fix: resolve CA client FD leak & enhance kubectl-hlf to generate declarative secretRefs #319
Open
Mau-MR wants to merge 6 commits into
Conversation
… leaks Signed-off-by: Mauricio E. Merida Rivera <mauricio@rubidex.ai>
…oning Signed-off-by: Mauricio E. Merida Rivera <mauricio@rubidex.ai>
… location After the project migrated from kfsoftware/hlf-helm-charts to hyperledger-bevel/bevel-operator-fabric, the release_charts.yml workflow was updated to publish charts under the new GitHub Pages URL. This commit updates the README installation instructions to reflect that change:
- Repo URL: kfsoftware.github.io/hlf-helm-charts → hyperledger-bevel.github.io/bevel-operator-fabric/
- Repo alias: kfs → bevel
- Fixed stray `--` in the helm install command that would cause a parse error

Signed-off-by: Mauricio E. Merida Rivera <mauricio@rubidex.ai>
This updates the plugin commands (peer create, ordnode create, identity create, and identity update) to configure the generated resources with a referencing the CA's secret instead of embedding a raw base64-encoded string. Benefits:
1. True declarative/GitOps-friendly deployments without needing to look up certs at templating/applying time.
2. Portability and native support for CA certificate rotations.

Signed-off-by: Mauricio E. Merida Rivera <mauricio@rubidex.ai>
Since version 1.14 of the operator, the authentication and authorization for the metrics endpoint are now handled directly by the controller manager server (using filters.WithAuthenticationAndAuthorization). The `kube-rbac-proxy` sidecar is deprecated and no longer needed. This commit removes the remaining Kustomize and Helm configurations for the `kube-rbac-proxy` to fix the `test-kubectl-plugin.yml` CI pipeline, which was failing with an `ImagePullBackOff` error when trying to pull the proxy image. Changes include:
- Removing the proxy sidecar patch from config/default/kustomization.yaml
- Removing proxy-related RBAC and service resources from config/rbac/kustomization.yaml
- Adding tokenreviews and subjectaccessreviews RBAC markers to main.go to ensure make manifests correctly generates the required permissions in config/rbac/role.yaml
- Cleaning up leftover proxy cluster roles and bindings from the Helm chart (chart/hlf-operator/templates/rbac.yaml)

Signed-off-by: Mauricio E. Merida Rivera <mauricio@rubidex.ai>
The previous commit introduced a bug where the generated SecretRef for the CA TLS used `fabricCA.Name` or `certAuth.Name`. These properties are populated by `MapClusterCA` with the format `<name>.<namespace>`. This caused the secret name to incorrectly include the namespace, resulting in names like `org1-ca.default--tls-cryptomaterial`. This fix updates the CLI to use the raw Kubernetes object name via `Item.Name` so that the secret name matches what the CA controller generates (e.g., `org1-ca--tls-cryptomaterial`). Signed-off-by: Mauricio E. Merida Rivera <mauricio@rubidex.ai>
What this PR does / why we need it:
This PR delivers key reliability fixes and declarative GitOps enhancements to the Hyperledger Bevel Fabric Operator and its corresponding `kubectl-hlf` CLI plugin:

- `Failed to get client TLS config: Failed to process certificate from file ...`. This was caused by the temporary CA certificate file not being flushed and closed before passing its path to the underlying Fabric-CA SDK library.
- `/tmp` directory and were never cleaned up, resulting in long-term disk leaks.
- `caHomeDir` where the operator's existing cleanup routine takes care of automatic pruning.

(`kubectl-hlf` CLI):
- `kubectl-hlf` CLI commands (for peers, orderers, and identities) imperatively fetched the target CA, read its `.status.tlsCert`, and embedded it as a static base64-encoded `cacert` block. This broke declarative/GitOps pipelines (like ArgoCD) because resources could not be template-generated or applied before the CA was fully up and running.
- `kubectl hlf peer create`, `kubectl hlf ordnode create`, `kubectl hlf identity create`, and `kubectl hlf identity update` to natively output a `secretRef` pointing to the CA's deterministic `<ca-name>--tls-cryptomaterial` secret (under key `tls.crt`).
- `cacert` is preserved as an explicit empty string (`""`). This enables true offline manifest rendering and automatic CA certificate rotation!
- `README.md` to point to the new officially-managed `hyperledger-bevel` charts registry (https://hyperledger-bevel.github.io/bevel-operator-fabric/) instead of the deprecated `kfsoftware` endpoints.

Which issue(s) this PR fixes:
Fixes #318 (#318)
Special notes for your reviewer:
The core operator changes are centered in `controllers/certs/provision_certs.go`:
- `caCertFile.Close()` to ensure data integrity before the library reads.
- `ioutil.TempFile` to use `caHomeDir` instead of `""` (system tmp) to ensure proper clean up.

The CLI plugin enhancements are centered in:
- `kubectl-hlf/cmd/peer/create.go`
- `kubectl-hlf/cmd/ordnode/create.go`
- `kubectl-hlf/cmd/identity/create.go`
- `kubectl-hlf/cmd/identity/update.go`

How to reproduce the problem exactly:
- `controllers/certs/provision_certs.go` (remove `caCertFile.Close()`).
- `go test -v ./controllers/certs/ -run TestGetClient_ValidCertFile -count 10`.
- `started with 6, ended with 7`).
- `Failed to get client TLS config: Failed to process certificate from file /tmp/ca-cert....`

Does this PR introduce a user-facing change?
As the kubectl hlf plugin now handles identity enrollment as well as peer and orderer enrollment, the plugin only needs to be updated when the Operator Controller Manager running in the cluster has also been updated. This is because the hlf plugin now performs enrollment directly using secretRef instead of fetching the secrets at runtime. Therefore, identity enrollment will only work with the corresponding updated Operator version that supports the secretRef field introduced in this change.
Additional documentation, usage docs, etc.:
- `controllers/certs/provision_certs_test.go` verify successful CA client initialization and guarantee that file descriptors and temporary files are fully closed and cleaned up.
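The temp-file handling described above, as an added illustration that is not the project's own code: the leaky pattern (system tmp dir, handle never closed) beside the fixed one (file under `caHomeDir`, closed and error-checked before the path is handed out), plus the before/after descriptor count the regression test relies on. Function names, the `/proc/self/fd` measurement and the PEM stand-in are assumptions of this example.

```go
package main

import "os"

// Constructed stand-in for the CA's PEM-encoded TLS cert (not a real certificate).
var caCertPEM = []byte("-----BEGIN CERTIFICATE-----\nCONSTRUCTED-EXAMPLE\n-----END CERTIFICATE-----\n")

// leakyWriteCACertFile reproduces the original defect: the temp file lands in
// the system tmp dir (dir == "") where nothing prunes it, and the handle is
// never closed, so each call leaks a descriptor. The handle is returned only so
// a caller can observe the leak; the original code simply dropped it.
func leakyWriteCACertFile(certPEM []byte) (string, *os.File, error) {
	f, err := os.CreateTemp("", "ca-cert-*.pem")
	if err != nil {
		return "", nil, err
	}
	_, err = f.Write(certPEM)
	return f.Name(), f, err
}

// writeCACertFile is the fixed pattern: create under caHomeDir so the
// operator's existing cleanup routine can prune it, and close the handle
// (checking the Close error) before handing the path to the CA SDK.
func writeCACertFile(caHomeDir string, certPEM []byte) (string, error) {
	f, err := os.CreateTemp(caHomeDir, "ca-cert-*.pem")
	if err != nil {
		return "", err
	}
	if _, err := f.Write(certPEM); err != nil {
		f.Close()
		os.Remove(f.Name())
		return "", err
	}
	if err := f.Close(); err != nil { // a failed Close can mean an incomplete file
		os.Remove(f.Name())
		return "", err
	}
	return f.Name(), nil
}

// openFDCount returns how many descriptors this process holds (Linux /proc),
// the same before/after measurement the regression test relies on.
func openFDCount() (int, error) {
	entries, err := os.ReadDir("/proc/self/fd")
	if err != nil {
		return 0, err
	}
	return len(entries), nil
}
```

Running `writeCACertFile` in a loop and comparing `openFDCount` before and after is the check that turns the leak into a failing test rather than a slow-growing `/tmp`.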