hyperledger.fabricx.orderer¶
Manages Fabric-X Orderer consenter, batcher, assembler, and router components across binary, container, and Kubernetes deployments.
Role Defaults¶
See defaults/main.yaml for the generated role defaults and inline variable descriptions.
ansible-doc¶
You can view the role documentation in your terminal running:
Tasks¶
start¶
Dispatch orderer startup by component and deployment mode
Dispatches consensus, batcher, assembler, or router startup to the selected bin, container, or k8s implementation. Consumes configuration, crypto, genesis, and TLS material prepared by the config and crypto entrypoints.
- name: Dispatch orderer startup by component and deployment mode
vars:
# Orderer component to manage; use `consensus` for the consenter process. Example: `consensus`, `batcher`, `assembler`, or `router`.
orderer_component_type: "router"
# Deployment backend selected by the top-level dispatcher.
orderer_deployment_mode: "{%- if orderer_use_bin -%}bin{%- elif orderer_use_openshift -%}openshift{%- elif orderer_use_k8s -%}k8s{%- else -%}container{%- endif -%}"
# Selects the binary deployment branch.
orderer_use_bin: false
# Selects the Kubernetes deployment branch.
orderer_use_k8s: false
# Selects the OpenShift deployment branch.
orderer_use_openshift: false
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: start
stop¶
Dispatch orderer shutdown by component and deployment mode
Dispatches component shutdown to the active binary, container, or Kubernetes lifecycle implementation. Stops the running orderer process or workload without removing generated config, crypto, genesis, or data artifacts.
- name: Dispatch orderer shutdown by component and deployment mode
vars:
# Orderer component to manage; use `consensus` for the consenter process. Example: `consensus`, `batcher`, `assembler`, or `router`.
orderer_component_type: "router"
# Deployment backend selected by the top-level dispatcher.
orderer_deployment_mode: "{%- if orderer_use_bin -%}bin{%- elif orderer_use_openshift -%}openshift{%- elif orderer_use_k8s -%}k8s{%- else -%}container{%- endif -%}"
# Selects the binary deployment branch.
orderer_use_bin: false
# Selects the Kubernetes deployment branch.
orderer_use_k8s: false
# Selects the OpenShift deployment branch.
orderer_use_openshift: false
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: stop
teardown¶
Dispatch orderer teardown by component and deployment mode
Dispatches component teardown to the selected deployment backend. Removes runtime resources for the consenter, batcher, assembler, or router while leaving reusable generated config and crypto cleanup to dedicated entrypoints.
- name: Dispatch orderer teardown by component and deployment mode
vars:
# Orderer component to manage; use `consensus` for the consenter process. Example: `consensus`, `batcher`, `assembler`, or `router`.
orderer_component_type: "router"
# Deployment backend selected by the top-level dispatcher.
orderer_deployment_mode: "{%- if orderer_use_bin -%}bin{%- elif orderer_use_openshift -%}openshift{%- elif orderer_use_k8s -%}k8s{%- else -%}container{%- endif -%}"
# Selects the binary deployment branch.
orderer_use_bin: false
# Selects the Kubernetes deployment branch.
orderer_use_k8s: false
# Selects the OpenShift deployment branch.
orderer_use_openshift: false
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: teardown
wipe¶
Remove orderer runtime state, config, and optional binary
Runs lifecycle teardown, removes generated orderer configuration and MSP/TLS material, and removes the installed binary when binary mode is selected. Use for a full role-local reset after generated artifacts have been fetched or are no longer needed.
- name: Remove orderer runtime state, config, and optional binary
vars:
# Selects the binary deployment branch.
orderer_use_bin: false
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: wipe
fetch_logs¶
Fetch orderer logs from the active deployment backend
Delegates log collection to the Kubernetes pod selector, container name, or binary process implementation according to the enabled deployment mode. Collects runtime logs for any orderer component without modifying config, crypto, or data artifacts.
- name: Fetch orderer logs from the active deployment backend
vars:
# Selects the Kubernetes deployment branch.
orderer_use_k8s: false
# Selects the OpenShift deployment branch.
orderer_use_openshift: false
# Selects the container deployment branch.
orderer_use_container: "{{ (not orderer_use_bin) and (not orderer_use_k8s) and (not orderer_use_openshift) }}"
# Selects the binary deployment branch.
orderer_use_bin: false
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: fetch_logs
ping¶
Check the orderer gRPC port
Checks the configured orderer gRPC listener for binary and container deployments. When Kubernetes mode is active, delegates to the NodePort ping branch so exposed Service ports can be checked from the control node.
- name: Check the orderer gRPC port
vars:
# gRPC port exposed by the orderer. Example: `7050`.
orderer_rpc_port: 7050
# Selects the Kubernetes deployment branch.
orderer_use_k8s: false
# Selects the OpenShift deployment branch.
orderer_use_openshift: false
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: ping
effective_address¶
Resolve the effective orderer metrics address
Compute the address used to reach an orderer operations metrics endpoint from outside its own host. Sets orderer_effective_metrics_address as an Ansible fact on the calling host. Resolution priority is OpenShift Route, then Kubernetes NodePort, then the plain host port. Accepts an orderer_host variable so the task can be called from any host in the inventory. All orderer-specific variables are read from hostvars[orderer_host].
- name: Resolve the effective orderer metrics address
vars:
# Inventory host whose orderer metrics endpoint should be resolved. Example: `orderer-router-1`.
orderer_host: "orderer-router-1"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: effective_address
get_metrics¶
Retrieve orderer Prometheus metrics
Fetches Prometheus metrics from the configured orderer operations endpoint. Delegates address resolution to the effective_address entry point.
- name: Retrieve orderer Prometheus metrics
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: get_metrics
bin/build¶
Build the orderer binary from source
Builds the orderer binary through the shared bin role using the configured Git repository, ref, and Go package path. Produces a binary that can be transferred and started for consenter, batcher, assembler, or router component modes.
- name: Build the orderer binary from source
vars:
# Binary name used by the bin branches.
orderer_bin_name: arma
# Git host used to resolve the orderer source repository.
orderer_git_hub_url: github.com
# Repository path for the orderer source code.
orderer_git_repo: hyperledger/fabric-x-orderer
# Git ref or release tag used by the bin build and install branches.
orderer_git_commit: v1.0.0-alpha.1
# Go package path that builds the orderer binary.
orderer_source_code_package: cmd/arma
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: bin/build
bin/install¶
Install the published orderer binary
Installs the configured released orderer binary through the shared bin role. Uses the Git host, repository, package path, and ref metadata to resolve the published binary package.
