 Will it be available just after the... So you're live. Sorry, what was the question? Will this be... The YouTube stream will be available as a video after. Yeah, so I'm gonna drop the live stream link here in Zoom chat, and that will be where the recording is as soon as this is over. It's the same link as the live stream. So when you want... Yeah, yeah, go for it, you're live. Okay, perfect.

So, thank you everyone for joining. It's been like a year and a half after we did the previous meetup, which was also a guide in order to get started with Hyperledger Fabric. My name is David Viejo, I'm CTO of Kung Fu Software, where we're specializing in building Hyperledger Fabric networks and also in building Hyperledger Fabric projects. We have been working with Fabric for over three years. We are the main maintainers of the HLF operator, which is a project which is now in Hyperledger Labs, and it's getting very good traction. People are using it in order to ease the initial phase of building the network for Hyperledger Fabric, which is highly complex to get started. And if you have any questions, any concerns, any doubts, or you want to reach out to me for anything, you can just contact me on LinkedIn.

And so the idea of these meetups... This meetup is very similar to the one we did a year and a half ago, but the idea for this meetup is to do also other meetups where we explain the experience of building Hyperledger Fabric projects: what we found out that worked, what didn't work, the things that are not obvious as a person, or as a team, who is being introduced to these technologies. And so this will be the second meetup. We don't have a date yet. 
And then the integration between databases and blockchain, commonly known as off-chain, which is a common use case for projects that do not have the capabilities in order to run all of the features on chain, because you know that the blockchain cannot do what Elasticsearch can do, what PostgreSQL can do. So there is always a phase where some data in blockchain goes to a database, off-chain, and this meetup will be to talk about the experience and how we were able to do this.

So let's get to the topic of the meetup. What is Hyperledger Fabric? Most of you will know, but Hyperledger Fabric is an open source blockchain platform designed to be modular and highly configurable. It is for permissioned networks. So this means that it's not Bitcoin, it's not like Ethereum, not all organizations can join. There needs to be a network formed, commonly known as a channel. It supports the use of smart contracts. Smart contracts can be written in Go, Node.js, Java. That is one of the best features, because organizations do not need to know another language, such as in Ethereum, where you need to learn Solidity. It uses a consensus algorithm, pluggable. This is not right now practical, but in 3.0, which will... Hyperledger 4.0, which will come out this year, hopefully, this will allow to have multiple consensus mechanisms. Right now it is using the Raft protocol in order to reach consensus, and there will be some improvements in this sense in order to have a pluggable consensus. It allows the creation of private channels, which is that multiple organizations form a network and are able to exchange confidential information between them. And also one of the features that is most used, based on my experience, is the use of private data collections, which is that a subset of the participants that are part of the channel can share information that is not visible to the other participants. Or if we have a network of 10 participants, we can create a private data collection that shares the 
data between three participants, and this is highly, highly, highly used in these projects, because there is almost always a use case in order to have a controlled way of sharing data between the organizations that are there.

So the context for this meetup: Hyperledger 2.4 will be used, and also with the channel participation API. Before, in 2.2, there was a need for a system channel, so in order to create a channel you needed also to have a system channel, which made things way harder. So for this we're using 2.0, which is not yet LTS. There will be a version that is right now in alpha, which is Hyperledger 2.5, that will become LTS, and 2.2 is also LTS, but I think people will be migrating from 2.2 to 2.5, also to ease the operations.

All of the operations will use the kubectl plugin from the HLF operator. The kubectl plugin is code that is an extension of kubectl. kubectl is the CLI that allows someone to access a Kubernetes cluster. So we made this plugin in order to ease the introduction for people to create a network. All can be found in this link. It will also be in the YouTube description if you are watching this on YouTube, or in the meetup description. And we're not using cryptogen, so we are using the Fabric CA in order to generate all of the certificates. Cryptogen was a tool that made it very easy to get started, but it was not meant for production. So everything that we do here, with the right domain names, with the right scalability, with the right Kubernetes cluster, this can run in production. In fact, we have multiple networks running, not with those commands, but very similar commands, running in production.

So we're going to use a Kubernetes operator for Hyperledger, which is what we built, which is the project that is in Hyperledger Labs. Why use a Kubernetes operator? 
Using a Kubernetes operator, we have a declarative way of creating Hyperledger Fabric components, which is create a peer, create an orderer, create a channel, create a chaincode. So all of this is abstracted from ourselves: we just declare what we want and the operator just deploys it. So that is the concept. You don't need to go to Docker Compose, you just declare a YAML and it gets deployed. This is based on Kubernetes, which is a great abstraction because this can work either on premise or on cloud. As long as you have a valid Kubernetes cluster and you can reach the peer from the outside, configuring the DNS and the public IP, you can deploy this anywhere in the world where there is a Kubernetes cluster. And it's customizable for specific use cases which we have already implemented, like certificate renewals, or other use cases such as creating a channel, which we have also implemented. And feel free to go to the GitHub of the operator and propose new features that you need in your projects. This is not something that we decide and we implement. 
This is something that we want the community also to be involved in, in the creation. Right now it has reached a stable phase, or there hasn't been any feature added for the last five months, only bug fixes or minor improvements. But the idea is to keep adding major features in the future.

So let's have a brief overview of the components in Hyperledger Fabric. So we have the two main components, which are the peer and the orderer, and each component has its own certificates, TLS certificates and sign certificates. The TLS certificates are used for the peer server, same as for the orderer, they are used for the orderer server. And the sign certificates are used by the peer in order to sign transactions. And the same for the orderer, the sign certificates are used to sign transactions. It is recommended to have multiple certificates, one for each one, because then you can have multiple certificate authorities that can serve multiple purposes. And then the SDK client connects to the peer, then the peer executes the chaincode, then the response from the chaincode goes all the way back to the SDK client. Then the SDK client signs the transaction with the sign certificates, and then it submits the transaction to the orderer. This is the basic flow that we want to recreate in this meetup.

And we are going to describe briefly the three main components, which are the peer, orderer and Fabric CA. So a Hyperledger Fabric peer is an order participating in a security or formal contract within the Hyperledger Fabric network. It can act as an endorser, which basically means that the peer has the chaincode installed, or it can be a committing peer, which doesn't have the chaincode installed. It just belongs to the channel and then it receives all the blocks. This is good in order to have a backup for the blocks. So imagine that you have three peers in an organization, and then two endorsers which have the chaincode installed, and then the third one just acts as a backup. So all of the blocks go to the third peer, but it's just 
in case. All of the peers maintain a copy of the ledger. The ledger, if we remember correctly, is the CouchDB plus the blocks, or the world state, which can be CouchDB. It's usually CouchDB for most of the projects because it offers more query capabilities, but it can also be LevelDB. It maintains a copy of the current state only. It only updates the state based on the valid transactions. This is very important. So if a block has 10 transactions and one is invalid, then it will not update the world state with that invalid transaction. And the peers in a channel can be anchor peers, which are well-known peers that are stored in the channel configuration. We will see this later when we go to the code. Or it can be a non-anchor peer, and it's just used in order to execute transactions, but it is not used from other organizations.

An ordering service is a set of nodes that are responsible for ordering and delivering the transactions to the peers. The orderer node receives the transactions from the clients, orders them into a block, and then it broadcasts the block to all of the peers, ensuring that all have the same copy of the ledger. So basically the ordering service is the one that maintains the consensus on the network. That is what the ordering service does. An ordering service consists of one or multiple orderer nodes. Ideally, if you are starting a network, don't start with one node, because if you are starting with one node you will not be able to migrate to three nodes without restarting the network. And this is something that has happened to us in the past. So the ordering service can be one node or a group of nodes that work together, so that the ordering and delivery of transactions is performed in a reliable way. But keep in mind: start with three nodes or five nodes for production. In this tutorial, in this meetup, we are going to use three nodes, in order to not use the development environment. So each organization, as we see here, which is the end goal, will have two 
peers, in order to ensure high availability. So you can deploy this workshop, you can deploy it in the cloud, and it will be highly available.

