Hashicorp Vault Integration (#260)

* Start the implementation of Hashicorp Vault for bevel operator fabric

Signed-off-by: David VIEJO <[email protected]>

* Update in implementation vault

Signed-off-by: dviejokfs <[email protected]>

* CA controller integration with Hashicorp Vault

Signed-off-by: dviejokfs <[email protected]>

* Modify types for impl

Signed-off-by: dviejokfs <[email protected]>

* Progress on HLF vault

Signed-off-by: David VIEJO <[email protected]>

* Update

Signed-off-by: dviejokfs <[email protected]>

* Implement vault in identity_controller

Signed-off-by: dviejokfs <[email protected]>

* Update

Signed-off-by: David VIEJO <[email protected]>

* Update

Signed-off-by: dviejokfs <[email protected]>

* Fix go.mod/go.sum

Signed-off-by: dviejokfs <[email protected]>

* Update

Signed-off-by: dviejokfs <[email protected]>

* Update

Signed-off-by: David VIEJO <[email protected]>

* Update

Signed-off-by: David VIEJO <[email protected]>

* Fix tests

Signed-off-by: David VIEJO <[email protected]>

* Fix tests

Signed-off-by: David VIEJO <[email protected]>

* Fix tests

Signed-off-by: David VIEJO <[email protected]>

* Update

Signed-off-by: David VIEJO <[email protected]>

* Enhance Fabric CA configuration by making replicas field nullable and updating related logic

- Updated the Fabric CA CRD to allow the `replicas` field to be nullable, providing more flexibility in deployment configurations.
- Modified the peer controller to use `Caname` instead of `Enrollid` for naming enroll requests.
- Refactored the credential store handling in the crypto material creation function to use a switch statement for better clarity and maintainability.

These changes improve the usability and robustness of the Fabric CA deployment and its associated components.

Signed-off-by: David VIEJO <[email protected]>

* Fix tests

Signed-off-by: David VIEJO <[email protected]>

* Update dependencies and remove unused client examples

- Added `golang.org/x/oauth2` and `github.com/consensys/gnark-crypto` to `go.mod`.
- Removed unused Go and Node.js client example files, including `main.go`, `connection-org.yaml`, and related scripts.
- Cleaned up `go.mod` and `go.sum` by deleting unnecessary entries.

These changes streamline the project by updating dependencies and removing obsolete client implementations.

Signed-off-by: David VIEJO <[email protected]>

* Update dependencies in go.mod and go.sum

- Removed unused versions of `golang.org/x/oauth2` and `github.com/consensys/gnark-crypto`.
- Added indirect dependencies for `github.com/bits-and-blooms/bitset`, `github.com/consensys/bavard`, and updated `github.com/consensys/gnark-crypto` to v0.12.1.
- Updated `golang.org/x/oauth2` to v0.27.0.

These changes streamline the dependency management and ensure compatibility with the latest versions.

Signed-off-by: David VIEJO <[email protected]>

* Update

Signed-off-by: David VIEJO <[email protected]>

---------

Signed-off-by: David VIEJO <[email protected]>
Signed-off-by: dviejokfs <[email protected]>

Author: dviejokfs

.github/workflows/test-kubectl-plugin.yml

@@ -173,7 +173,7 @@ jobs:
           export CA_IMAGE=hyperledger/fabric-ca
           export CA_VERSION=1.5.13
 
-          kubectl hlf ca create --image=$CA_IMAGE --version=$CA_VERSION --storage-class=standard --capacity=2Gi --name=org1-ca \
+          kubectl hlf ca create  --credential-store=kubernetes --image=$CA_IMAGE --version=$CA_VERSION --storage-class=standard --capacity=2Gi --name=org1-ca \
               --enroll-id=enroll --hosts=org1-ca.localho.st --enroll-pw=enrollpw
           kubectl wait --timeout=240s --for=condition=Running fabriccas.hlf.kungfusoftware.es --all    
 
@@ -182,7 +182,7 @@ jobs:
           --enroll-id enroll --enroll-secret=enrollpw --mspid Org1MSP
 
 
-          kubectl hlf peer create --statedb=couchdb --image=$PEER_IMAGE --version=$PEER_VERSION \
+          kubectl hlf peer create  --credential-store=kubernetes --statedb=couchdb --image=$PEER_IMAGE --version=$PEER_VERSION \
                   --storage-class=standard --enroll-id=peer --mspid=Org1MSP \
                   --enroll-pw=peerpw --hosts=peer0-org1.localho.st --capacity=5Gi --name=org1-peer0 --ca-name=org1-ca.default
           kubectl wait --timeout=240s --for=condition=Running fabricpeers.hlf.kungfusoftware.es --all
@@ -194,14 +194,14 @@ jobs:
           export CA_IMAGE=hyperledger/fabric-ca
           export CA_VERSION=1.5.13
 
-          kubectl hlf ca create --image=$CA_IMAGE --version=$CA_VERSION --storage-class=standard --capacity=2Gi --name=ord-ca \
+          kubectl hlf ca create --credential-store=kubernetes --image=$CA_IMAGE --version=$CA_VERSION --storage-class=standard --capacity=2Gi --name=ord-ca \
               --enroll-id=enroll --enroll-pw=enrollpw --hosts=ord-ca.localho.st
 
           kubectl wait --timeout=240s --for=condition=Running fabriccas.hlf.kungfusoftware.es --all
           kubectl hlf ca register --name=ord-ca --user=orderer --secret=ordererpw \
               --type=orderer --enroll-id enroll --enroll-secret=enrollpw --mspid=OrdererMSP
 