- name: Install the published orderer binary
vars:
# Binary name used by the bin branches.
orderer_bin_name: arma
# Go package path used by the install branch.
orderer_bin_package: "{{ orderer_git_hub_url }}/{{ orderer_git_repo }}/{{ orderer_source_code_package }}"
# Git host used to resolve the orderer source repository.
orderer_git_hub_url: github.com
# Repository path for the orderer source code.
orderer_git_repo: hyperledger/fabric-x-orderer
# Go package path that builds the orderer binary.
orderer_source_code_package: cmd/arma
# Git ref or release tag used by the bin build and install branches.
orderer_git_commit: v1.0.0-alpha.1
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: bin/install
bin/transfer¶
Transfer the orderer binary to the target host
Copies the built or downloaded orderer binary through the shared bin role. Prepares target hosts for binary-mode lifecycle tasks without rendering config or crypto.
- name: Transfer the orderer binary to the target host
vars:
# Binary name used by the bin branches.
orderer_bin_name: arma
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: bin/transfer
bin/rm¶
Remove the installed orderer binary
Deletes the installed orderer binary through the shared bin role. Does not remove generated config, crypto material, or persisted orderer data.
- name: Remove the installed orderer binary
vars:
# Binary name used by the bin branches.
orderer_bin_name: arma
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: bin/rm
bin/start¶
Start the orderer binary process
Ensures the binary-mode data directory exists and starts orderer_bin_name with the selected component subcommand and generated config file. Consumes remote config, genesis, MSP, and TLS material already transferred into the orderer config directory.
- name: Start the orderer binary process
vars:
# Binary name used by the bin branches.
orderer_bin_name: arma
# Orderer component to manage; use `consensus` for the consenter process. Example: `consensus`, `batcher`, `assembler`, or `router`.
orderer_component_type: "router"
# Shared base directory for generated configuration. Example: `/var/hyperledger/fabric-x/config/orderer/assembler-1`.
remote_config_dir: "/var/hyperledger/fabric-x/config/orderer/assembler-1"
# Shared base directory for persisted runtime data. Example: `/var/hyperledger/fabric-x/data/orderer/router-1`.
remote_data_dir: "/var/hyperledger/fabric-x/data/orderer/router-1"
# Remote directory where orderer configuration is written.
orderer_remote_config_dir: "{{ remote_config_dir }}"
# Remote directory where orderer data is stored.
orderer_remote_data_dir: "{{ remote_data_dir }}"
# Rendered orderer configuration filename.
orderer_config_file: node_config.yaml
# gRPC port exposed by the orderer. Example: `7050`.
orderer_rpc_port: 7050
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: bin/start
bin/stop¶
Stop the orderer binary process
Stops the orderer binary process through the shared bin role. Leaves the binary, generated config, crypto, logs, and persisted data in place for restart or inspection.
- name: Stop the orderer binary process
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: bin/stop
bin/fetch_logs¶
Fetch logs for the orderer binary process
Collects logs for the binary-mode orderer process through the shared bin role. Useful after running consenter, batcher, assembler, or router components directly on the host.
- name: Fetch logs for the orderer binary process
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: bin/fetch_logs
bin/teardown¶
Remove the orderer binary runtime state
Stops the binary-mode orderer process and removes its persisted data directory. Keeps generated configuration and crypto artifacts under the config directory for explicit cleanup or later reuse.
- name: Remove the orderer binary runtime state
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: bin/teardown
container/start¶
Start the orderer container
Ensures the host data directory exists and starts the orderer container with the selected component command. Mounts generated config and TLS/MSP material read-only, mounts the data directory read-write, and exposes gRPC and operations ports.
- name: Start the orderer container
vars:
# Orderer component to manage; use `consensus` for the consenter process. Example: `consensus`, `batcher`, `assembler`, or `router`.
orderer_component_type: "router"
# Container name used by the container lifecycle branch.
orderer_container_name: "{{ inventory_hostname }}"
# Full image reference used by the container and Kubernetes branches.
orderer_image: "{{ orderer_registry_endpoint }}/{{ orderer_image_name }}:{{ orderer_image_tag }}"
# Registry prefix used to build the orderer image reference.
orderer_registry_endpoint: "{{ lookup('env', 'ORDERER_REGISTRY_ENDPOINT') or 'docker.io/hyperledger' }}"
# Image name used for the orderer container.
orderer_image_name: fabric-x-orderer
# Image tag used for the orderer container.
orderer_image_tag: 1.0.0-alpha.1
# Shared base directory for generated configuration. Example: `/var/hyperledger/fabric-x/config/orderer/assembler-1`.
remote_config_dir: "/var/hyperledger/fabric-x/config/orderer/assembler-1"
# Shared base directory for persisted runtime data. Example: `/var/hyperledger/fabric-x/data/orderer/router-1`.
remote_data_dir: "/var/hyperledger/fabric-x/data/orderer/router-1"
# Remote directory where orderer configuration is written.
orderer_remote_config_dir: "{{ remote_config_dir }}"
# Remote directory where orderer data is stored.
orderer_remote_data_dir: "{{ remote_data_dir }}"
# Container path where orderer configuration is mounted.
orderer_container_config_dir: /config
# Container path where orderer data is mounted.
orderer_container_data_dir: /data
# Rendered orderer configuration filename.
orderer_config_file: node_config.yaml
# gRPC port exposed by the orderer. Example: `7050`.
orderer_rpc_port: 7050
# Operations endpoint port exposed by the orderer. This endpoint serves operational APIs and Prometheus metrics. Example: `7060`.
orderer_operations_port: 7060
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: container/start
container/stop¶
Stop the orderer container
Stops the named orderer container through the shared container role. Leaves the container definition, mounted config, crypto material, and persisted data for restart or inspection.
- name: Stop the orderer container
vars:
# Container name used by the container lifecycle branch.
orderer_container_name: "{{ inventory_hostname }}"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: container/stop
container/rm¶
Remove the orderer container
Deletes the named orderer container through the shared container role. Does not remove host-side generated config, crypto material, or persisted data directories.
- name: Remove the orderer container
vars:
# Container name used by the container lifecycle branch.
orderer_container_name: "{{ inventory_hostname }}"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: container/rm
container/fetch_logs¶
Fetch logs from the orderer container
Collects logs for the configured orderer container. Covers consenter, batcher, assembler, and router containers by using the role's container name.
- name: Fetch logs from the orderer container
vars:
# Container name used by the container lifecycle branch.
orderer_container_name: "{{ inventory_hostname }}"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: container/fetch_logs
container/teardown¶
Remove the orderer container runtime state
Deletes the orderer container and removes its persisted data directory. Keeps generated config and crypto artifacts on the host unless the config or crypto cleanup entrypoints are run.