So let's go back to the Fabric CA. The Fabric CA is a component that is provided by Hyperledger Fabric and mainly manages the users that are able to generate certificates. And these certificates are used to authenticate and authorize the network. Basically with one certificate you can go to the network and execute the transaction, depending on your role. There are four types of roles that the Fabric CA has: client, admin, peer and orderer. In fact we will see this in the workshop. The CA node provides an enrollment service that allows it to request and obtain digital certificates. This is the enrolling part. A user can register once and then it can enroll multiple digital certificates for the same user. And the CA node also provides a revocation service that basically allows the CA to generate a CRL, which is a certificate revocation list. Based on my experience this service is not commonly used in most of the projects. I have never personally used this CRL service, but it's something that is in the best practice to use.

So based on that, we have seen that we can deploy peers, orderers, Fabric CA. This is what we need to deploy. And we're going to have a look at the different operator resources, so the different resources that the operator allows you to create. On the left we have the physical resources, so resources that you create and the operator creates a pod, a deployment in Kubernetes, creates resources in Kubernetes. And there are logical resources, in this case the Fabric main channel and the Fabric follower channel, that allow you to create a channel and maintain the channel. So on the left we have the peer: we can deploy peers, we can deploy orderers, we can deploy certificate authorities, chaincodes, the operator UI, which we haven't had the time to include in this workshop, but we will include it later, and the Fabric operations console, which 
is the console that IBM open sourced last year, which is the user interface that they are using for the IBP, IBM Blockchain Platform. And you can deploy it also with the HLF operator. I think you can deploy it also with their operator. And then we have the logical components, which are the Fabric main channel and the Fabric follower channel. The Fabric main channel allows you to create the channel and maintain the properties and the configuration of the channel, such as how many transactions we want as a maximum in the block, how many consenters are in the network, how many peer organizations are in the network. And once we have created the Fabric main channel, then we can create the Fabric follower channel, which needs to be created for every peer organization, which is basically joining the peers to the channel, which is what the operator does, and then configuring the peers, which are the peers that are going on to the channel. We will see this more in detail in the code.

Then we have a little diagram in order to explain all of the components that are created. So we will be these users on the left. With the kubectl plugin, we create the common resource definitions in the Kubernetes cluster, and then the operator will manage all of these resources: it will manage the Fabric CA, the orderer, the peer, the Fabric follower channel, the Fabric main channel, chaincodes and the visualization CRDs, which are these three: operator UI, operator API, operations console. If you want to deploy any of these, which is not covered in today's meetup, you will be able to find this in the documentation of the actual operator, which we will link in the YouTube or in the Zoom. We will link it soon.

So what skills do you need to follow this workshop? 
You are free, as we go, to also execute the commands, and if you have any problem, just send it in chat or in the YouTube comments. So you need cryptography, public infrastructure. You can make this workshop work without knowing cryptography, but if you have any problem, then you will have to dig in and debug the network. So cryptography is highly recommended to have in the skill set. You will need to know how to deploy a Kubernetes cluster. It's in the instructions how to create it with kind, but just in case. You will need to know how to use Docker, how to use Node.js with TypeScript, since the client and the chaincode that we will be writing will be with this technology. You will need to be able to execute the commands. I highly recommend to use either Ubuntu or macOS. This test that we're going to do will be with a Mac M1. So if you have a Mac M1, it will work perfectly, and it will work also with a normal Mac and Ubuntu server. And basic networking concepts, DNS, TLS. We will explain this in detail later.

So let's go for the goal of this demo. After we explain the goal, we will just jump... well, we will do a Q&A in order to know if there is any question that needs to be answered, and then we will go to the demo. But the goal for the end of this meetup is to have two organizations, Org1MSP and Org2MSP. These two organizations will have two peers. Both will be anchor peers. And then we have a chaincode deployed inside the Kubernetes cluster. And then there will be an orderer organization with three nodes. And all of these three organizations will be joined into a channel, which we have here at the top left, which will be the demo channel. And these are the arrows in red that interconnect these three organizations. And then at the left we have the SDK client in TypeScript, which will be an API that we will run locally, and we will execute a transaction in this Hyperledger Fabric network that we have just created.

And demo time. But first let's check if there is any 
question, or anything that you want to be clarified. I don't know if David is wrong, well, you are there in order to help me with this.

Will you stream this on YouTube as well? This will be streamed.

Will CRL come into play? I'm reading the chat here. Will CRL come into play when an org leaves the consortium? CRLs now are part of the fight and remember core relief from the channel also. There is a property there to specify the ones that are the certificates that are debunked, and you can also include this in the peers, in the nodes. So CRL comes into play when you want to disable a client. Yes, exactly. When maybe you have like a user and there have been some certificates enrolled for that user and you want to just disable the user from accessing the network. And this is something that doesn't usually happen, that some user is leaked.

Has anyone upgraded from 1.4? Well, I cannot answer this right now, but yes, it is possible to upgrade from 1.4 to 2.2.

How many orderers will we use? Three. As we saw here, we will use three orderers and one orderer organization. So this is divided. We don't have the Org1MSP running one orderer. There is one orderer organization that runs all of the orderers, and then the peers are in the other two organizations.

Okay, so if no one has any more questions, then I think we can start with the demo. So this is the QR for the GitHub. I will also paste this in Zoom. This QR, this is the one. Let me know if you can access it. I have just pasted it into the Zoom chat here. Let me know. Can someone give me an okay if they can access? Okay, perfect.

So let's start. Let's go to Visual Studio Code. So first, the basic structure of this repository. We have the MSP, we will remove this. These were folders that were created by kubectl but were empty. So we have the asset transfer basic. This is the smart contract that we want to deploy, because we were thinking either to have a Docker image that was already built or to build the image 
during the meetup, and we thought that it would be better to show, end to end, how to deploy a chaincode that we have here, that we have the source code here. We can build the Docker image on our machine, and you can deploy any chaincode. So if you modify the words in order to, instead of deploying this asset transfer basic, deploy another, then feel free to deploy it. Then we have the client, which is the API which will access the network, and if we see the environment variables, we will access the chaincode name asset in the channel name demo, MSPID or MSP, and these will be the parameters for the API. And then we have the resources, which will be the folder which is git-ignored, in order to keep all of the resources such as the certificates, etc. And that is the basic structure. And in the README, if we go to the start, we have all of the commands. See, this is how many lines, 800 lines. So with this and with the README of the client we will be able to run this workshop.

So let's start. First thing, what do we need? We need to create the Kubernetes cluster. To start deploying we need to have a Kubernetes cluster. We will use kind. In case you don't know, let's go quickly here. It is a project from the Kubernetes infrastructure group and it allows basically to deploy Kubernetes in Docker. So right now I have Docker on my Mac M1, and then I can deploy Kubernetes now with kind, even with multiple nodes. You can also use minikube, but there is something that needs to be taken care of, and that is that we're using domains in order to access the peers, which we will explain later. So we need these two ports open, 80 and 443, and this is why we have this configuration for kind. Basically, we'll have one node which is the control plane. If this was a Kubernetes cluster in production, then we would need to have multiple nodes, of course, but this is for testing. And we will just save this configuration in the resources kind 
config, and we will create the kind cluster with this configuration. This will take 30 seconds.

There is a question: the IBM Blockchain Platform plugin for VS Code was discontinued on 13th of December. I haven't personally used this one, the IBM Blockchain Platform plugin. But if you take a look after this meetup, you will be able to do what I think that IBM platform plugin does, which is basically a secure transactions. So I think it will help you better.