-          kubectl hlf ordnode create --image=$ORDERER_IMAGE --version=$ORDERER_VERSION \
+          kubectl hlf ordnode create --credential-store=kubernetes --image=$ORDERER_IMAGE --version=$ORDERER_VERSION \
               --storage-class=standard --enroll-id=orderer --mspid=OrdererMSP --hosts=orderer0-ord.localho.st --admin-hosts=admin-orderer0-ord.localho.st \
               --enroll-pw=ordererpw --capacity=2Gi --name=ord-node1 --ca-name=ord-ca.default
           kubectl wait --timeout=240s --for=condition=Running fabricorderernodes.hlf.kungfusoftware.es --all

.github/workflows/test.yml

@@ -7,7 +7,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [ 1.23.1 ]
+        go-version: [ 1.23.5 ]
         os: [ ubuntu-latest ]
     runs-on: ${{ matrix.os }}
     steps:

README.md

@@ -222,13 +222,13 @@ EOF
 
 ```bash
 export PEER_IMAGE=hyperledger/fabric-peer
-export PEER_VERSION=3.0.0
+export PEER_VERSION=3.1.0
 
 export ORDERER_IMAGE=hyperledger/fabric-orderer
-export ORDERER_VERSION=3.0.0
+export ORDERER_VERSION=3.1.0
 
 export CA_IMAGE=hyperledger/fabric-ca
-export CA_VERSION=1.5.13
+export CA_VERSION=1.5.15
 ```
 
 ### Configure Internal DNS

config/crd/bases/hlf.kungfusoftware.es_fabriccas.yaml

@@ -647,13 +647,13 @@ spec:
                             attrs:
                               properties:
                                 hf.AffiliationMgr:
-                                  default: true
+                                  default: false
                                   type: boolean
                                 hf.GenCRL:
-                                  default: true
+                                  default: false
                                   type: boolean
                                 hf.IntermediateCA:
-                                  default: true
+                                  default: false
                                   type: boolean
                                 hf.Registrar.Attributes:
                                   default: '*'
@@ -665,7 +665,7 @@ spec:
                                   default: '*'
                                   type: string
                                 hf.Revoker:
-                                  default: true
+                                  default: false
                                   type: boolean
                               required:
                               - hf.AffiliationMgr
@@ -826,6 +826,12 @@ spec:
                 - enabled
                 - origins
                 type: object
+              credentialStore:
+                default: kubernetes
+                enum:
+                - kubernetes
+                - vault
+                type: string
               db:
                 properties:
                   datasource:
@@ -1050,6 +1056,7 @@ spec:
                 type: object
               replicas:
                 default: 1
+                nullable: true
                 type: integer
               resources:
                 properties:
@@ -1336,13 +1343,13 @@ spec:
                             attrs:
                               properties:
                                 hf.AffiliationMgr:
-                                  default: true
+                                  default: false
                                   type: boolean
                                 hf.GenCRL:
-                                  default: true
+                                  default: false
                                   type: boolean
                                 hf.IntermediateCA:
-                                  default: true
+                                  default: false
                                   type: boolean
                                 hf.Registrar.Attributes:
                                   default: '*'
@@ -1354,7 +1361,7 @@ spec:
                                   default: '*'
                                   type: string
                                 hf.Revoker:
-                                  default: true
+                                  default: false
                                   type: boolean
                               required:
                               - hf.AffiliationMgr
@@ -1546,6 +1553,120 @@ spec:
                 required:
                 - entryPoints
                 type: object
+              vault:
+                nullable: true
+                properties:
+                  request:
+                    properties:
+                      pki:
+                        type: string
+                      role:
+                        type: string
+                      ttl:
+                        default: 8760h
+                        type: string
+                      userIDs:
+                        default: []
+                        items:
+                          type: string
+                        nullable: true
+                        type: array
+                    required:
+                    - pki
+                    - role
+                    type: object
+                  vault:
+                    properties:
+                      authPath:
+                        default: kubernetes
+                        nullable: true
+                        type: string
+                      backend:
+                        default: kv
+                        type: string
+                      caCert:
+                        type: string
+                      clientCert:
+                        type: string
+                      clientKey:
+                        properties:
+                          key:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                        required:
+                        - key
+                        - name
+                        - namespace
+                        type: object
+                      kvVersion:
+                        default: 2
+                        type: integer
+                      maxRetries:
+                        default: 2
+                        type: integer
+                      path:
+                        nullable: true
+                        type: string
+                      role:
+                        nullable: true
+                        type: string
+                      secretIdSecretRef:
+                        nullable: true
+                        properties:
+                          key:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                        required:
+                        - key
+                        - name
+                        - namespace
+                        type: object
+                      serverCert:
+                        nullable: true
+                        type: string
+                      serverName:
+                        type: string
+                      serviceAccountTokenPath:
+                        nullable: true
+                        type: string
+                      timeout:
+                        default: 30s
+                        type: string
+                      tlsSkipVerify:
+                        default: false
+                        type: boolean
+                      tokenSecretRef:
+                        nullable: true
+                        properties:
+                          key:
+                            type: string
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                        required:
+                        - key
+                        - name
+                        - namespace
+                        type: object
+                      url:
+                        type: string
+                    required:
+                    - maxRetries
+                    - timeout
+                    - tlsSkipVerify
+                    - url
+                    type: object
+                required:
+                - request
+                - vault
+                type: object
               version:
                 minLength: 1
                 type: string
@@ -1558,7 +1679,6 @@ spec:
             - hosts
             - image
             - metrics
-            - replicas
             - resources
             - rootCA
             - service