- name: Remove the orderer container runtime state
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: container/teardown
data/rm¶
Remove orderer persisted data
Deletes the orderer data directory for binary and container deployments. In Kubernetes mode, removes the orderer PVC so StatefulSet-managed component data can be recreated.
- name: Remove orderer persisted data
vars:
# Remote directory where orderer data is stored.
orderer_remote_data_dir: "{{ remote_data_dir }}"
# Shared base directory for persisted runtime data. Example: `/var/hyperledger/fabric-x/data/orderer/router-1`.
remote_data_dir: "/var/hyperledger/fabric-x/data/orderer/router-1"
# Selects the Kubernetes deployment branch.
orderer_use_k8s: false
# Selects the OpenShift deployment branch.
orderer_use_openshift: false
# Kubernetes namespace used for orderer resources. Example: `fabricx-orderer`.
k8s_namespace: "fabricx-orderer"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: data/rm
config/transfer¶
Render and transfer orderer configuration
Renders the component-specific orderer config for consensus, batcher, assembler, or router. Copies the genesis block from configtxgen artifacts, writes data and config paths for the selected deployment mode, and prepares optional TLS, mTLS, metrics, and Kubernetes ConfigMap artifacts.
- name: Render and transfer orderer configuration
vars:
# Orderer component to manage; use `consensus` for the consenter process. Example: `consensus`, `batcher`, `assembler`, or `router`.
orderer_component_type: "router"
# Shared base directory for generated configuration. Example: `/var/hyperledger/fabric-x/config/orderer/assembler-1`.
remote_config_dir: "/var/hyperledger/fabric-x/config/orderer/assembler-1"
# Shared base directory for persisted runtime data. Example: `/var/hyperledger/fabric-x/data/orderer/router-1`.
remote_data_dir: "/var/hyperledger/fabric-x/data/orderer/router-1"
# Remote directory where orderer configuration is written.
orderer_remote_config_dir: "{{ remote_config_dir }}"
# Remote directory where orderer data is stored.
orderer_remote_data_dir: "{{ remote_data_dir }}"
# Container path where orderer configuration is mounted.
orderer_container_config_dir: /config
# Container path where orderer data is mounted.
orderer_container_data_dir: /data
# Configuration path embedded into rendered orderer files.
orderer_config_dir: "{{ orderer_remote_config_dir if orderer_use_bin else orderer_container_config_dir }}"
# Data path embedded into rendered orderer files.
orderer_data_dir: "{{ orderer_remote_data_dir if orderer_use_bin else orderer_container_data_dir }}"
# Rendered orderer configuration filename.
orderer_config_file: node_config.yaml
# Control-node directory containing configtxgen artifacts. Example: `/tmp/fabric-x/artifacts/configtxgen`.
configtxgen_artifacts_dir: "/tmp/fabric-x/artifacts/configtxgen"
# Channel identifier used to derive the genesis block filename. Example: `fabricx-channel`.
channel_id: "fabricx-channel"
# Genesis block filename copied into the config directory.
orderer_genesis_block_file: "{{ channel_id }}_block.pb"
# Selects the binary deployment branch.
orderer_use_bin: false
# Enables server-side TLS in the rendered config.
orderer_use_tls: false
# Enables client mutual TLS in the rendered config.
orderer_use_mtls: false
# Selects the Kubernetes deployment branch.
orderer_use_k8s: false
# Selects the OpenShift deployment branch.
orderer_use_openshift: false
# IP address on which the orderer gRPC server binds. Example: `0.0.0.0`.
orderer_listen_address: "0.0.0.0"
# gRPC port exposed by the orderer. Example: `7050`.
orderer_rpc_port: 7050
# Interval between client keepalive pings to other orderer nodes. Example: `1m0s`.
orderer_keepalive_client_interval: "1m0s"
# Time the orderer client waits for a keepalive response before closing the connection. Example: `20s`.
orderer_keepalive_client_timeout: "20s"
# Minimum permitted interval between client pings to the orderer gRPC server. Example: `1m0s`.
orderer_keepalive_server_min_interval: "1m0s"
# Interval between server keepalive pings to connected clients. Example: `2h0m0s`.
orderer_keepalive_server_interval: "2h0m0s"
# Time the orderer server waits for a keepalive response before closing the connection. Example: `20s`.
orderer_keepalive_server_timeout: "20s"
# Initial delay used by the orderer gRPC client backoff policy. Example: `1s`.
orderer_backoff_base_delay: "1s"
# Multiplier applied to orderer gRPC client retry backoff delays. Example: `1.6`.
orderer_backoff_multiplier: 1.6
# Maximum delay used by the orderer gRPC client backoff policy. Example: `2m0s`.
orderer_backoff_max_delay: "2m0s"
# Maximum message size in bytes the orderer gRPC server and client can receive. Example: `104857600`.
orderer_max_recv_msg_size: 104857600
# Maximum message size in bytes the orderer gRPC server and client can send. Example: `104857600`.
orderer_max_send_msg_size: 104857600
# Bootstrap method written to `General.Bootstrap.Method` in the orderer config. Example: `block`.
orderer_bootstrap_method: "block"
# Maximum number of messages in the orderer cluster egress buffer. Example: `100`.
orderer_cluster_send_buffer_size: 100
# Optional block replication policy written to `General.Cluster.ReplicationPolicy`.
orderer_cluster_replication_policy: "string"
# Preferred blockchain crypto service provider for the orderer. Example: `SW`.
orderer_bccsp_default: "SW"
# Hash algorithm for the software blockchain crypto provider. Example: `SHA2`.
orderer_bccsp_sw_hash: "SHA2"
# Security level for the software blockchain crypto provider. Example: `256`.
orderer_bccsp_sw_security: 256
# Optional key store path for the software blockchain crypto provider.
orderer_bccsp_sw_file_key_store: "string"
# PKCS#11 module library path used when `orderer_bccsp_default` is `PKCS11`.
orderer_bccsp_pkcs11_library: "string"
# PKCS#11 token label used by the orderer crypto provider.
orderer_bccsp_pkcs11_label: "string"
# PKCS#11 user PIN used by the orderer crypto provider.
orderer_bccsp_pkcs11_pin: "string"
# Hash algorithm for the PKCS#11 crypto provider.
orderer_bccsp_pkcs11_hash: "string"
# Security level for the PKCS#11 crypto provider.
orderer_bccsp_pkcs11_security: 1000
# Optional key store path for the PKCS#11 crypto provider.
orderer_bccsp_pkcs11_file_key_store: "string"
# Logging specification written to `General.LogSpec`. Example: `info`.
orderer_log_spec: "info"
# Controls whether router and batcher validate signatures in client requests. Example: `false`.
orderer_client_signature_verification_required: false
# Operations endpoint port exposed by the orderer. This endpoint serves operational APIs and Prometheus metrics. Example: `7060`.
