Merge remote-tracking branch 'origin/main' into feat/implement-hashicorp-vault

Signed-off-by: dviejokfs <[email protected]>

Author: dviejokfs

go.mod

@@ -1,8 +1,6 @@
 module github.com/kfsoftware/hlf-operator
 
-go 1.23.0
-
-toolchain go1.23.5
+go 1.23.5
 
 require (
 	github.com/IBM/idemix v0.0.0-20220113150823-80dd4cb2d74e
@@ -238,5 +236,5 @@ require (
 
 replace (
 	github.com/hyperledger/fabric-config => github.com/kfsoftware/fabric-config v0.0.0-20240819184344-a0b16ca530c2
-	github.com/hyperledger/fabric-sdk-go => github.com/kfsoftware/fabric-sdk-go v0.0.0-20240114221414-98466038585d
-)
+	github.com/hyperledger/fabric-sdk-go => github.com/kfsoftware/fabric-sdk-go v0.0.0-20250318193343-db7cb6f42306
+)

go.sum

@@ -528,6 +528,8 @@ github.com/kfsoftware/fabric-config v0.0.0-20240819184344-a0b16ca530c2 h1:6wb4m/
 github.com/kfsoftware/fabric-config v0.0.0-20240819184344-a0b16ca530c2/go.mod h1:1ZfjDrsuMoM4IPKezQgTByy2vXUj8bgTXaOXaGXK5O4=
 github.com/kfsoftware/fabric-sdk-go v0.0.0-20240114221414-98466038585d h1:HcMV8Lve3QkZUIWYHP+rVIR4xtTdDPooj7Id0IdBj0o=
 github.com/kfsoftware/fabric-sdk-go v0.0.0-20240114221414-98466038585d/go.mod h1:JRplpKBeAvXjsBhOCCM/KvMRUbdDyhsAh80qbXzKc10=
+github.com/kfsoftware/fabric-sdk-go v0.0.0-20250318193343-db7cb6f42306 h1:1HeRlKS4qdrC26HAe8ZqRiuBUPiGFDY7taHuehyraRE=
+github.com/kfsoftware/fabric-sdk-go v0.0.0-20250318193343-db7cb6f42306/go.mod h1:JRplpKBeAvXjsBhOCCM/KvMRUbdDyhsAh80qbXzKc10=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=

kubectl-hlf/cmd/channel/inspect.go

@@ -5,7 +5,9 @@ import (
 	"fmt"
 	"io"
 
+	"github.com/golang/protobuf/proto"
 	"github.com/hyperledger/fabric-config/protolator"
+	"github.com/hyperledger/fabric-protos-go/common"
 	"github.com/hyperledger/fabric-sdk-go/pkg/client/resmgmt"
 	"github.com/hyperledger/fabric-sdk-go/pkg/core/config"
 	"github.com/hyperledger/fabric-sdk-go/pkg/fab/resource"
@@ -20,6 +22,8 @@ type inspectChannelCmd struct {
 	channelName string
 	userName    string
 	ordererName string
+	raw         bool
+	genesis     bool
 }
 
 func (c *inspectChannelCmd) validate() error {
@@ -56,10 +60,35 @@ func (c *inspectChannelCmd) run(out io.Writer) error {
 	if c.ordererName != "" {
 		resmgmtOptions = append(resmgmtOptions, resmgmt.WithOrdererEndpoint(c.ordererName))
 	}
-	block, err := resClient.QueryConfigBlockFromOrderer(c.channelName, resmgmtOptions...)
-	if err != nil {
-		return err
+
+	var block *common.Block
+	if c.genesis {
+		block, err = resClient.GenesisBlock(c.channelName, resmgmtOptions...)
+		if err != nil {
+			return fmt.Errorf("failed to fetch genesis block: %v", err)
+		}
+	} else {
+		// Fetch latest config block
+		block, err = resClient.QueryConfigBlockFromOrderer(c.channelName, resmgmtOptions...)
+		if err != nil {
+			return fmt.Errorf("failed to fetch config block: %v", err)
+		}
 	}
+
+	if c.raw {
+		// Output raw block
+		blockBytes, err := proto.Marshal(block)
+		if err != nil {
+			return err
+		}
+		_, err = out.Write(blockBytes)
+		if err != nil {
+			return err
+		}
+		return nil
+	}
+
+	// Output JSON format (default)
 	cmnConfig, err := resource.ExtractConfigFromBlock(block)
 	if err != nil {
 		return err
@@ -92,6 +121,8 @@ func newInspectChannelCMD(out io.Writer, errOut io.Writer) *cobra.Command {
 	persistentFlags.StringVarP(&c.channelName, "channel", "c", "", "Channel name")
 	persistentFlags.StringVarP(&c.configPath, "config", "", "", "Configuration file for the SDK")
 	persistentFlags.StringVarP(&c.ordererName, "orderer", "o", "", "Orderer endpoint to fetch config from (optional)")
+	persistentFlags.BoolVarP(&c.raw, "raw", "r", false, "Output raw block instead of JSON format")
+	persistentFlags.BoolVarP(&c.genesis, "genesis", "g", false, "Fetch genesis block (block 0) instead of config block")
 	cmd.MarkPersistentFlagRequired("channel")
 	cmd.MarkPersistentFlagRequired("user")
 	cmd.MarkPersistentFlagRequired("peer")

