Add fabproxy removal example

Signed-off-by: Chris Elder <[email protected]>

examples/fabproxy-removal/01-migrate-all-ca-addresses.yml

@@ -0,0 +1,37 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Renew the TLS Certificate for all Certificate Authorities and Associated Nodes
+  hosts: localhost
+  vars_files:
+      - common-vars.yml
+  tasks:
+      - name: Get the ALL Certificate Authorities
+        hyperledger.fabric_ansible_collection.certificate_authority_list_info:
+            api_endpoint: "{{ api_endpoint }}"
+            api_authtype: "{{ api_authtype }}"
+            api_key: "{{ api_key }}"
+            api_secret: "{{ api_secret | default(omit) }}"
+            api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+        register: result
+
+      - name: Store the Certificate Authorities in a file
+        copy:
+            content: "{{ result.certificate_authorities | to_nice_json }}"
+            dest: "All_CAs.json"
+
+      - name: List Certificate Authorities
+        debug: "msg='Found Certificate Authority {{ certificate_authority.name}}'"
+        loop: "{{ result.certificate_authorities }}"
+        loop_control:
+            loop_var: certificate_authority
+            label: "{{ certificate_authority.name }}"
+
+      - name: Update CA Metadata
+        include_tasks: tasks/01-update-ca-metadata.yml
+        loop: "{{ result.certificate_authorities }}"
+        loop_control:
+          loop_var: certificate_authority
+          label: "{{ certificate_authority.name }}"
+        when: certificate_authority.imported == False

examples/fabproxy-removal/02-update-associated-nodes.yml

@@ -0,0 +1,31 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Renew the TLS Certificate for all Certificate Authorities and Associated Nodes
+  hosts: localhost
+  vars_files:
+      - common-vars.yml
+  tasks:
+      - name: Get the ALL Certificate Authorities
+        hyperledger.fabric_ansible_collection.certificate_authority_list_info:
+            api_endpoint: "{{ api_endpoint }}"
+            api_authtype: "{{ api_authtype }}"
+            api_key: "{{ api_key }}"
+            api_secret: "{{ api_secret | default(omit) }}"
+            api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+        register: result
+
+      - name: List Certificate Authorities
+        debug: "msg='Found Certificate Authority {{ certificate_authority.name}}'"
+        loop: "{{ result.certificate_authorities }}"
+        loop_control:
+            loop_var: certificate_authority
+            label: "{{ certificate_authority.name }}"
+
+      - name: Renew TLS Certificates for Certificate Authorities
+        include_tasks: tasks/02-create-crypto-update.yml
+        loop: "{{ result.certificate_authorities }}"
+        loop_control:
+            loop_var: certificate_authority
+            label: "{{ certificate_authority.name }}"

examples/fabproxy-removal/03-migrate-peer-and-imported-addresses.yml

@@ -0,0 +1,31 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Renew the TLS Certificate for all Certificate Authorities and Associated Nodes
+  hosts: localhost
+  vars_files:
+      - common-vars.yml
+  tasks:
+      - name: Get the ALL Certificate Authorities
+        hyperledger.fabric_ansible_collection.certificate_authority_list_info:
+            api_endpoint: "{{ api_endpoint }}"
+            api_authtype: "{{ api_authtype }}"
+            api_key: "{{ api_key }}"
+            api_secret: "{{ api_secret | default(omit) }}"
+            api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+        register: result
+
+      - name: List Certificate Authorities
+        debug: "msg='Found Certificate Authority {{ certificate_authority.name}}'"
+        loop: "{{ result.certificate_authorities }}"
+        loop_control:
+            loop_var: certificate_authority
+            label: "{{ certificate_authority.name }}"
+
+      - name: Get Peers for the CA
+        include_tasks: tasks/03-get-all-nodes-for-ca.yml
+        loop: "{{ result.certificate_authorities }}"
+        loop_control:
+            loop_var: certificate_authority
+            label: "{{ certificate_authority.name }}"