orderer_operations_port: 7060
# IP address on which the orderer operations server binds. Example: `0.0.0.0`.
orderer_operations_listen_address: "0.0.0.0"
# Enables TLS for the orderer operations endpoint.
orderer_operations_use_tls: false
# Enables client mutual TLS for the orderer operations endpoint.
orderer_operations_use_mtls: "{{ orderer_use_mtls }}"
# Client identifiers whose TLS CA certificates are trusted by the operations endpoint. Trusts fetched `tls/ca.crt` files under those artifact directories. Example: `['prometheus-1']`.
orderer_operations_mtls_clients:
- "prometheus-1"
# Organization dictionaries whose TLS CA certificates are trusted by the operations endpoint. Example: `[{'name': 'Org1', 'domain': 'org1.example.com'}]`.
orderer_operations_mtls_orgs:
- name: "Org1"
domain: "org1.example.com"
# Metrics provider written to the orderer `Metrics.Provider` setting. Example: `prometheus`.
orderer_metrics_provider: "prometheus"
# Metrics logging interval written to `Metrics.MetricsLogInterval`; `0s` disables periodic logging. Example: `0s`.
orderer_metrics_log_interval: "0s"
# Client identifiers whose mTLS CA certificates are mounted or transferred. Trusts fetched `tls/ca.crt` files under those artifact directories. Example: `['loadgen-1', 'gateway-1']`.
orderer_mtls_clients:
- "loadgen-1"
- "gateway-1"
# Organization dictionaries whose mTLS CA certificates are mounted or transferred. Example: `[{'name': 'Org1', 'domain': 'org1.example.com'}, {'name': 'Org2', 'domain': 'org2.example.com'}]`.
orderer_mtls_orgs:
- name: "Org1"
domain: "org1.example.com"
- name: "Org2"
domain: "org2.example.com"
# Organization metadata shared by the orderer crypto and config branches. Example: `{'name': 'OrdererOrg1', 'domain': 'ordererorg1.example.com', 'role': 'orderer', 'fabric_ca_host': 'fca-orderer-org1', 'orderer': {'name': 'orderer-router-1', 'secret': 'orderer-router-1PWD'}}`.
organization:
name: "OrdererOrg1"
domain: "ordererorg1.example.com"
role: "orderer"
fabric_ca_host: "fca-orderer-org1"
orderer:
name: "orderer-router-1"
secret: "orderer-router-1PWD"
# Numeric party identifier written to `PartyID` in the orderer configuration. Example: `1`.
orderer_group: 1
# Batcher shard identifier written only by the batcher template. Example: `0`.
orderer_shard_id: 0
# Number of connections the router opens to each batcher. Example: `10`.
orderer_router_number_of_connections_per_batcher: 10
# Number of streams the router opens per connection to a batcher. Example: `5`.
orderer_router_number_of_streams_per_connection: 5
# Maximum batch sequence distance primary batchers allow before waiting for secondaries. Example: `10`.
orderer_batcher_batch_sequence_gap: 10
# Maximum number of requests permitted in the batcher request pool. Example: `1000000`.
orderer_batcher_mem_pool_max_size: 1000000
# Time a client can wait when submitting a request into the batcher pool. Example: `500ms`.
orderer_batcher_submit_timeout: "500ms"
# Maximum memory in bytes used by the assembler prefetch buffer. Example: `1073741824`.
orderer_assembler_prefetch_buffer_memory_bytes: 1073741824
# Timeout for assembler ledger scanning during restart. Example: `5s`.
orderer_assembler_restart_ledger_scan_timeout: "5s"
# Time-to-live for evicting prefetched assembler batches. Example: `1h`.
orderer_assembler_prefetch_eviction_ttl: "1h"
# Timeout for assembler pop-wait monitoring. Example: `1s`.
orderer_assembler_pop_wait_monitor_timeout: "1s"
# Channel size for assembler replication messages. Example: `100`.
orderer_assembler_replication_channel_size: 100
# Channel size for assembler batch request messages. Example: `1000`.
orderer_assembler_batch_requests_channel_size: 1000
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: config/transfer
config/mtls/transfer¶
Transfer mTLS CA certificates for orderer clients and orgs
Copies trusted client and organization TLS CA certificates into the orderer mTLS directory structure. Consumes fetched client tls/ca.crt files and peer organization tlsca certificates so generated configs can enable client mutual TLS.
- name: Transfer mTLS CA certificates for orderer clients and orgs
vars:
# Shared base directory for generated configuration. Example: `/var/hyperledger/fabric-x/config/orderer/assembler-1`.
remote_config_dir: "/var/hyperledger/fabric-x/config/orderer/assembler-1"
# Control-node directory containing fetched crypto artifacts. Example: `/tmp/fabric-x/artifacts/fetched`.
fetched_artifacts_dir: "/tmp/fabric-x/artifacts/fetched"
# Remote directory where orderer configuration is written.
orderer_remote_config_dir: "{{ remote_config_dir }}"
# Client identifiers whose mTLS CA certificates are mounted or transferred. Trusts fetched `tls/ca.crt` files under those artifact directories. Example: `['loadgen-1', 'gateway-1']`.
orderer_mtls_clients:
- "loadgen-1"
- "gateway-1"
# Organization dictionaries whose mTLS CA certificates are mounted or transferred. Example: `[{'name': 'Org1', 'domain': 'org1.example.com'}, {'name': 'Org2', 'domain': 'org2.example.com'}]`.
orderer_mtls_orgs:
- name: "Org1"
domain: "org1.example.com"
- name: "Org2"
domain: "org2.example.com"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: config/mtls/transfer
config/mtls/operations/transfer¶
Transfer Operations mTLS CA certificates for orderer clients and orgs
Copies trusted client and organization TLS CA certificates into the orderer mTLS directory structure for the Operations endpoint. Consumes fetched client tls/ca.crt files and peer organization tlsca certificates so generated configs can enable operations mutual TLS.