Okay, so this has been created. I have to save it in key for kind and then let's go to Lens. Lens is a tool in order to visualize the network. So we have now the kind configured in Lens, and we have no Hyperledger Fabric components deployed here, of course. We have the CoreDNS, the kind of proxies, or an empty... We have an empty word in this cluster right now. But the first thing that we need to do is install the Kubernetes operator. So what this step will do is install the CRDs, the common resource definitions, to deploy Fabric peers, CAs, etc., and deploy the program to deploy the nodes. So we will deploy a pod that will listen to the CRDs, so when a peer is created, then the operator will get into action to deploy these nodes. So first, since the Helm charts are deployed here, we need to add this Helm chart as a repository, with a force update. This is very important, because maybe there is a new Helm chart that was deployed, there is a newer version, and you want to ensure that you have access to the newer version. So we just install the operator. That will take a few seconds. And then we can check in Lens, so this is being deployed. Apart from this, at the left, in the custom resources, Lens can also show you the custom resources that have been defined. There will be a lot more because we will install also Istio, which we will explain what Istio is. And we have all of the resources that we can deploy: Fabric CA, Fabric chaincode, Fabric explorers, follower 
channel, main channel, network config. This is to generate a network config on the cluster as a secret. Fabric operation UI, API, these two are integrated. Fabric orderer node and Fabric peer. This is not to use, Fabric ordering service. This was for the early versions of the HLF operator. This is deprecated. So let's see in the pods if this has been created. Yeah, this is green right now, so this means that this has been created. Perfect.

Then we need to install the kubectl plugin. For this we will need to install Krew. So Krew is a repository of plugins. We can see it in... Also, I think it is part of the Kubernetes infrastructure, yeah. This is basically a repository for a lot of plugins. So you can install Krew. You can find the instructions here, quick start. So you can install and set it up on Mac, also on Windows... well, this is for Mac and Linux, or Mac and Linux and Windows. So you just install this Krew program and then you just execute this command in order to install the kubectl plugin. What this will allow you is to have a subcommand. So usually we have kubectl get pods or kubectl get deployments, but we will have right now kubectl hlf, which has a lot of commands that we will use. So for example, it has a subcommand that is the CA, and if we do kubectl hlf ca help, then we have the operations that we can do to a CA, which is basically create a Fabric CA, delete it, enroll and register. So this is just to ensure that you can execute the next commands.

Then we will install Istio. And the reason we need Istio is because we need an ingress. I think I don't have here a picture of the Istio, but basically let's do one now because we have time. So we have a Kubernetes cluster here, but we have a lot of peers here. 
So we can have peer0 Org1, we can have peer0 Org2, we can have also or zero or one, and so on, or one. So many nodes. And we have a client here, which we want to connect to all of these nodes, but we need an entry point. We need an entry point, which is the ingress, which in this case is Istio. It is called Istio ingress gateway. And this will redirect the traffic to each of these nodes. So we will have here, for example... And you will go to the or one and this is what this will want to the order one, and this client SDK will connect to this Istio ingress gateway. This is the goal.

So imagine that we have our domain name to be peer0.kfs.test, and we have also peer1.kfs.test, and we have a wildcard that all that is behind kfs.test maps to, replies to, 1.2.3.4. And then this Istio ingress gateway is listening on that IP. This needs to be a public IP, of course. So we can create any orderers or any peer behind this Istio, because all of the traffic will go here, will go to the Istio ingress gateway, and then the Istio ingress gateway will redirect based on the SNI. So routing based on SNI. That is why we need the Istio ingress gateway. So if we have peer0.kfs.test, it will redirect to peer0. If we have peer1.kfs.test, it will redirect to peer1, and this is what Istio will do based on the configuration that we do in this workshop, we will see. So this is why we need Istio, basically it's a load balancer for Kubernetes.

So let's install istioctl, the version 116.1, and it has here the export PATH, which has the full path. You will want to add this to your zshrc or bashrc, but we can export it here and add it to the path. And that's it. And this is to be able to create the namespace for the istio-system and to initialize the Istio operator. And if we go to Lens, this will start to deploy the Istio operator. Let's restart. 
Yeah, it has already started to deploy this operator, and we will find also... Yeah, we see here a custom resource for the Istio operator, which is what we will create in the next step, and Istio ingress gateway. And this is the kubectl apply that we're going to do. So we will create an Istio operator, of kind IstioOperator, an instance which we will call Istio gateway, in the namespace istio-system. It has some configuration. We're not going to get deep into Istio, we just want to configure it. But basically we'll have one ingress gateway, min replicas one. You can deploy it to be highly available, so you can have two ingress gateways, two pods for the same ingress gateway. And then you can configure the resources, and this is the tricky part, the service ports. Because remember that we have created, on the right, we have that the container port 30941 maps to the host port 80. And then we have here, in line 114, that the node port will be 30949, and this is why we need to specify this. So any request that we do to the 80, this will redirect to Istio. So imagine that we have org1-ca.localho.st:443, this will redirect to Istio. And if we do it with HTTPS, then it will redirect to this port, which then will redirect to the port where Istio is listening with HTTPS. And that is basically it. We will understand this when we see it working, but this is the basic experience.

So we have deployed right now the Istio operator. Then we're just going to create this instance of the Istio operator. And then let's go to Lens. We can go here to install Istio, Istio, and then edit the YAML. We can see here all of the fields that we have created, also with the ports. This is usually a better view for the resources in Kubernetes. This is now in a state of reconciling. And if we go to the pods, then the Istio ingress gateway. 
Well, it has been now created. So we will be fine. And the Istio operators are now healthy.

So next part will be the peer organization. But we need to configure the environment variables. And this is where, if you have a Mac M1, you will want to go with these environment variables. The reason why we're using Fabric CA 1.5.6 beta is because this is supported also on ARM, so on Mac M1, and it works just as the previous version. So this is why we have chosen to use this, and the orderer and peer image for Mac M1. Until Hyperledger Fabric 2.5 comes out, we're using some compiled images that someone has created for ARM. So in this case, as I'm using Mac M1, I will continue with these environment variables. Then we can define them here.

And configure internal DNS. So in order to understand this we need to know what this localho.st domain means. So let's go to dns.google.com and let's say peer0.localho.st. This is something that the Jos from IBM gave me this idea, because I saw some tutorial from them that he was using this one in order to emulate a domain name on localhost. So basically if I ask the DNS to give me the IP of this, of peer0.localho.st, it will give me my loopback IP, and this is a hack. So you can put whatever in front of localho.st, so operator.peer0, and it will always return... we can have multiple... it will always return the loopback IP. And why do we need this? 
Because we want that when we access this CA on port 443, what we're doing in fact is doing localhost 443, which then redirects to kind 443 port, and then redirects to the Istio ingress gateway HTTPS, and this is how we're able to manage the domain names. We have in the presentation... After the demo, I don't know if you saw... I need to... well, okay. So the local DNS architecture. So this is the developer machine, the huge box, and then we have the Kubernetes cluster listening on 80, 443. And the Fabric SDK client connects to the local network via localho.st. But in the case of the HLF operator, and the other peers and orderers, they cannot access localhost, because localhost is a container, a Docker container, and it doesn't have access to the Istio ingress gateway. So we are patching the CoreDNS in order to modify the logic, so that when localho.st or a wildcard or a subdomain of localho.st is requested to CoreDNS, it will return the IP of the service that the Istio ingress gateway is running on, and this is the hack that we need to use for localhost in order to use fully qualified domain names.

So we'll go to the code again. So in this step, the cluster IP, 179, we're getting the cluster IP. And if we call the cluster IP, it is 10.96.210.94. If we go to Lens and we go to the services tab, we have here that the cluster IP for the Istio ingress gateway is the same, 10.96.210.94. So we need to configure the config map for the CoreDNS, and in this config map what we're saying is that any subdomain or localho.st, that is why this regex, will go to the cluster IP. So that is the goal, and then we just apply this, and the operator and any peer will be able to access localho.st just as if we were on the developer machine. So we can just apply this. If you're running this for the first time it will throw you this warning, and then for the second time it just will tell you that the CoreDNS is unchanged. And with this we have solved the networking problem, for now. So we 
can now start to deploy the...