website-docs/docs/grpc-proxy/enable-orderers.md

@@ -1,4 +1,4 @@
-
+# Enable GRPC proxy on the orderers
 ## Enable GRPC proxy for Fabric Operations Console
 
 In order to enable the GRPC Web, needed to connect the peer to the Fabric Operations console, we need to add the `grpcProxy` property with the following attributes:

website-docs/docs/grpc-proxy/enable-peers.md

@@ -1,4 +1,4 @@
-
+# Enable GRPC proxy on the peers
 ## Enable GRPC proxy for Fabric Operations Console
 
 In order to enable the GRPC Web, needed to connect the peer to the Fabric Operations console, we need to add the `grpcProxy` property with the following attributes:

website-docs/docs/security/_category_.json

@@ -0,0 +1,3 @@
+{
+	"label": "Security"
+}

website-docs/docs/security/revoke-identities.md

@@ -0,0 +1,88 @@
+---
+id: revoke-identities
+title: Revoking Identity Credentials
+---
+
+> **Note:** This feature requires HLF Operator version 1.12.0 or later.
+
+# Revoking Identity Credentials
+
+This guide walks you through the process of revoking identity credentials in a Hyperledger Fabric network managed by HLF Operator. Identity revocation is a critical security operation when credentials are compromised or when users leave your organization.
+
+## Before You Begin
+
+To revoke credentials, you must have an admin identity with the proper permissions. The following attributes are required:
+
+```yaml
+identities:
+  - affiliation: ''
+    attrs:
+      hf.AffiliationMgr: false
+      hf.GenCRL: true
+      hf.IntermediateCA: false
+      hf.Registrar.Attributes: '*'
+      hf.Registrar.Roles: '*'
+      hf.Registrar.DelegateRoles: '*'
+      hf.Revoker: true
+    name: ${ADMIN_NAME}
+    pass: ${ADMIN_PASSWORD}
+    type: admin
+```
+
+The critical attributes for revocation are:
+- `hf.GenCRL: true` - Allows generation of Certificate Revocation Lists
+- `hf.Revoker: true` - Grants permission to revoke certificates
+- `hf.Registrar.Roles: '*'` - Manages roles for the CA
+
+## Step-by-Step Revocation Process
+
+### 1. Configure Environment Variables
+
+First, set up your environment to connect to the Certificate Authority:
+
+```bash
+# Set CA URL
+export FABRIC_CA_CLIENT_URL=https://${CA_HOST}:${CA_PORT}
+
+# Set TLS certificate path
+# You can obtain this from the `status.tls_cert` field of the CA custom resource
+export FABRIC_CA_CLIENT_TLS_CERTFILES=${PWD}/${TLS_CERT_FILE}
+```
+
+### 2. Authenticate as Admin
+
+Enroll the admin user that has revocation privileges:
+
+```bash
+fabric-ca-client enroll -u https://${ADMIN_NAME}:${ADMIN_PASSWORD}@${CA_HOST}:${CA_PORT}
+```
+
+### 3. Execute the Revocation
+
+Revoke the target identity using its enrollment ID:
+
+```bash
+fabric-ca-client revoke -e ${TARGET_IDENTITY}
+```
+
+### 4. Generate and Apply the CRL
+
+After revoking the identity, create a Certificate Revocation List:
+
+```bash
+fabric-ca-client gencrl
+```
+
+Apply the generated CRL to your FabricFollowerChannel custom resource:
+
+```yaml
+apiVersion: hlf.kungfusoftware.es/v1alpha1
+kind: FabricFollowerChannel
+metadata:
+  name: ${CHANNEL_NAME}
+spec:
+  # ...other configuration...
+  revocationList:
+    - |
+      <CRL_GENERATED_ABOVE>
+```

website-docs/sidebars.ts

@@ -38,6 +38,9 @@ const sidebars: SidebarsConfig = {
 			"chaincode-development/architecture",
 			"chaincode-development/getting-started",
 		],
+		"Security": [
+			"security/revoke-identities",
+		],
 		"Chaincode deployment": [
 			"chaincode-deployment/getting-started",
 			"chaincode-deployment/external-chaincode-as-a-service",