- name: Transfer Operations mTLS CA certificates for orderer clients and orgs
vars:
# Shared base directory for generated configuration. Example: `/var/hyperledger/fabric-x/config/orderer/assembler-1`.
remote_config_dir: "/var/hyperledger/fabric-x/config/orderer/assembler-1"
# Control-node directory containing fetched crypto artifacts. Example: `/tmp/fabric-x/artifacts/fetched`.
fetched_artifacts_dir: "/tmp/fabric-x/artifacts/fetched"
# Remote directory where orderer configuration is written.
orderer_remote_config_dir: "{{ remote_config_dir }}"
# Client identifiers whose TLS CA certificates are trusted by the operations endpoint. Trusts fetched `tls/ca.crt` files under those artifact directories. Example: `['prometheus-1']`.
orderer_operations_mtls_clients:
- "prometheus-1"
# Organization dictionaries whose TLS CA certificates are trusted by the operations endpoint. Example: `[{'name': 'Org1', 'domain': 'org1.example.com'}]`.
orderer_operations_mtls_orgs:
- name: "Org1"
domain: "org1.example.com"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: config/mtls/operations/transfer
config/rm¶
Remove orderer configuration
Deletes the orderer configuration directory, including rendered config, genesis block, mTLS trust bundles, and deployment-local config artifacts. In Kubernetes mode, also delegates removal of the orderer ConfigMap.
- name: Remove orderer configuration
vars:
# Shared base directory for generated configuration. Example: `/var/hyperledger/fabric-x/config/orderer/assembler-1`.
remote_config_dir: "/var/hyperledger/fabric-x/config/orderer/assembler-1"
# Remote directory where orderer configuration is written.
orderer_remote_config_dir: "{{ remote_config_dir }}"
# Selects the Kubernetes deployment branch.
orderer_use_k8s: false
# Selects the OpenShift deployment branch.
orderer_use_openshift: false
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: config/rm
config/transfer_grafana_dashboard¶
Copy the orderer Grafana dashboard
Publishes the bundled Fabric-X Orderer Grafana dashboard through the grafana role. The dashboard consumes Prometheus scrape targets produced for consenter, batcher, assembler, and router metrics endpoints.
- name: Copy the orderer Grafana dashboard
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: config/transfer_grafana_dashboard
crypto/setup¶
Prepare orderer crypto material
Validates TLS and mTLS prerequisites, provisions orderer MSP and TLS material through cryptogen or Fabric CA, and optionally creates the Kubernetes Secret. Produces the crypto artifacts consumed by config rendering, binary/container mounts, and Kubernetes workloads.
- name: Prepare orderer crypto material
vars:
# Enables server-side TLS in the rendered config.
orderer_use_tls: false
# Enables client mutual TLS in the rendered config.
orderer_use_mtls: false
# Enables TLS for the orderer operations endpoint.
orderer_operations_use_tls: false
# Enables client mutual TLS for the orderer operations endpoint.
orderer_operations_use_mtls: "{{ orderer_use_mtls }}"
# Organization metadata shared by the orderer crypto and config branches. Example: `{'name': 'OrdererOrg1', 'domain': 'ordererorg1.example.com', 'role': 'orderer', 'fabric_ca_host': 'fca-orderer-org1', 'orderer': {'name': 'orderer-router-1', 'secret': 'orderer-router-1PWD'}}`.
organization:
name: "OrdererOrg1"
domain: "ordererorg1.example.com"
role: "orderer"
fabric_ca_host: "fca-orderer-org1"
orderer:
name: "orderer-router-1"
secret: "orderer-router-1PWD"
# Selects the Kubernetes deployment branch.
orderer_use_k8s: false
# Selects the OpenShift deployment branch.
orderer_use_openshift: false
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: crypto/setup
crypto/cryptogen/transfer¶
Transfer cryptogen-generated orderer crypto material
Copies cryptogen-generated MSP and TLS artifacts for the orderer identity into the remote configuration directory. Consumes the cryptogen artifact tree for the orderer organization and prepares material for local mounts or Kubernetes Secret creation.
- name: Transfer cryptogen-generated orderer crypto material
vars:
# Control-node directory containing cryptogen-generated crypto artifacts. Example: `/tmp/fabric-x/artifacts/cryptogen`.
cryptogen_artifacts_dir: "/tmp/fabric-x/artifacts/cryptogen"
# Shared base directory for generated configuration. Example: `/var/hyperledger/fabric-x/config/orderer/assembler-1`.
remote_config_dir: "/var/hyperledger/fabric-x/config/orderer/assembler-1"
# Organization metadata shared by the orderer crypto and config branches. Example: `{'name': 'OrdererOrg1', 'domain': 'ordererorg1.example.com', 'role': 'orderer', 'fabric_ca_host': 'fca-orderer-org1', 'orderer': {'name': 'orderer-router-1', 'secret': 'orderer-router-1PWD'}}`.
organization:
name: "OrdererOrg1"
domain: "ordererorg1.example.com"
role: "orderer"
fabric_ca_host: "fca-orderer-org1"
orderer:
name: "orderer-router-1"
secret: "orderer-router-1PWD"
# Orderer identity name used to derive crypto artifact paths.
orderer_crypto_name: "{{ organization.orderer.name | default(inventory_hostname) }}"
# Remote directory where orderer configuration is written.
orderer_remote_config_dir: "{{ remote_config_dir }}"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: crypto/cryptogen/transfer
crypto/fabric_ca/enroll¶
Enroll the orderer with Fabric CA
Copies the Fabric CA TLS certificate when needed and enrolls both MSP and TLS identities for the orderer host. Writes generated MSP and server TLS material into the orderer config directory for later config, runtime, and fetch tasks.
- name: Enroll the orderer with Fabric CA
vars:
# Control-node directory containing fetched crypto artifacts. Example: `/tmp/fabric-x/artifacts/fetched`.
fetched_artifacts_dir: "/tmp/fabric-x/artifacts/fetched"
# Real machine host. Example: `myvpc.cloud.ibm.com`.
actual_host: "myvpc.cloud.ibm.com"
# Shared base directory for generated configuration. Example: `/var/hyperledger/fabric-x/config/orderer/assembler-1`.
remote_config_dir: "/var/hyperledger/fabric-x/config/orderer/assembler-1"
# Organization metadata shared by the orderer crypto and config branches. Example: `{'name': 'OrdererOrg1', 'domain': 'ordererorg1.example.com', 'role': 'orderer', 'fabric_ca_host': 'fca-orderer-org1', 'orderer': {'name': 'orderer-router-1', 'secret': 'orderer-router-1PWD'}}`.
organization:
name: "OrdererOrg1"
domain: "ordererorg1.example.com"
role: "orderer"
fabric_ca_host: "fca-orderer-org1"
orderer:
name: "orderer-router-1"
secret: "orderer-router-1PWD"
# Orderer identity name used to derive crypto artifact paths.
orderer_crypto_name: "{{ organization.orderer.name | default(inventory_hostname) }}"
# Remote directory where orderer configuration is written.
orderer_remote_config_dir: "{{ remote_config_dir }}"
# Specifies the OpenShift Route host. Example: `orderer-rpc.apps.example.com`.
orderer_openshift_route: "orderer-rpc.apps.example.com"
# Specifies the OpenShift Route host for the operations/metrics endpoint. Example: `orderer-metrics.apps.example.com`.
orderer_openshift_metrics_route: "orderer-metrics.apps.example.com"
# Enables TLS for the orderer operations endpoint.
orderer_operations_use_tls: false
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: crypto/fabric_ca/enroll
crypto/fetch¶
Fetch orderer certificates to the control node
Fetches the orderer sign certificate, TLS server certificate, and TLS CA certificate to the control node. Publishes artifacts consumed by downstream config generation, client mTLS trust bundles, and other roles.