examples/fabproxy-removal/04-migrate-ordering-node-addresses.yml

@@ -0,0 +1,85 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Migrate Ordering Service Node
+  hosts: localhost
+  vars_files:
+      - common-vars.yml
+      - channels.yml
+  tasks:
+
+      - name: Reenroll Ordering Service Node "{{ ordering_service_node_name }}" TLS
+        hyperledger.fabric_ansible_collection.ordering_service_node_action:
+            api_endpoint: "{{ api_endpoint }}"
+            api_authtype: "{{ api_authtype }}"
+            api_key: "{{ api_key }}"
+            api_secret: "{{ api_secret | default(omit) }}"
+            name: "{{ ordering_service_node_name }}"
+            action: 'reenroll'
+            type: 'tls_cert'
+        register: result
+
+      - name: Fail if the Certificate Authority did not accept the message
+        fail:
+            msg: result.response
+        when: not result.accepted
+
+      - name: Temporarily change Ordering Service Node "{{ ordering_service_node_name }}" to use the new URLs and record settings
+        hyperledger.fabric_ansible_collection.ordering_service_node_metadata:
+            api_endpoint: "{{ api_endpoint }}"
+            api_authtype: "{{ api_authtype }}"
+            api_key: "{{ api_key }}"
+            api_secret: "{{ api_secret | default(omit) }}"
+            api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+            name: "{{ ordering_service_node_name }}"
+            preferred_url: "{{ preferred_url_os }}"
+        register: ordering_node_new_url
+
+      - name: Change Ordering Node "{{ ordering_service_node_name }}" to use the legacy URLs
+        hyperledger.fabric_ansible_collection.ordering_service_node_metadata:
+            api_endpoint: "{{ api_endpoint }}"
+            api_authtype: "{{ api_authtype }}"
+            api_key: "{{ api_key }}"
+            api_secret: "{{ api_secret | default(omit) }}"
+            api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+            name: "{{ ordering_service_node_name }}"
+            preferred_url: "{{ preferred_url_legacy }}"
+        register: ordering_node_legacy_url
+
+      - name: Store the ordering service node to a file
+        copy:
+            content: "{{ ordering_node_new_url.ordering_service_node | to_nice_json }}"
+            dest: "{{ ordering_service_node_name }}.json"
+
+      - name: Remove the previous channels directory if it exists
+        ansible.builtin.file:
+            path: channels
+            state: absent
+
+      - name: Remove the previous completed channels
+        ansible.builtin.file:
+            path: completed_channels.txt
+            state: absent
+
+      - name: Update channels
+        include_tasks: tasks/04-update-channel.yml
+        loop: "{{ channel_names }}"
+        loop_control:
+            loop_var: channel_name
+
+      - name: Change Ordering Service Node "{{ ordering_service_node_name }}" to use the new URLs
+        hyperledger.fabric_ansible_collection.ordering_service_node_metadata:
+            api_endpoint: "{{ api_endpoint }}"
+            api_authtype: "{{ api_authtype }}"
+            api_key: "{{ api_key }}"
+            api_secret: "{{ api_secret | default(omit) }}"
+            api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+            name: "{{ ordering_service_node_name }}"
+            preferred_url: "{{ preferred_url_os }}"
+        when: not (dry_run | bool)
+
+      - name: Warn if dry run
+        debug:
+            msg: Dry run, not signing or applying channel configuration update
+        when: (dry_run | bool)

examples/fabproxy-removal/05-update_anchor_peers.yml

@@ -0,0 +1,35 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Update anchor peers
+  hosts: localhost
+  vars_files:
+      - common-vars.yml
+      - channels.yml
+  tasks:
+
+      - name: Create the local msp for all organizations
+        hyperledger.fabric_ansible_collection.membership_service_provider_local:
+            api_endpoint: "{{ api_endpoint }}"
+            api_authtype: "{{ api_authtype }}"
+            api_key: "{{ api_key }}"
+            api_secret: "{{ api_secret | default(omit) }}"
+            api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+            operation: "create"
+
+      - name: Remove the previous channels directory if it exists
+        ansible.builtin.file:
+            path: channels_anchor
+            state: absent
+
+      - name: Remove the previous completed channels
+        ansible.builtin.file:
+            path: completed_channels.txt
+            state: absent
+
+      - name: Update channels
+        include_tasks: tasks/05-update-channel.yml
+        loop: "{{ channel_names }}"
+        loop_control:
+            loop_var: channel_name

examples/fabproxy-removal/README.md

@@ -0,0 +1,5 @@
+# Fabproxy Removal
+
+This is a support project for removing Fabproxy from migrated instances from IBM Blockchain Platform Software as a Service.
+
+Many techniques and processes can be adapted for normal ongoing maintenance processes.

examples/fabproxy-removal/channels.yml

@@ -0,0 +1,7 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+channel_names:
+  - testchainid
+  - channel1

examples/fabproxy-removal/common-vars.yml

@@ -0,0 +1,16 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+api_endpoint: https://ibp-console.example.org:32000
+api_authtype: basic
+api_key: xxxxxxxx
+api_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+preferred_url_os: "os"
+preferred_url_legacy: "legacy"
+ordering_service_name: "Orderer"
+ordering_service_node_name: "Orderer_1"
+ordering_service_admin_identity: "Orderer MSP Admin_identity.json"
+ordering_service_msp_id: osmsp
+dry_run: false
+wait_timeout: 600