One question that is found in the world. Yeah. One question about production environment. Is it usable, these hacks, for production environment, or is it only for localhost that the planning? Yeah. In production environment, we need to set up like DNS records inside, for example, AWS, or how to do this?

So for developer environment is what we try to explain here. So in this diagram, you will have your domain, you know, and this is the ingress gateway. But there are some cloud services that allow you to have a public IP for a service, where this service is of type load balancer. So you can have, I don't know, 20 45 This one which is for master and then you will... You won't use that hack, because it's not helpful for you, because you have already drawn up in the DNS. So what you need to configure is a wildcard DNS and then point it to the public IP that will reach your ingress gateway. That is the thing. I don't know if you have any problems with this in production, or if you are trying to set up...

Mm-hmm. So I need like to do the same stuff on the kubectl apply for the DNS, but with another, like...

Ideally you want to have this mapping in the DNS provider that you are using. This could be in mch or Amazon Route 53, whatever DNS provider you have. But it's not advice to redirect the ingress gateway... Yeah, yeah, to redirect to the IP you're running the ingress gateway. So the key point is that you are able to access the IP here, the IP of the ingress gateway. This is the first step, and then to route the DNS to the IP. You will need of course firewalls. We will need the security for that. But that is the first step.

Okay, thanks.

So any other questions now that we're... Anyone? So, well, yeah, this is only for development. 
So for production or for UAT you shouldn't use this, because this would mean that this will only be accessible on localhost, basically.

So let's start going towards this picture, which is the goal. We will start with the Org1MSP, then the Org2MSP, and then we will finish with the orderer MSP. So the first thing is to deploy the organization, and we have here a diagram of the workflow. We need to first deploy the Fabric CA, which is the first step. And then, depending on the type of organization, we can either deploy a peer or an orderer node, and then once we have all of the organizations created, we can just create a channel. This is the workflow that will be repeated on all of the organizations.

So let's start with the first one, which is the Org1. We will create a certificate authority. The image is the one that we have declared before. The version is the same. This is for the Docker image. Storage class is standard. This is the one that kind provides, so you will need to change this according to the cloud provider you are running. Capacity, one gigabyte. This is more than enough. There are some cloud providers that don't allow you to have less than one gigabyte provisioned. The name of the CA in the cluster. If there is no namespace, this assumes that this will be deployed in the default namespace. Then the enroll ID and enroll password. We can have custom parameters for this. And the last part is for Istio, for us to be able to access this in Istio. So let's create it.

Okay, this has been created. We have a kubectl wait command here, which we can use in order to run this process sequentially. Imagine that you are in a CI/CD and you want to spin up a network every time that the repository changes.
So you can use these commands that supply a wait, and this will wait until the Fabric CA is running. If we go to Lens, then in the pods, this CA has been deployed already.

So after this we can do a basic check. We can do a curl to this org1-ca.localho.st on port 443, in order to look for the cainfo. This will also work in Google Chrome. So if I go here to Google Chrome, the authority is invalid because it is a self-signed certificate for the server. So we have the same. And we have the CA name, ca, but we have two CAs deployed: the CA, which is for signing, for the sign certificate, and the TLS CA, which is different, and this is for the servers, for the peers and the orderers.

So the next part is to register the peer, the peer user, using this CA register command. We're saying here that the CA that will be used in order to register this user will be the org1-ca, which is the one that we have already created. Then the user, which is the peer. This is the user name, and then the secret, peer pw. You can use whatever secret you want for your environment. And then the enroll ID and enroll secret, which are needed, which are the ones that we defined when we created the Fabric CA, and the MSP ID also. So we will register this user, the peer, and the reason why we need to create this user is because we need to create the peer, and then we need to pass, if we see here line 245, we need to specify the enroll ID, which is the peer, and then the enroll pw, which is the enroll password that will be used by the operator in order to go to the CA and then enroll the peer. And this will be used not only for this time, but also to renew the certificates of the peer, which is an operational task that is usually forgotten.

And state DB is CouchDB, storage class standard. These are parameters that are for the infrastructure. MSP ID, Org1MSP, this is very important.
This needs to match the one that we want this organization to be. Capacity, a gigabyte. The name of the peer, org1-peer0. The CA name to be used in order to enroll the certificates, and then the last two parameters are the same as for the CA, they are related to Istio. So we can create the peer0, and then, as we saw in this figure, we're going to create the peer1 also for the organization one. So let's do the same. It is the same command, but what have we changed? Well, let's create it first and then we explain what we have changed. It is the name, org1-peer1, this part, and then the host, which instead of peer0-org1 is peer1-org1. So this is the change. And then we have this command in order to wait for the peers to be created. It shouldn't take more than one minute to create these peers. So let's wait.

In the meantime, we can go to Lens. We can see that the peer0 for the Org1 has been created, and the org1-peer1 has been created also, and these commands will have finished. This has finished. So, in order to see some info about what has been created, we can go in Lens, on the left, to hlf.kungfusoftware.es, and we can go to the FabricPeer. Because the parameters that we have specified are too few, and there are many, many parameters in the FabricPeer. In fact, this is the resource with the most parameters in the HLF operator. So let's take a look at the parameters.
We have the affinity, which is if you want this peer to run only on specific nodes, which we are not using right now. CouchDB exporter, this is for the metrics, which we're not using. Most of these parameters, you can find the documentation on this page. The page is labs.hyperledger.org/hlf-operator, and you have here the operator guide. You have here how to change the state DB, or how to configure the CouchDB, how to configure the user, the password, the image for the CouchDB, etc. Monitoring: you have also documentation on how to configure the monitoring using the Prometheus operator. Renewing certificates, the same: you have a subcommand in order to renew the certificates for the peers and for the orderers. So there is lots of documentation on this web page that you will want to combine with this workshop if you want to get deep into Hyperledger Fabric and how to manage the network.

So you have the CouchDB: the image, password, user, the tag of the image. Discovery configuration, this is not usually changed. Environment variables, in case you want to customize the pod of the peer. External builders, which are the programs used to build the chaincode. We are using chaincode as a service, which is basically that the chaincode is running on a different pod, and we will explain this. External endpoint, and this is for other peers to connect to this peer, using peer0-org1.localho.st and the hack using CoreDNS. Gossip, which is the gossip configuration, also the endpoint for the gossip protocol, which is used in order to exchange private data. Then the hosts, and this is the hosts for Istio, and the ingress gateway used. Image pull policy, always. The image that will be used. Image pull secrets, in case you are fetching the image from a private repository, from a private container registry, so you can have pull secrets here. Logging, this is useful in order to change from info
to debug in order to debug a problem in the peer. The MSP ID, which is the one that we configured in the command. Replicas, which will be one most of the time, but if you want to shut down the peer then you can change this to zero and the peer will go down. Then the resources, which are the CPU and memory limits and the minimum resources for each of the components, mainly for the CouchDB and for the peer. If you are using a CouchDB exporter, which is another container that runs inside the pod, then you can also configure the limits for that.

And then we have, and this is the most important part, the secret: the enrollment for the component, which is for the sign certificate, and for the TLS, which is for the certificate that is used for the server. In theory you could use different CAs for each of them, for the signing and for the TLS, so you can have the CA host... In this case it's the same in order to simplify it, but you can have different ones. And we have the host here, which is the org1-ca.localho.st. And you have the CA name, and you see that the CA name on line 351 is different from the one on 360, because one is for signing and the other is for the TLS. We have on line 355 the TLS certificate for the CA, in order to trust that this is the CA that we want to connect to. And then the enroll ID and enroll secret, which are the user and password that we have used to register the user with the type peer. And then for the TLS we want the host to be available in this one, in the loopback, in localhost. This is the Kubernetes cluster org1-peer0.
This is customizable, custom hosts. You can customize this for your needs. So the certificate created for this peer will have all of these hosts in the certificate as SANs. And then the enroll ID and secret.