- name: Fetch orderer certificates to the control node
vars:
# Control-node directory containing fetched crypto artifacts. Example: `/tmp/fabric-x/artifacts/fetched`.
fetched_artifacts_dir: "/tmp/fabric-x/artifacts/fetched"
# Shared base directory for generated configuration. Example: `/var/hyperledger/fabric-x/config/orderer/assembler-1`.
remote_config_dir: "/var/hyperledger/fabric-x/config/orderer/assembler-1"
# Organization metadata shared by the orderer crypto and config branches. Example: `{'name': 'OrdererOrg1', 'domain': 'ordererorg1.example.com', 'role': 'orderer', 'fabric_ca_host': 'fca-orderer-org1', 'orderer': {'name': 'orderer-router-1', 'secret': 'orderer-router-1PWD'}}`.
organization:
name: "OrdererOrg1"
domain: "ordererorg1.example.com"
role: "orderer"
fabric_ca_host: "fca-orderer-org1"
orderer:
name: "orderer-router-1"
secret: "orderer-router-1PWD"
# Orderer identity name used to derive crypto artifact paths.
orderer_crypto_name: "{{ organization.orderer.name | default(inventory_hostname) }}"
# Remote directory where orderer configuration is written.
orderer_remote_config_dir: "{{ remote_config_dir }}"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: crypto/fetch
crypto/rm¶
Remove orderer crypto material
Deletes the orderer MSP and TLS directories from the config path. In Kubernetes mode, also delegates deletion of the Secret that mounted MSP and TLS material into the workload.
- name: Remove orderer crypto material
vars:
# Shared base directory for generated configuration. Example: `/var/hyperledger/fabric-x/config/orderer/assembler-1`.
remote_config_dir: "/var/hyperledger/fabric-x/config/orderer/assembler-1"
# Remote directory where orderer configuration is written.
orderer_remote_config_dir: "{{ remote_config_dir }}"
# Selects the Kubernetes deployment branch.
orderer_use_k8s: false
# Selects the OpenShift deployment branch.
orderer_use_openshift: false
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: crypto/rm
k8s/start¶
Create the orderer Kubernetes workload
Creates the orderer Kubernetes Service, StatefulSet, and optional NodePort and LoadBalancer Services after ensuring the namespace exists. Consumes ConfigMap and Secret artifacts generated by the Kubernetes config and crypto transfer entrypoints, then starts the selected component container.
- name: Create the orderer Kubernetes workload
vars:
# Orderer component to manage; use `consensus` for the consenter process. Example: `consensus`, `batcher`, `assembler`, or `router`.
orderer_component_type: "router"
# Orderer identity name used to derive crypto artifact paths.
orderer_crypto_name: "{{ organization.orderer.name | default(inventory_hostname) }}"
# Base name used for the orderer Kubernetes objects, including the optional NodePort Service.
orderer_k8s_resource_name: "{{ inventory_hostname }}"
# Value for the Kubernetes `app.kubernetes.io/part-of` label applied to orderer resources.
orderer_k8s_part_of: "fabric-x-orderer-{{ organization.name }}"
# Seconds to wait for the orderer StatefulSet rollout.
orderer_k8s_wait_timeout: 120
# gRPC port exposed by the orderer. Example: `7050`.
orderer_rpc_port: 7050
# Operations endpoint port exposed by the orderer. This endpoint serves operational APIs and Prometheus metrics. Example: `7060`.
orderer_operations_port: 7060
# Enables client mutual TLS for the orderer operations endpoint.
orderer_operations_use_mtls: "{{ orderer_use_mtls }}"
# Client identifiers whose TLS CA certificates are trusted by the operations endpoint. Trusts fetched `tls/ca.crt` files under those artifact directories. Example: `['prometheus-1']`.
orderer_operations_mtls_clients:
- "prometheus-1"
# Organization dictionaries whose TLS CA certificates are trusted by the operations endpoint. Example: `[{'name': 'Org1', 'domain': 'org1.example.com'}]`.
orderer_operations_mtls_orgs:
- name: "Org1"
domain: "org1.example.com"
# Kubernetes NodePort value used by the external RPC Service port. Defining this variable enables the NodePort Service; the value is set as the static `nodePort` in the Service spec. Example: `31050`.
orderer_k8s_rpc_node_port: 31050
# Kubernetes NodePort value used by the external operations/metrics Service port. Defining this variable enables the NodePort Service; the value is set as the static `nodePort` in the Service spec. Example: `31051`.
orderer_k8s_metrics_node_port: 31051
# Filesystem group applied to mounted ConfigMap and Secret volumes.
orderer_k8s_fs_group: 10001
# Full image reference used by the container and Kubernetes branches.
orderer_image: "{{ orderer_registry_endpoint }}/{{ orderer_image_name }}:{{ orderer_image_tag }}"
# Registry prefix used to build the orderer image reference.
orderer_registry_endpoint: "{{ lookup('env', 'ORDERER_REGISTRY_ENDPOINT') or 'docker.io/hyperledger' }}"
# Image name used for the orderer container.
orderer_image_name: fabric-x-orderer
# Image tag used for the orderer container.
orderer_image_tag: 1.0.0-alpha.1
# Container path where orderer configuration is mounted.
orderer_container_config_dir: /config
# Container path where orderer data is mounted.
orderer_container_data_dir: /data
# Enables client mutual TLS in the rendered config.
orderer_use_mtls: false
# Client identifiers whose mTLS CA certificates are mounted or transferred. Trusts fetched `tls/ca.crt` files under those artifact directories. Example: `['loadgen-1', 'gateway-1']`.
orderer_mtls_clients:
- "loadgen-1"
- "gateway-1"
# Organization dictionaries whose mTLS CA certificates are mounted or transferred. Example: `[{'name': 'Org1', 'domain': 'org1.example.com'}, {'name': 'Org2', 'domain': 'org2.example.com'}]`.
