Sep 17 00:00:00 2001 From: Tatsuya Sato Date: Thu, 28 Sep 2023 13:11:58 +0000 Subject: [PATCH 3/3] FSAT: Update ansible playbooks for compatibility with K8s v1.25.x The originally used image of Hyperledger Fabric Ansible Collection was not compatible with K8s v1.25.x. This patch replaces the image with the latest hyperledger-labs/fabric-ansible-collection. Additionally, deprecated notations in the latest Kustomize, patchesJson and patchesStrategicMerge, have been replaced with the recommended syntax to prevent ansible task execution failures. Signed-off-by: Tatsuya Sato --- .../templates/ingress/kustomization.yaml | 25 +++++++++---------- .../01-operator-install.yml | 2 +- .../02-console-install.yml | 2 +- full-stack-asset-transfer-guide/justfile | 18 ++++++------- 4 files changed, 23 insertions(+), 24 deletions(-) diff --git a/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/templates/ingress/kustomization.yaml b/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/templates/ingress/kustomization.yaml index 6d57058b52..e1392885b4 100644 --- a/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/templates/ingress/kustomization.yaml +++ b/full-stack-asset-transfer-guide/infrastructure/kind_console_ingress/templates/ingress/kustomization.yaml 
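Review bot: The added `kubectl label` call sets only `pod-security.kubernetes.io/enforce=baseline` with no `enforce-version`, so the profile applied to the namespace follows the cluster's latest definition and can tighten silently on a cluster upgrade. Consider also setting `pod-security.kubernetes.io/enforce-version=v1.28` (matching the kind node image this series defaults to) and `pod-security.kubernetes.io/warn=restricted`, so workloads that would fail the stricter profile are surfaced early. `$NS` is unquoted on this line; `"$NS"` avoids word splitting if the variable is ever empty or malformed. The deleted PodSecurityPolicy allowed `privileged: true`, which the baseline profile rejects, so any operator-managed pod that relied on it will now be refused admission; it would help to record in the commit description that this was checked. The enclosing function starts outside the hunk.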
@@ -19,19 +19,18 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - https://github.com/kubernetes/ingress-nginx.git/deploy/static/provider/cloud?ref=controller-v1.1.2 +- https://github.com/kubernetes/ingress-nginx.git/deploy/static/provider/cloud?ref=controller-v1.1.2 -patchesStrategicMerge: - - ingress-nginx-controller.yaml # Remove the port `appProtocol` attribute as this is not accepted by all cloud providers -patchesJson6902: - - target: - kind: Service - name: ingress-nginx-controller - version: v1 - patch: |- - - op: remove - path: "/spec/ports/0/appProtocol" - - op: remove - path: "/spec/ports/1/appProtocol" +patches: +- patch: |- + - op: remove + path: "/spec/ports/0/appProtocol" + - op: remove + path: "/spec/ports/1/appProtocol" + target: + kind: Service + name: ingress-nginx-controller + version: v1 +- path: ingress-nginx-controller.yaml diff --git a/full-stack-asset-transfer-guide/infrastructure/operator_console_playbooks/01-operator-install.yml b/full-stack-asset-transfer-guide/infrastructure/operator_console_playbooks/01-operator-install.yml index 256f98b99a..daba33ced2 100644 --- a/full-stack-asset-transfer-guide/infrastructure/operator_console_playbooks/01-operator-install.yml +++ b/full-stack-asset-transfer-guide/infrastructure/operator_console_playbooks/01-operator-install.yml @@ -10,4 +10,4 @@ state: present wait_timeout: 3600 roles: - - ibm.blockchain_platform.fabric_operator_crds + - hyperledger.fabric_ansible_collection.fabric_operator_crds diff --git a/full-stack-asset-transfer-guide/infrastructure/operator_console_playbooks/02-console-install.yml b/full-stack-asset-transfer-guide/infrastructure/operator_console_playbooks/02-console-install.yml index 13718bc2df..936621ffd6 100644 --- a/full-stack-asset-transfer-guide/infrastructure/operator_console_playbooks/02-console-install.yml +++ b/full-stack-asset-transfer-guide/infrastructure/operator_console_playbooks/02-console-install.yml 
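Review bot: The remote base under `resources:` in the ingress `kustomization.yaml` is still fetched by tag (`?ref=controller-v1.1.2`) at build time, and a tag can be moved upstream, so this repository does not fix what gets applied to the cluster. Pinning the ref to the full commit behind that tag, `?ref=<commit-sha-of-controller-v1.1.2>`, makes the build reproducible and reviewable. The series also raises the default node image to Kubernetes v1.28.0 while leaving the ingress controller at v1.1.2, which predates that release, so the combination should be confirmed as supported. In the new `patches:` list the JSON patch runs before `- path: ingress-nginx-controller.yaml`; if that file touches the Service ports, the order may change the result, so it is worth checking the rendered output.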
@@ -10,4 +10,4 @@ state: present wait_timeout: 3600 roles: - - ibm.blockchain_platform.fabric_console + - hyperledger.fabric_ansible_collection.fabric_console diff --git a/full-stack-asset-transfer-guide/justfile b/full-stack-asset-transfer-guide/justfile index 6502b4c31b..782ee58d37 100644 --- a/full-stack-asset-transfer-guide/justfile +++ b/full-stack-asset-transfer-guide/justfile @@ -284,7 +284,7 @@ cloud-frontend: # ANSIBLE PLAYBOOK TARGETS # ############################################################################### -ansible_image := env_var_or_default("ANSIBLE_IMAGE", "ghcr.io/ibm-blockchain/ofs-ansibe:sha-ac6fd82") +ansible_image := env_var_or_default("ANSIBLE_IMAGE", "ghcr.io/hyperledger-labs/fabric-ansible:latest") namespace := env_var_or_default("WORKSHOP_NAMESPACE", "fabricinfra") # just set up everything with Ansible @@ -339,7 +339,7 @@ ansible-ingress: docker run \ --rm \ - -v ${HOME}/.kube/:/home/ibp-user/.kube/ \ + -v ${HOME}/.kube/:/home/hlf-user/.kube/ \ -v ${CWDIR}/_cfg:/_cfg \ -v $(pwd)/infrastructure/kind_console_ingress:/playbooks \ --network=host ${EXTRAS} \ @@ -361,7 +361,7 @@ ansible-operator: docker run \ --rm \ - -v ${HOME}/.kube/:/home/ibp-user/.kube/ \ + -v ${HOME}/.kube/:/home/hlf-user/.kube/ \ -v ${CWDIR}/_cfg:/_cfg \ -v $(pwd)/infrastructure/operator_console_playbooks:/playbooks ${EXTRAS} \ --network=host \ @@ -380,7 +380,7 @@ ansible-console: docker run \ --rm \ - -v ${HOME}/.kube/:/home/ibp-user/.kube/ \ + -v ${HOME}/.kube/:/home/hlf-user/.kube/ \ -v $(pwd)/infrastructure/operator_console_playbooks:/playbooks ${EXTRAS} \ -v ${CWDIR}/_cfg:/_cfg \ --network=host \ @@ -418,7 +418,7 @@ ansible-network: ansible-auth docker run \ --rm \ -u $(id -u) \ - -v ${HOME}/.kube/:/home/ibp-user/.kube/ \ + -v ${HOME}/.kube/:/home/hlf-user/.kube/ \ -v ${CWDIR}/infrastructure/fabric_network_playbooks:/playbooks ${EXTRAS} \ -v ${CWDIR}/_cfg:/_cfg \ --network=host \ 
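Review bot: The new `ansible_image` default in the justfile replaces a commit-style tag (`sha-ac6fd82`) with `:latest`, and every Ansible recipe below runs that image with `${HOME}/.kube/` mounted and `--network=host`. Whatever is published under `latest` therefore receives the caller's kubeconfig credentials and host network access, and CI runs stop being reproducible. Prefer a digest or release tag as the default, e.g. `"ghcr.io/hyperledger-labs/fabric-ansible@sha256:<digest>"`, and let users opt in to `latest` through `ANSIBLE_IMAGE`.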
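Review bot: The mount target `/home/hlf-user/.kube/` is hard-coded to the new image's home directory in the `@@ -339` hunk and in the seven other `docker run` hunks of the justfile (`@@ -361`, `@@ -380`, `@@ -418`, `@@ -469`, `@@ -479`, `@@ -489`, `@@ -509`), while the image itself stays overridable through `ANSIBLE_IMAGE`. Overriding the image with one that runs as a different user (the previous default used `/home/ibp-user`) leaves the container without a kubeconfig and fails in a way that is hard to diagnose. A single justfile variable for the in-container home directory, used in all eight places, would keep the path and the image in step. If the playbooks only read the kubeconfig, appending `:ro` to the mount would also stop the container from modifying the host's `~/.kube`; this needs checking first, since client tooling may write a cache there.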
@@ -469,7 +469,7 @@ ansible-deploy-chaincode: docker run \ --rm \ -u $(id -u) \ - -v ${HOME}/.kube/:/home/ibp-user/.kube/ \ + -v ${HOME}/.kube/:/home/hlf-user/.kube/ \ -v ${CWDIR}/infrastructure/production_chaincode_playbooks:/playbooks ${EXTRAS} \ -v ${CWDIR}/_cfg:/_cfg \ --network=host \ @@ -479,7 +479,7 @@ ansible-deploy-chaincode: docker run \ --rm \ -u $(id -u) \ - -v ${HOME}/.kube/:/home/ibp-user/.kube/ \ + -v ${HOME}/.kube/:/home/hlf-user/.kube/ \ -v ${CWDIR}/infrastructure/production_chaincode_playbooks:/playbooks ${EXTRAS} \ -v ${CWDIR}/_cfg:/_cfg \ --network=host \ @@ -489,7 +489,7 @@ ansible-deploy-chaincode: docker run \ --rm \ -u $(id -u) \ - -v ${HOME}/.kube/:/home/ibp-user/.kube/ \ + -v ${HOME}/.kube/:/home/hlf-user/.kube/ \ -v ${CWDIR}/infrastructure/production_chaincode_playbooks:/playbooks ${EXTRAS} \ -v ${CWDIR}/_cfg:/_cfg \ --network=host \ @@ -509,7 +509,7 @@ ansible-ready-application: docker run \ --rm \ -u $(id -u) \ - -v ${HOME}/.kube/:/home/ibp-user/.kube/ \ + -v ${HOME}/.kube/:/home/hlf-user/.kube/ \ -v ${CWDIR}/infrastructure/production_chaincode_playbooks:/playbooks ${EXTRAS} \ -v ${CWDIR}/_cfg:/_cfg \ --network=host \