Okay, so, more parameters. We have the service type, which could be ClusterIP. If we go to the services, this is the service that can be configured, the one for the peer. And then the service monitor, this is for the monitoring. We're not using that at the moment. The state DB that will be used by the peer, which is the CouchDB. Storage, the storage used for each component. Chaincode is not being used because we are using chaincode as a service. This was an old container. So keep in mind that we're using only the CouchDB and the peer storage size, and you can use this in order to upgrade the storage programmatically. And then the tag of the image for the peer. Tolerations: there are some nodes that have some tolerations. For example, we had this problem of running Hyperledger Fabric peers on spot machines on Azure, and you cannot do that unless you specify a toleration. A toleration is that you can tell Kubernetes to deploy this node even on nodes that have some specific toleration. And then the certificate time, which is a date that is used by the command for renewing the certificates, which is this one.

So these are all of the parameters. You can follow the workshop and then inspect these parameters, and if you have any questions just raise a quick official or put a comment on YouTube or contact me directly.

We have a question from Daniel Sego. How easy is it to change one such default parameter at or after installation?
It depends on the parameter. I don't know if you are talking about channels or peers, but if it's for the peer then you just change it here, and the next step will be to restart the peer, because most of the configuration is in the config map. So changing this will not actually restart the peer. You will need to restart it manually, but other than that it's as easy as changing this. So imagine that I want the extra size for the org1-peer0 to change to seven gigabytes. I change it, and then I go to the persistent volume claims, and then it will need to be reflected here soon. We can check later, but it will need to be reflected here. You can also go here and then update it to seven gigabytes, for example. That is how easy it is to modify the parameters. The same can happen with the image. Imagine that you have another image or another tag for the CouchDB: just update this YAML and that's it.

So I wanted to do a deep dive on the peer configuration because it's one of the most complex in the operator, so if you have any questions just drop them here and we will answer them.

And okay, so let's continue. Right now, what we have done, let's go to the meetup goal. We have deployed these two, so let's put these two in green. We have deployed these two, and then let's go to the organization two. We will go much faster there because we have already seen how to deploy one.

Well, and then there are some commands here with openssl, which are used to check the connectivity with the peer. If this doesn't give you this certificate in PEM format, then you have a problem in your connectivity. And if we inspect this certificate in CertLogik, which is a page that I use in order to inspect any certificate, then something is wrong with your installation.
We can see here the certificate, which is for the peer, is from the TLS CA, yes, common name TLS CA, and it has all of the SANs, which, I don't know right now, what does this acronym mean? But I think it is alternative name servers, something like that. So that means that this peer has been deployed correctly. And then if we do the same with the peer1, we take the certificate, we go to CertLogik, and then the same will need to appear, but with the peer1, org1-peer1. We see this certificate is specific to this peer.

So let's deploy the CA for the organization two. We have created this for the organization two, then let's wait for this to be created. We go to Lens. The process repeats, everything is the same. Well, you know, once you know how to deploy an organization, then not many things can change apart from DNS or some storage configuration. So the org2 CA has been deployed and this is running. The condition has been met. We need to verify that we can access the CA. If not, again, some networking problem. There are two usual problems: that the CA hasn't been deployed correctly, or that the DNS or the networking is not working correctly.

Then we register the peer for this specific CA, and we can start to deploy the peers for the org2, so we will just execute these two. It's the same, but what changes is the name: instead of org1 it is org2. The CA name is different because we want to have these peers in another organization. And that's it, and the MSP ID changes. So these are the two changes. And then once this is deployed we will be able to do the test with openssl, the one that we did before. org2-peer0 has been deployed right now, and org2-peer1 is deployed right now.
So very, very, very fast. So let's go to the picture, and then let's put peer0 and peer1 as green. And now the final step for the deployment is to deploy the orderer organization with three nodes.

So in order to deploy an orderer organization, we need to create a certificate authority, well, you know how to do that, register a user orderer, with type, with password orderer pw, and then create the orderer, or the orderers in this case. Then, the same: we create the CA, CA image, CA version. The same repeats for every organization. And we will check the CA for the orderer organization.

Okay, the CA has been created, and we register the orderer user. Now, this is important: the type will be orderer, it will not be peer. If you change this to peer, then if you try to deploy the orderer node with a user that is a peer, this will not work. So we have registered this user, so we're ready to deploy the orderer nodes, and for the orderer nodes we will create three, as we stated previously.

And the parameters are the image, this is the orderer image, the orderer version. We have these variables from the start, which are these ones, for the orderer, 2.4.6. Then we have the storage class standard, the enroll ID, the orderer MSP. The orderer MSP must be the same for the three orderers. Then the enroll password is the one that we specified when registering the user. The capacity, two gigabytes. This is more than enough for a local network. The name will be ord-node1.
This must be different for each orderer. The CA name will be the one that we have just created. This is in the format of the name of the CA and the namespace. And then the last part is for Istio: the host that will be created in Istio in order to do the load balancing, and the Istio port will be 443, which is the one that we redirected from our machine to the kind cluster. So we can just create the three at once, and we can see here the FabricOrdererNodes, these three, created.

So in the meantime, while the orderers are created, we can quickly see the configuration. We have some fields that repeat, such as affinity. Bootstrap method, this was for earlier, for 2.2, because you could bootstrap the node with a genesis file. Channel participation enabled, true, because we're using the channel participation API. Genesis, empty, for the same reason. gRPC proxy, this is in order for you to use the Fabric Operations Console, you need the gRPC proxy. Host aliases, no need to comment on it now. Image, image pull secrets, in case you are fetching an image from a private container registry. The hosts for Istio, which are the same configuration as we saw in the peer. MSP ID, pull policy for the image, always. Replicas, one, which will be the default, but in case you want to shut down the peer you can set it to zero. The same secret, enrollment for the component and TLS. This is to enroll the user, the user that we created, the orderer, and the password, orderer pw, and going to the CA, the ord-ca in this case. And then the CSR, which is the certificate signing request, for which we can specify the common name and the hosts that we want to be in the certificate. Then the service type, which we recommend to be ClusterIP, but you can configure it in case you need it. Service monitor for the monitoring, storage for the persistent volume claim. Then the tag of the image. Tolerations, which is that if
you want to run this orderer on some node that has a specific toleration, you can configure that here, and the update certificate time in order to update the certificate. So those are the parameters. These are quite similar to the ones that we saw for the peer, but still there are some differences, such as this one, the channel participation enabled and genesis. But overall it is quite similar. Then we have the admin Istio, which is for the admin API, which is used for the channel participation. So this is also quite important if you want to access that admin API from Istio, or you can just disable it and not, internally via the cluster.

So while we explained the properties, we have here the orderers running already. The condition has been met. We can get pods in order to see that all of the pods are running, and then we can individually go to a specific orderer node, and if we're getting the certificate, this means that the orderer node has been deployed. And if we go to CertLogik here, let's encode it, let's decode it, sorry, let's put it here and decode it, and then we see that the certificate that has these SANs was created just now, 15 p.m. In not the chest, but well, this is the time that is now, more or less.

One question about orderers. Is it important to have, like, a separate CA for an orderer and separate organizations for the orderer node, or no?

I don't understand.

Like for the orderer, for an orderer node, is it mandatory to have separate organizations for the orderer, to have the orderer node, or can I use the same, like, some main organization and create the...

Do you mean, instead of having an extra organization, to have this here?

Yeah, yeah, yeah.

I haven't tried, but I think it's possible. It's possible, but I haven't tried. Because it seems more organized to have an organization that is responsible for the ordering service rather than having just all of the organizations taking care of that.
So usually there is one organization that takes care of this. The rest of the organizations just run one or two peers, but they're not really experts in Hyperledger, and leaving them running the orderer node could eventually cause a crash in the system because there are not enough orderer nodes in the network. So it really depends on who the participants are.

Yeah, yeah, you can just offer the ordering service.

The most experienced organization offers the ordering service and then the rest connect to it. If you have two organizations that are proficient in Hyperledger, then you can have two orderer organizations running the consensus, so that one has three and the other has another three, for example. Well, that is how I would orient the problem, how I would manage the problem.