orderer_mtls_orgs:
- name: "Org1"
domain: "org1.example.com"
- name: "Org2"
domain: "org2.example.com"
# Organization metadata shared by the orderer crypto and config branches. Example: `{'name': 'OrdererOrg1', 'domain': 'ordererorg1.example.com', 'role': 'orderer', 'fabric_ca_host': 'fca-orderer-org1', 'orderer': {'name': 'orderer-router-1', 'secret': 'orderer-router-1PWD'}}`.
organization:
name: "OrdererOrg1"
domain: "ordererorg1.example.com"
role: "orderer"
fabric_ca_host: "fca-orderer-org1"
orderer:
name: "orderer-router-1"
secret: "orderer-router-1PWD"
# Kubernetes namespace used for orderer resources. Example: `fabricx-orderer`.
k8s_namespace: "fabricx-orderer"
# PVC storage request used by the orderer StatefulSet. Example: `20Gi`.
k8s_storage_size: "20Gi"
# Optional storage class used by the StatefulSet PVC. Example: `fast-ssd`.
k8s_storage_class: "fast-ssd"
# Optional image pull secret used by the StatefulSet. Example: `regcred-orderer`.
k8s_image_pull_secret: "regcred-orderer"
# Optional readiness probe initial delay override. Example: `15`.
k8s_readiness_probe_initial_delay_seconds: 15
# Optional readiness probe period override. Example: `10`.
k8s_readiness_probe_period_seconds: 10
# Optional readiness probe timeout override. Example: `3`.
k8s_readiness_probe_timeout_seconds: 3
# Optional readiness probe failure threshold override. Example: `6`.
k8s_readiness_probe_failure_threshold: 6
# Optional liveness probe initial delay override. Example: `30`.
k8s_liveness_probe_initial_delay_seconds: 30
# Optional liveness probe period override. Example: `20`.
k8s_liveness_probe_period_seconds: 20
# Optional liveness probe timeout override. Example: `5`.
k8s_liveness_probe_timeout_seconds: 5
# Optional liveness probe failure threshold override. Example: `3`.
k8s_liveness_probe_failure_threshold: 3
# Set to `true` to create a LoadBalancer Service entry that exposes the RPC port externally. When undefined or `false`, the RPC port is not included in the LoadBalancer Service.
orderer_k8s_loadbalancer_expose_rpc_port: false
# Set to `true` to create a LoadBalancer Service entry that exposes the operations/metrics port externally. When undefined or `false`, the operations/metrics port is not included in the LoadBalancer Service.
orderer_k8s_loadbalancer_expose_metrics_port: false
# Optional Kubernetes container resource requests and limits. Example: `{'requests': {'memory': '1Gi', 'cpu': '500m'}, 'limits': {'memory': '2Gi', 'cpu': '1000m'}}`.
k8s_resources:
requests:
memory: "1Gi"
cpu: "500m"
limits:
memory: "2Gi"
cpu: "1000m"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: k8s/start
k8s/ping¶
Check that the orderer Kubernetes services are reachable
Probes configured Kubernetes NodePort values and LoadBalancer-exposed service ports for external reachability.
- name: Check that the orderer Kubernetes services are reachable
vars:
# Kubernetes NodePort value used by the external RPC Service port. Defining this variable enables the NodePort Service; the value is set as the static `nodePort` in the Service spec. Example: `31050`.
orderer_k8s_rpc_node_port: 31050
# Kubernetes NodePort value used by the external operations/metrics Service port. Defining this variable enables the NodePort Service; the value is set as the static `nodePort` in the Service spec. Example: `31051`.
orderer_k8s_metrics_node_port: 31051
# Set to `true` to create a LoadBalancer Service entry that exposes the RPC port externally. When undefined or `false`, the RPC port is not included in the LoadBalancer Service.
orderer_k8s_loadbalancer_expose_rpc_port: false
# Set to `true` to create a LoadBalancer Service entry that exposes the operations/metrics port externally. When undefined or `false`, the operations/metrics port is not included in the LoadBalancer Service.
orderer_k8s_loadbalancer_expose_metrics_port: false
# gRPC port exposed by the orderer. Example: `7050`.
orderer_rpc_port: 7050
# Operations endpoint port exposed by the orderer. This endpoint serves operational APIs and Prometheus metrics. Example: `7060`.
orderer_operations_port: 7060
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: k8s/ping
k8s/rm¶
Remove the orderer Kubernetes workload
Deletes the orderer StatefulSet and Services from the configured namespace. Leaves ConfigMap, Secret, and PVC artifacts for explicit config, crypto, or data cleanup entrypoints.
- name: Remove the orderer Kubernetes workload
vars:
# Base name used for the orderer Kubernetes objects, including the optional NodePort Service.
orderer_k8s_resource_name: "{{ inventory_hostname }}"
# Kubernetes namespace used for orderer resources. Example: `fabricx-orderer`.
k8s_namespace: "fabricx-orderer"
# Kubernetes NodePort value used by the external RPC Service port. Defining this variable enables the NodePort Service; the value is set as the static `nodePort` in the Service spec. Example: `31050`.
orderer_k8s_rpc_node_port: 31050
# Set to `true` to create a LoadBalancer Service entry that exposes the RPC port externally. When undefined or `false`, the RPC port is not included in the LoadBalancer Service.
orderer_k8s_loadbalancer_expose_rpc_port: false
# Kubernetes NodePort value used by the external operations/metrics Service port. Defining this variable enables the NodePort Service; the value is set as the static `nodePort` in the Service spec. Example: `31051`.
orderer_k8s_metrics_node_port: 31051
# Set to `true` to create a LoadBalancer Service entry that exposes the operations/metrics port externally. When undefined or `false`, the operations/metrics port is not included in the LoadBalancer Service.
orderer_k8s_loadbalancer_expose_metrics_port: false
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: k8s/rm
k8s/teardown¶
Remove the orderer Kubernetes workload and data
Deletes the Kubernetes workload and removes persisted orderer data. Keeps generated ConfigMap and Secret artifacts unless their dedicated removal entrypoints are invoked.
- name: Remove the orderer Kubernetes workload and data
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: k8s/teardown
k8s/fetch_logs¶
Fetch logs from the orderer Kubernetes pod
Collects logs from pods selected by the orderer Kubernetes app label. Works for consenter, batcher, assembler, and router workloads by using the generated resource name labels.
- name: Fetch logs from the orderer Kubernetes pod
vars:
# Base name used for the orderer Kubernetes objects, including the optional NodePort Service.
orderer_k8s_resource_name: "{{ inventory_hostname }}"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: k8s/fetch_logs
k8s/config/transfer¶
Create the orderer Kubernetes ConfigMap
Slurps the generated genesis block and renders the orderer ConfigMap. Includes the component config file and optional mTLS CA bundles consumed by the Kubernetes StatefulSet.
