Jean-Gaël Dominé <jgdomine@...>
I would like to share some ideas and get your feelings and ideas about the generation and sharing of the artifacts, because I'm not sure which path to take.
In my network (deployed in Kubernetes) I have a batch that generates all the certificates and keys (TLS included) of the admins, peers, orderers, genesis block, ... by connecting to the CA using fabric-ca-client.
Then I export all these artifacts as secrets in K8S so that the components have access to them.
This works fine but it does not look like production mode to me.
So I was trying to think of how this process would be handled in production. Here are some ideas:
1) Peers and orderers enroll themselves at startup:
But an issue I foresee is the management in case the component restarts: we must avoid going through the registration/enrollment again since it was already done. How can this be achieved?
Also, the LCM of the certificates could be an issue.
Besides, it would become more complex to add a new organization.
In case a new organization is added, I don't see how to automate it since the system channel configuration must be updated...
So if anyone has a better idea on how to handle this part of Fabric, I'd be happy to learn about it :)