Also a question about the peers. You said that you use two peers for each organization and three orderer nodes for the orderer. Is this just for availability, or does it work with only one peer for each organization?

It works, but in a production system you want to have multiple peers just in case one goes down. If you have only one peer, and that peer is then the anchor peer, and it happens to go down, then the peers that are not well known to the other organization... Imagine that this org2 peer goes down. Then they will not be able to connect, and they will not be able to know about the other peers of this organization. So basically this organization could be down. So that is why, in production at least, we need to have at least two peers, and both of them are anchor peers. This doesn't usually happen, but it's a possibility, and we want this not to happen, basically.

And both of them should be anchor peers.

Yeah, in case one fails.

Okay, I don't know if we will be able to finish. Okay, let's see some questions. For this configuration, have you done any testing?
No, I haven't. But feel free to do it and post in the repo if you want.

Are the orderers connected by Raft? Yes.

So right now the status is we have deployed all of the nodes, and we want to deploy the channel, which is the one that we need to do now.

I have a question regarding...

When you put it here we will answer it. In the meantime, let's create the channel. The channel creation is really easy with the latest release of the HLF operator, the 1.8.0. But first we need to register and enroll the OrdererMSP identity. So we need to register an admin user for the orderer organization. So let's register it, and let's enroll it using the kubectl plugin. As we do not have much time, I think that the commands are self-explanatory. For the register, we have already seen the parameters, and for the enroll we just pass the name and the CA and the namespace. We pass the user and secret that we want the user to have, admin and admin pw, and the MSP ID, OrdererMSP, and the CA name we want to use. Since we are using the admin participation API, we need to use the TLS CA in order to interact with the admin API. We can also have another CA, but we haven't implemented it in the operator. And the output will be resources, the OrdererMSP YAML, and this file will contain the certificate, which is this one, and the private key. And we need to do this also for the org1.
So we register the admin, which I think is already registered. Well, no, it's not registered. And then enroll it. And then, the same, we will have here in the resources the org1, which contains the certificate and the key. Then for the org2 we do the same. I'm reading the questions; as soon as we finish the creation of the channel and the deployment of the channel we will go to these questions. So the same for the organization, the admin for the organization two, and enroll.

And why do we need this? Because we need to create a Kubernetes secret for the operator, to pass the credentials to the operator, because the operator needs in one place the identity for the orderer in order to create the channel, and the identity for the org1, which will be the one that manages the channel. And everything needs to be an admin credential, because a client cannot administer a channel. So we create the secret, which is what we call wallet, and the namespace will be default, and we create it in Kubernetes. We can see it in Lens, in the storage, no, in the config part. We can see it, wallet, and we can see here the three channels, which we will reference later in the CRD for the creation of the channel, and everything is with an admin identity of each organization.

So here comes the crucial part: create the main channel. Don't worry about this part. Let's see the actual configuration of the channel. So the channel configuration is in the spec.
So first we will have the name, demo. And we have the admin orderer organizations, which are the OrdererMSP in this case, and the admin peer organizations. These organizations will be fetched from the cluster, from the CAs that are deployed in the cluster. Then we have the channel configuration. In this case we have the application configuration, with the ACLs, the capabilities, the policies, so you can configure the channel just by modifying this YAML. Then you have the configuration for the application and the configuration for the orderer. This is the most important part. If you want to do some tests with Caliper, you may want to tweak these parameters, which are the batch size of the orderer. Basically, what this means, in line 468, max message count, what this means is that there will be 10 transactions maximum in the block, so maybe you want to set this to 100 or to 120. And you can do this dynamically, so you can just modify this YAML and then the operator will take care of updating this using the admin credentials for the orderer organization. Then you have the batch timeout. You can modify the batch timeout, which is basically how often a block is created, every how much time: two seconds, three seconds, four seconds. You are free to configure this. The capabilities, the Raft. These are some options that you can look at tweaking.

And we're past the configuration of the channel. External orderer configurations: there are some possibilities that you don't have all of the orderers inside the Kubernetes cluster, so there is a way, and in the documentation, in the lab, you can reach out to me if you want, in case you have this problem of having orderer organizations that are not in your Kubernetes cluster.

Then in line 485 you have the peer organizations that will belong to the channel. In this case we will have two, Org1 and Org2, and there are two ways to reference the certificates. One is to reference the CA
name and the CA namespace. These are the organizations that are in the Kubernetes cluster. There are others, in line 501, that are external peer organizations, which are the same as the external orderer organizations, but you just need to set the MSP ID and then set the sign certificate and the TLS CA certificate, so the certificate authority certificates that belong to that organization. This is not needed for this demo, so it is empty.

And then line 492, which we skipped, but these are the identities that are going to be used, and this is why we needed the wallet. In order to submit a change in the channel you need an identity, and this is the part where the identities are configured. So basically we're telling the operator the secret name that it needs to check, the secret key, the OrdererMSP YAML, the secret namespace, which is default, and the same for the Org1MSP, but the key is different. But it's the same secret.

And then the orderer organization: we have the CA name and CA namespace, which are used in order to get both the TLS and sign certificates. The external orderers to join, the operator will take care of this. The MSP ID of this orderer organization. Orderer endpoints, this is again in the configuration of the channel. Orderers to join, since we have this standard orderers to join, this is okay. And then in line 518, this is not the orderers, this is the consenters. So here we are saying the host and the port of the consenter, combined with the TLS certificate. And this is why we need these environment variables, in order to fetch the certificates for the three orderers.

So let's execute this, and let's create the FabricMainChannel. Okay, created. Let's go to Lens, FabricMainChannel, and this needs to be running right now. And a cool feature of the operator also is that it creates a config map with the channel configuration. So if we put it here in the code, this is the raw configuration of the channel, and you have here the consenters.
So in case you need to debug, you can see the channel configuration in JSON from the channel itself, which is quite useful.

But now we have created the channel, but there are no peers. There are no peers inside the network. So we have to join the Org1MSP. I'm going fast because we're running out of time. So we need to know the orderer zero TLS cert, which we can echo, it is basically this one. And then in the FabricFollowerChannel we specify the anchor peers, of which we will have two. The HLF identity, which will be used in order to access and modify the channel for this organization. Remember, an organization can change its own anchor peers in the channel configuration, so this is something that only needs their own identity, as long as it's an admin identity. The name of the channel it wants to join, the orderers in order to fetch the block, and the peers to join, which in this case, since the peers are in the cluster, it can reach the peers inside the cluster. We don't have to specify external peers to join. If an organization has peers in the current cluster and in other clusters, then it will need to specify this property, which you can find in the documentation.

Then we copy and paste this, and we also copy and paste this for the Org2MSP, which is the same but with different anchor peers. The anchor peers are different, they are the ones for the organization two. And right now, if we look in Lens, FabricFollowerChannel, both are running, and there is a config map for each of them.
It's created. And the last one is demo org2, so we can take this and we can see the anchor peers. These are the anchor peers in the configuration for org1, and then the anchor peers for org2, and this is everything in the configuration.

Well, let's see the questions.

I have a question, when I try to install...

If it's okay for everyone, we can stay late. It's fine for me, in order to finalize the workshop.

When I try to install ercd 20 it shows... Well, for this, go to Discord and ask it there, better. Discord will be better for this question.

Can we create a channel with a single organization, or is a minimum of two organizations required to create a channel?

Yeah, you can create a channel with one organization. I have tried it out with two, one for the orderer and one for the peer.

And is this way of installing Fabric really much simpler than using the classical way? I mean, for simple use cases there are mostly default commands, but I can imagine if it gets more out of the box there are the same complexities as with configuring everything with...

I mean, the kubectl plugin really eases the initial configuration, so as you saw, we didn't have to deal with any configuration at all. We made sure that the configurations that need to change are configurable, and the others are left at the default, the ones that usually stay the same. So with this approach you will be able to even manage multiple clusters, multiple networks, and at Kung Fu Software we're managing more than 10 networks with Hyperledger Fabric.
So we are confident that this is better than using plain Kubernetes, based on our experience, of course.

