Skip to content

Latest commit

 

History

History
159 lines (100 loc) · 4.59 KB

File metadata and controls

159 lines (100 loc) · 4.59 KB

Gateway Client Application

PREV: Install Chaincode <==> NEXT: Teardown


In this final workshop exercise, we will port the Gateway Client routines you developed in the ApplicationDev module to run on a cloud-native Fabric network.

In order to query the ledger and submit transactions to the asset-transfer smart contract, the client application must run with an identity certificate and key pair issued by the organization's CA. Once the user identity has been enrolled with the CA, we'll use the new identity to create, transfer, and exchange virtual "token" assets on a shared ledger.

Gateway Client Application

Ready?

just check-chaincode

Register and enroll a new user at the org CA

# User organization MSP ID
export MSP_ID=Org1MSP        
export ORG=org1
export USERNAME=org1user
export PASSWORD=org1userpw
ADMIN_MSP_DIR=$WORKSHOP_CRYPTO/enrollments/${ORG}/users/rcaadmin/msp
USER_MSP_DIR=$WORKSHOP_CRYPTO/enrollments/${ORG}/users/${USERNAME}/msp
PEER_MSP_DIR=$WORKSHOP_CRYPTO/channel-msp/peerOrganizations/${ORG}/msp

fabric-ca-client  register \
  --id.name       $USERNAME \
  --id.secret     $PASSWORD \
  --id.type       client \
  --url           https://$WORKSHOP_NAMESPACE-$ORG-ca-ca.$WORKSHOP_INGRESS_DOMAIN \
  --tls.certfiles $WORKSHOP_CRYPTO/cas/$ORG-ca/tls-cert.pem \
  --mspdir        $WORKSHOP_CRYPTO/enrollments/$ORG/users/rcaadmin/msp

fabric-ca-client enroll \
  --url           https://$USERNAME:$PASSWORD@$WORKSHOP_NAMESPACE-$ORG-ca-ca.$WORKSHOP_INGRESS_DOMAIN \
  --tls.certfiles $WORKSHOP_CRYPTO/cas/$ORG-ca/tls-cert.pem \
  --mspdir        $WORKSHOP_CRYPTO/enrollments/$ORG/users/$USERNAME/msp

mv $USER_MSP_DIR/keystore/*_sk $USER_MSP_DIR/keystore/key.pem

Go Bananas

  • Set the gateway client to connect to the org1-peer1 as the newly enrolled ${USERNAME}:
# Path to private key file
export PRIVATE_KEY=${USER_MSP_DIR}/keystore/key.pem

# Path to user certificate file
export CERTIFICATE=${USER_MSP_DIR}/signcerts/cert.pem

# Path to CA certificate
export TLS_CERT=${PEER_MSP_DIR}/tlscacerts/tlsca-signcert.pem

# Gateway peer SSL host name override
export HOST_ALIAS=${WORKSHOP_NAMESPACE}-${ORG}-peer1-peer.${WORKSHOP_INGRESS_DOMAIN}

# Gateway endpoint
export ENDPOINT=$HOST_ALIAS:443
pushd applications/trader-typescript

npm install
# Create a yellow banana token owned by appleman@org1 
npm start create banana bananaman yellow

npm start getAllAssets

# Transfer the banana among users / orgs 
npm start transfer banana appleman Org1MSP

npm start getAllAssets

# Transfer the banana among users / orgs 
npm start transfer banana bananaman Org2MSP

# Error! Which org owns the banana? 
npm start transfer banana bananaman Org1MSP

popd

Take it Further

Gateway Load Balancing

In the example above, the gateway client connects directly to a peer using the specific peer node's gRPCs URL. This can be extended with a level of fail-over and load balancing, by instructing the gateway client to connect at a virtual host Ingress and Kubernetes Service. When connecting in this fashion, Gateway client connections are load balanced across the org's peers in the network, with the gateway peer further dispatching transaction requests to peers while maintaining a balanced ledger height.

Fabric Gateway deployment

To set up a load-balanced Gateway Service and Ingress URL in Kubernetes:

  • Create a virtual host name / Ingress endpoint for the org peers:
pushd applications/trader-typescript

kubectl kustomize \
  ../../infrastructure/sample-network/config/gateway \
  | envsubst \
  | kubectl -n ${WORKSHOP_NAMESPACE} apply -f -  
  • Run the gateway client application, using the load-balanced Gateway service. When the gateway client connects to the network, the gRPCs connections will be distributed across peers in the org:
unset HOST_ALIAS
export ENDPOINT=${WORKSHOP_NAMESPACE}-org1-peer-gateway.${WORKSHOP_INGRESS_DOMAIN}:443

npm start getAllAssets

popd

Note that in order to support ingress and host access with the new virtual domain, the peer CRDs have been instructed to designate an additional SAN alias / host name when provisioning the node TLS certificate with the CA.


PREV: Install Chaincode <==> NEXT: Teardown