examples/fabproxy-removal/tasks/01-renew-ca-tls.yml

@@ -0,0 +1,20 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Renew the TLS Certificate for the Certificate Authority "{{ certificate_authority.name }}"
+  hyperledger.fabric_ansible_collection.certificate_authority_action:
+      api_endpoint: "{{ api_endpoint }}"
+      api_authtype: "{{ api_authtype }}"
+      api_key: "{{ api_key }}"
+      api_secret: "{{ api_secret | default(omit) }}"
+      api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+      name: "{{ certificate_authority.name }}"
+      action: 'renew'
+  register: result
+  when: certificate_authority.imported == False
+
+- name: Fail if the Certificate Authority "{{ certificate_authority.name }}" did not accept the message
+  fail:
+      msg: result.response
+  when: not result.accepted

examples/fabproxy-removal/tasks/01-update-ca-metadata.yml

@@ -0,0 +1,28 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Update the Certificate Authority metadata for "{{ certificate_authority.name }}"
+  hyperledger.fabric_ansible_collection.certificate_authority_metadata:
+      api_endpoint: "{{ api_endpoint }}"
+      api_authtype: "{{ api_authtype }}"
+      api_key: "{{ api_key }}"
+      api_secret: "{{ api_secret | default(omit) }}"
+      api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+      name: "{{ certificate_authority.name }}"
+      preferred_url: "{{ preferred_url_os }}"
+  register: update_result
+
+- name: Fail if the Certificate Authority "{{ certificate_authority.name }}" was not updated
+  fail:
+      msg: "Certificate Authority {{ certificate_authority.name }} was not updated"
+  when: not update_result.changed
+
+- name: Write the updated certficate authority "{{ certificate_authority.name }}" to a file
+  copy:
+      content: "{{ update_result.certificate_authority | to_nice_json }}"
+      dest: "updated_certficat_authority.json"
+
+- name: Renew TLS Certificates for Certificate Authorities
+  include_tasks: tasks/01-renew-ca-tls.yml
+  when: certificate_authority.imported == False

examples/fabproxy-removal/tasks/02-create-crypto-update.yml

@@ -0,0 +1,66 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Get the Certificate Authority
+  hyperledger.fabric_ansible_collection.certificate_authority_info:
+      api_endpoint: "{{ api_endpoint }}"
+      api_authtype: "{{ api_authtype }}"
+      api_key: "{{ api_key }}"
+      api_secret: "{{ api_secret | default(omit) }}"
+      api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+      name: "{{ certificate_authority.name }}"
+  register: result
+
+- name: Configure the crypto update
+  set_fact:
+      crypto:
+          enrollment:
+              ca:
+                  host: "{{ result.certificate_authority.api_url | urlsplit('hostname') }}"
+                  port: "{{ result.certificate_authority.api_url | urlsplit('port') }}"
+                  tls_cert: "{{ result.certificate_authority.msp.component.tls_cert }}"
+              tlsca:
+                  host: "{{ result.certificate_authority.api_url | urlsplit('hostname') }}"
+                  port: "{{ result.certificate_authority.api_url | urlsplit('port') }}"
+                  tls_cert: "{{result.certificate_authority.msp.component.tls_cert}}"
+
+- name: Get the Nodes associated with the Certificate Authority "{{ certificate_authority.name }}"
+  hyperledger.fabric_ansible_collection.certificate_authority_associated_nodes:
+      api_endpoint: "{{ api_endpoint }}"
+      api_authtype: "{{ api_authtype }}"
+      api_key: "{{ api_key }}"
+      api_secret: "{{ api_secret | default(omit) }}"
+      api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+      certificate_authority: "{{ certificate_authority.name }}"
+  register: nodes
+
+- name: List the Ordering Nodes
+  debug: "msg='Found Ordering Node {{ ordering_service_node.name}}'"
+  loop: "{{ nodes.ordering_service_nodes }}"
+  loop_control:
+      loop_var: ordering_service_node
+      label: "{{ ordering_service_node.name }}"
+
+- name: Update Ordering Nodes associated with "{{ certificate_authority.name }}"
+  include_tasks: tasks/02-update-ordering-node.yml
+  loop: "{{ nodes.ordering_service_nodes }}"
+  loop_control:
+      loop_var: ordering_service_node
+      label: "{{ ordering_service_node.name }}"
+  when: ordering_service_node.imported == False
+
+- name: List the Peers
+  debug: "msg='Found Peer {{ peer.name}}'"
+  loop: "{{ nodes.peers }}"
+  loop_control:
+      loop_var: peer
+      label: "{{ peer.name }}"
+
+- name: Update Peers associated with "{{ certificate_authority.name }}"
+  include_tasks: tasks/02-update-peer.yml
+  loop: "{{ nodes.peers }}"
+  loop_control:
+      loop_var: peer
+      label: "{{ peer.name }}"
+  when: peer.imported == False