Daniel: How are client certificates managed? Does the frontend app hold the user private key and cert, or is that needed on the server side?

The frontend doesn't hold the user private key and cert. Usually the frontend authenticates with Keycloak, and then the backend is secured and the backend has the private key and certificate, which is what we are doing in this workshop, in the future, because we haven't got there, into the part of the API.

And I don't know, David the boss will, if you want to stop here or we can keep going, David.

Well, I'm okay to keep going.

Okay, so let's continue. Install a chaincode. So this is the part where we will deploy the chaincode and then deploy the API. The API will be deployed locally, the chaincode will be deployed in the current cluster. So first what we need to do is inspect the channel config, generate the network config, and there is a command for that, which is kubectl hlf inspect. We're going to have the channel demo in the network config, the output will be here, this path, and there will be three organizations: the Org1, the Org2 and the OrdererMSP. So let's inspect it, and then let's see the network YAML. And we have the OrdererMSP organization with three orderers, the Org1MSP with two peers, the Org2MSP with two peers, and we have the URL.
We have everything generated for us, even the TLS CA certs. This is a network config that you can use already to connect with the network, but we're missing the part of the users. So what this network config needs to have is the admin, the certificate and private key for the organization one and for the organization two.

So we will register the admin, which is already registered, but you can use other admin credentials if you want. Then we enroll the admin for the organization one, and with this command, kubectl hlf utils adduser, using the user path that we have used in order to generate the certificate and private key for the enrollment, and using also the network config path, and also the organization, the username and MSP ID, we can add this user to the network config, which we will see now.

So if we go right now to the network YAML, Org1MSP, we will see here that in the user certificate there is an admin with the cert and the key, here in this line, but the Org2 doesn't have this user. So we need to repeat the same for the organization two to have a common network config with the users. So we register it, it will tell us that it's already registered, and then we enroll it, and then we add the user to the network config.

How do you secure server-side private keys? Do you do anything special? For this workshop, no. I have used HashiCorp Vault in other blades, so I recommend you look at that, HashiCorp Vault, in order to sign the data on transit.

Is there any support for cross-company coordination? Like if you have to send certificates between two companies that are totally separated and you don't want to use, like, email? Not at the moment. Not at the moment. There are some thoughts about that, but we haven't really started to implement that. Since these use cases are not common, we haven't stumbled into these use cases yet.

Can you precipitate that I was securing?
So we do not do anything here about securing the private keys, but I recommend you look at HashiCorp Vault, which has a feature that allows you to sign data on transit. Basically the keys are in HashiCorp Vault. You just send the data to HashiCorp Vault and HashiCorp Vault returns the data signed, but without you seeing the private key, without the applications seeing the private key.

Any chance to put the... In fact, right now these keys are in Kubernetes secrets, so this is what we're doing right now. And this is totally fine. I mean, there are secrets from Postgres that are stored in Kubernetes secrets, so I don't see anything wrong with that at the moment, but HashiCorp Vault is a more robust solution than this.

So let's get into the part. So, well, if we go to the network config, then we have the organization two. We have the users, the admin users, here. So we are ready to go. We're ready to install the chaincode, and to install the chaincode we need to have the metadata.json and the connection.json. We will create a tar, the code.tar.gz, with the connection.json, and then we will put it all together in the chaincode.tgz with the metadata.json and the code.tar.gz.

So what does the metadata.json contain? The metadata.json contains the type of the chaincode builder that we will use, which in this case is chaincode as a service. Let's show a diagram for this chaincode deployment architecture, because this is important to understand.
We have the Kubernetes cluster and we have the peer inside the Kubernetes cluster. So, before, the peer was the one that built the chaincode and then deployed the chaincode, but this is not happening in this workshop. What we are doing is deploying a chaincode in the cluster, which at the end is a pod. You can have multiple pods, of course, but it's usually a pod, and then the peer connects to the chaincode using the internal networking of Kubernetes. So this is why this is chaincode as a service, because the chaincode right now is in Kubernetes.

But if we see the other flow, the peer could connect to a tunnel that then connects to the developer machine, and then the chaincode is not within the Kubernetes cluster, but is in your machine, and you are able to execute any changes. This is not in this workshop, but this is to showcase that this is possible using chaincode as a service: to have the chaincode running locally in your developer machine and then have the network in the Kubernetes cluster, which can be local or can be in Azure or in any cloud, or on your premises even.

So that is why we need to have this type, ccaas, chaincode as a service, and the label will be asset, which is a descriptive name of what the chaincode does. Then we have the connection.json, in which we're specifying the address, which is the chaincode name, asset. This will be the service that will be used in order to connect to the chaincode, and the port will be 7052, which is the default chaincode, the default port for connecting to the chaincode.

So we just need to create these two. The metadata.json, right now this is created, and then we need to create the connection.json. Then we create the tar. We calculate the package ID, which is this one. Just for info, the package ID is just the combination of the chaincode name, which is asset, and the hash in SHA-256 of the chaincode. So it's just, if we calculate the hash, it is as
this: the hash in hex format of this file, plus the chaincode name with the semicolon.

In a production environment, we need to add our nodes to the DNS? Yes. And the communication will go through Istio.

And then once we have created this chip, then we can install the chaincode in all of the nodes. Then we will install the chaincode using the kubectl plugin, the kubectl hlf chaincode install. We go to the path, we specify the config, the network config. The language is not really needed; it was needed before. The label will be the chaincode label that we have defined earlier, and then the user that will be used for the organization and the peer, which will be one for the organization one, the peer where we want the chaincode to be stored. And then the same for the peer one in the organization one, and then the same for the peers in the organization two.

Then it comes the time to build the Docker image. So as we saw here, we need to deploy the chaincode, and in Kubernetes everything needs to have an image. So we will go to the asset-transfer-basic, which is the chaincode that we're going to deploy, and we have to deploy it with the Dockerfile. So we just build the Dockerfile, which is what we're going to do here. If you want to use another chaincode, then you can just take or modify this asset-transfer-basic and then deploy it, and then test your solution with the same network architecture.

So we just declare the image. This can go to a private container registry that you have, so it doesn't need to be this one.
This is the one that I have access to, which is located in Docker Hub. And then if you are using a Mac M1 you will need to specify the platform, linux/amd64. This is for me. Otherwise, if you are on Windows or Linux, then just this docker build, without the platform.

Then we can do this docker build, which I think will be cached, because I have executed this before, and then I can push the image to the Docker registry. Okay, and now we have the image in the container registry. We can see it in Docker Hub if we want, there, and this is the image, asset-transfer-basic-ts, which means TypeScript.

So the next step will be to deploy the container on the cluster, and we can use this externalchaincode sync, which will take the image, the name, which is the name for the deployment that will be created for the chaincode, then the namespace, the package ID, which is very important: if you don't update this after approving and committing, then the chaincode will not run. TLS required is false; since we are running this inside the Kubernetes cluster there is no need for TLS. And the replicas for the chaincode, which is one.

So when we execute this command, then we will see a deployment happening in Kubernetes. Create the external chaincode asset. You can use this command for creating or updating the chaincode with a new image. So if we go to Lens, Fabric, chaincode... Yeah, this is running already. So in the pod, well, this will be pulling the image, I think. Pulling the image took a while. It's still pulling the image.

But in the meantime we can... Well, this is a command in order to check the chaincodes that have been installed in a specific peer, but we saw that we have installed it with no issues. And then we need to approve the chaincode for the organization one and for the organization two, since we have two organizations. So we approve for the organization one. The policy, it is worth mentioning, is that both
organizations need to endorse the transaction in order for the transaction to go through. Then the version and the sequence, which is the one that we have declared here in lines 766 and 767. If we want to change the policy or to change the private data collections, which right now we are not using, then the sequence will need to increase for every change that we do. Right now, since it's the first one, we're starting with one, and the version can be whatever string that you want. It usually doesn't change.

So we need to do that for the organization two also, and then this will be approved. And then we just commit the chaincode definition, and this is now committed.

Then what we can do, using this subcommand of the kubectl plugin, is an invoke, using the network config, with the user admin in this peer, which is from the Org1MSP. We can invoke this chaincode on this channel, and then we can specify the function, which is InitLedger, and if we have more parameters we can call out the parameters by specifying this -a flag multiple times. So we can invoke this InitLedger. This will not return anything, just a transaction ID, which means that this has been committed, and then we can get the assets from the channel. And these are the assets. We can put this in a separate window. This is the JSON, so these are all of the assets.

And we can execute the same query but with the organization two. So GetAllAssets with organization two is going to return this one, going to the peer of organization two. Also, if we were to go to the second peer of the organization two, we would be able to get the results, because everything is synchronized across all of the nodes.

So the last step, I will pause here in order to see if there are any questions, the last step is to launch the API, which is the same that we have done here, but with an API written in Node.js.

So, is it possible to just enable one organization to issue client certificates? No, because this organization has access to their own Fabric CA, so it's not possible, because every organization has control over the CA, what certificates they use. So what you can do is, in the smart contract, restrict what functions you want a specific user from a set of organizations to execute.

How can I update the chaincode? You just build another image here. You change the code here, you build another image, and then I recommend you put a version here, so 1.0.0, 1.0.1, for every modification. Because if not, you will need to go to Lens and then go to the deployments, then go to the asset and then restart in order for the new pod to pick up the new image. So that is what I recommend.

Okay, so let's go to the client README. So the next step is to launch the API. For this step, head over to the client folder and follow the README instructions. So let's go to the client folder and follow the instructions. Let's make this a bit bigger.

So the first thing that we need to do is go to the client folder and then install the libraries. This is very important: you need to have Node.js installed. I have already installed the libraries, so this went very, very fast because they were already here in the node_modules. And then we can launch the server for the organization one, which will use these environment variables. So basically the channel name will be demo, the chaincode name will be asset, the MSP ID will be Org1, and the CA name will be org1-ca.default.
This is to sign up and log in users, which we are not using right now, but this is a feature that you will be able to see in the server.ts. Then the HLF user that will be used in order to send transactions, which is the one that we have configured in the network config, the admin user. Then the network config path, which is one folder above, resources/network.yaml, and then the port, which is 3003 for the organization one. And then if we see the organization two, it's 3004, and the only thing that changes is the MSP ID, which instead of Org1 is Org2, and then the CA name is different.

So let's open two different tabs, and in one tab I will run the server org1 dev. Okay, this is the API for the organization one. And in the other tab, I'll just go to the client folder and then let's run the organization two API. And now we have two APIs running with different organizations. These APIs could be executed in two completely different environments, so this doesn't need to be in the same Kubernetes cluster.

So right now we have the APIs launched and we have what we described, and then we can just start to execute the operations. So we have two endpoints: one is evaluate and the other is submit. And we just pass the function, as a shortcut it is fcn, and then the args, we just pass them as an array. So we can get all of the assets as organization one. We are using HTTPie, so this one I'm going to put in the chat, just in case you try to run these commands also.

So we just executed the GetAllAssets for the organization one. Let's do it for the organization two just to verify connectivity, and we get the assets back. Perfect. And then let's try to create an asset for the organization one.
The asset key will be AssetKey11. The arguments will be blue, these are the parameters of the chaincode, and this is the size and the appraised value. So these are parameters that you can use in your chaincode. And then let's submit this, create the asset as organization one, and let's get the asset created. And as you can see here, there is an owner, and the owner is the organization, semicolon, two dots here, and the ID of the user.

Okay, and then what we are going to do is to transfer the asset from the organization one to the organization two. But what happens if I try, and this is something that wasn't in the README, but what happens if I try to transfer using a user from the organization two? Then this will give us an error. It has gone to the two peers from the organization two. It said that the asset key is not owned by the organization two, obviously. It's owned by the organization one. So we need to use a user from the organization one and transfer it to the organization two, to the admin of the organization two, which is this ID.

Then this transfer was successful. This is the old owner. If we see in the asset-transfer-basic, in the contract, TransferAsset, it returns the old owner. So we're able to see here the old owner, and this is the new owner. But if we go back to the README, ReadAsset to verify owner. So let's actually see the source of truth, that the owner is the one that we just specified. And we see here in the owner, Org2MSP, and again, this is the ID of the certificate of the user.

Then as the organization two, I can update the asset. So instead of having the color blue, I'm going to set the asset to red. Okay, then... This is a void, actually, in the smart contract.
I don't know what this is being written about. Okay, so the asset has been updated, and then we are able to read the asset again to see the color, which is right now red, and the owner. And then, in order to finalize the API tutorial, the API workshop, we can transfer the asset back as organization two, back to the organization one. If we try to do this from the organization one, it will give us the same error, but from the peers of the organization one, that the asset key is not owned by the organization one. But right now the organization two can transfer it to the organization one. Then it returns the old owner, and we can read the asset again in order to verify the owner, which right now is the organization one. So we are like we started, but the only difference is that the organization two has changed the color from blue to red, but the owner is the same.

So, I mean, we have gone very, very, very fast through this one because we don't have much time, but feel free to go to the source code, make any pull request, study it, and ask in Discord in the HLF operator channel in order to improve this workflow, so that everyone in this call and everyone that watches on YouTube can learn more about this. So I don't know if there are any more questions about this. I will check.

How can I take the change of this one's answer before?

Can you share the GitHub link? This will also be in the YouTube video. Let's paste it here. This is the one. Perfect.

So I don't see any... I don't know how many we are left, but feel free to ask any question. I mean, the workshop has finished. So I just wanted to do an end-to-end test because I haven't really seen anyone do it in a workshop.
So with an API, with a chaincode that has a custom image, a custom Docker image, etc., and with so many organizations, because we have deployed two organizations with two peers and also one organization with the orderer nodes. So feel free to ask any question, or otherwise, thank you for listening and for attending. Any question, someone?

Do you have the last link? Yeah, I have the last link. This is the last link.

What transaction speed can we expect? It depends on the transactions per block that you have configured. You can take a look at the FabricMainChannel, and then from there you can configure it according to this.

Hi, hi, David. Is it possible? Disney cos is it possible to, and how is it possible to, not use Istio and use something else in its position to do the same thing?

Right now, it's not possible, if that is the question, because there are many organizations using many ingresses, so it will not be possible to support everyone. But there is a way that you can just use the HLF operator to deploy the nodes, but you will need to do the bridge with the ingress. So in theory it is possible. So you just deploy the peer and then you deploy whatever CRD that you need in order to work with your ingress. I don't know what ingress you want to work with, NGINX or HAProxy? I don't know what ingress you have in mind.

Yes, the classic, the NGINX, for example. Exactly.

Yeah. So, but yes, no, I mean, at this point it is interesting, is for the history of this tutorial here. So it's totally understood. And good work, by the way. Thanks.

Thank you. Because if we see more need for ingress then we will take a look to implement it, but we haven't seen it yet. So if there are not any more questions you can conclude, first one, if you want. The first one: is it possible?

Yeah, I'm here. Do you have a question?

Yeah, we have concluded. So there are no more questions. So if you want to conclude the meeting or...

Well, thanks so much.
Thanks everyone. Yeah, I'll end it on my end, and, yeah, the recording, I'll send out the links as we said to everybody who signed up. And thanks so much, David.

Thank you. Thank you so much for listening to me. One more thing: if you want to reach out to me, I saw some people that wanted to reach out to me and I can't answer all of them. So just add me on LinkedIn, David Viejo. I will put it here in the chat, and then we can keep talking there.

That's great. I'll share the LinkedIn link as well in the email.

Perfect. Perfect. Perfect. So thank you. Thank you everyone. Bye.

Thank you. Bye.