- name: Create the orderer Kubernetes ConfigMap
vars:
# Shared base directory for generated configuration. Example: `/var/hyperledger/fabric-x/config/orderer/assembler-1`.
remote_config_dir: "/var/hyperledger/fabric-x/config/orderer/assembler-1"
# Remote directory where orderer configuration is written.
orderer_remote_config_dir: "{{ remote_config_dir }}"
# Base name used for the orderer Kubernetes objects, including the optional NodePort Service.
orderer_k8s_resource_name: "{{ inventory_hostname }}"
# Value for the Kubernetes `app.kubernetes.io/part-of` label applied to orderer resources.
orderer_k8s_part_of: "fabric-x-orderer-{{ organization.name }}"
# Orderer component to manage; use `consensus` for the consenter process. Example: `consensus`, `batcher`, `assembler`, or `router`.
orderer_component_type: "router"
# Rendered orderer configuration filename.
orderer_config_file: node_config.yaml
# Enables client mutual TLS in the rendered config.
orderer_use_mtls: false
# Client identifiers whose mTLS CA certificates are mounted or transferred. Trusts fetched `tls/ca.crt` files under those artifact directories. Example: `['loadgen-1', 'gateway-1']`.
orderer_mtls_clients:
- "loadgen-1"
- "gateway-1"
# Organization dictionaries whose mTLS CA certificates are mounted or transferred. Example: `[{'name': 'Org1', 'domain': 'org1.example.com'}, {'name': 'Org2', 'domain': 'org2.example.com'}]`.
orderer_mtls_orgs:
- name: "Org1"
domain: "org1.example.com"
- name: "Org2"
domain: "org2.example.com"
# Enables client mutual TLS for the orderer operations endpoint.
orderer_operations_use_mtls: "{{ orderer_use_mtls }}"
# Client identifiers whose TLS CA certificates are trusted by the operations endpoint. Trusts fetched `tls/ca.crt` files under those artifact directories. Example: `['prometheus-1']`.
orderer_operations_mtls_clients:
- "prometheus-1"
# Organization dictionaries whose TLS CA certificates are trusted by the operations endpoint. Example: `[{'name': 'Org1', 'domain': 'org1.example.com'}]`.
orderer_operations_mtls_orgs:
- name: "Org1"
domain: "org1.example.com"
# Organization metadata shared by the orderer crypto and config branches. Example: `{'name': 'OrdererOrg1', 'domain': 'ordererorg1.example.com', 'role': 'orderer', 'fabric_ca_host': 'fca-orderer-org1', 'orderer': {'name': 'orderer-router-1', 'secret': 'orderer-router-1PWD'}}`.
organization:
name: "OrdererOrg1"
domain: "ordererorg1.example.com"
role: "orderer"
fabric_ca_host: "fca-orderer-org1"
orderer:
name: "orderer-router-1"
secret: "orderer-router-1PWD"
# Kubernetes namespace used for orderer resources. Example: `fabricx-orderer`.
k8s_namespace: "fabricx-orderer"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: k8s/config/transfer
k8s/config/rm¶
Remove the orderer Kubernetes ConfigMap
Deletes the ConfigMap that holds orderer configuration, genesis material, and optional mTLS CA bundles. Does not remove the local generated config directory.
- name: Remove the orderer Kubernetes ConfigMap
vars:
# Base name used for the orderer Kubernetes objects, including the optional NodePort Service.
orderer_k8s_resource_name: "{{ inventory_hostname }}"
# Kubernetes namespace used for orderer resources. Example: `fabricx-orderer`.
k8s_namespace: "fabricx-orderer"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: k8s/config/rm
k8s/crypto/transfer¶
Create the orderer Kubernetes Secret
Resolves orderer MSP and TLS file locations and renders the Kubernetes Secret. The Secret is consumed by the StatefulSet to mount MSP private key, signcert, CA certs, TLS server key, TLS server certificate, and TLS CA material.
- name: Create the orderer Kubernetes Secret
vars:
# Shared base directory for generated configuration. Example: `/var/hyperledger/fabric-x/config/orderer/assembler-1`.
remote_config_dir: "/var/hyperledger/fabric-x/config/orderer/assembler-1"
# Remote directory where orderer configuration is written.
orderer_remote_config_dir: "{{ remote_config_dir }}"
# Organization metadata shared by the orderer crypto and config branches. Example: `{'name': 'OrdererOrg1', 'domain': 'ordererorg1.example.com', 'role': 'orderer', 'fabric_ca_host': 'fca-orderer-org1', 'orderer': {'name': 'orderer-router-1', 'secret': 'orderer-router-1PWD'}}`.
organization:
name: "OrdererOrg1"
domain: "ordererorg1.example.com"
role: "orderer"
fabric_ca_host: "fca-orderer-org1"
orderer:
name: "orderer-router-1"
secret: "orderer-router-1PWD"
# Orderer identity name used to derive crypto artifact paths.
orderer_crypto_name: "{{ organization.orderer.name | default(inventory_hostname) }}"
# Base name used for the orderer Kubernetes objects, including the optional NodePort Service.
orderer_k8s_resource_name: "{{ inventory_hostname }}"
# Value for the Kubernetes `app.kubernetes.io/part-of` label applied to orderer resources.
orderer_k8s_part_of: "fabric-x-orderer-{{ organization.name }}"
# Orderer component to manage; use `consensus` for the consenter process. Example: `consensus`, `batcher`, `assembler`, or `router`.
orderer_component_type: "router"
# Kubernetes namespace used for orderer resources. Example: `fabricx-orderer`.
k8s_namespace: "fabricx-orderer"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: k8s/crypto/transfer
k8s/crypto/rm¶
Remove the orderer Kubernetes Secret
Deletes the Secret that stores orderer MSP and TLS material. Does not remove the local MSP and TLS directories under the orderer config path.
- name: Remove the orderer Kubernetes Secret
vars:
# Base name used for the orderer Kubernetes objects, including the optional NodePort Service.
orderer_k8s_resource_name: "{{ inventory_hostname }}"
# Kubernetes namespace used for orderer resources. Example: `fabricx-orderer`.
k8s_namespace: "fabricx-orderer"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: k8s/crypto/rm
prometheus/get_scrapers¶
Build Prometheus scrape targets for orderer hosts
Groups orderer hosts by component type and exposes Prometheus scrape service definitions for downstream monitoring configuration. Produces scrape targets for consenter, batcher, assembler, and router metrics endpoints using each host's configured operations port.
- name: Build Prometheus scrape targets for orderer hosts
vars:
# Inventory hosts dedicated to orderer nodes. Example: `['orderer-consenter-1', 'orderer-batcher-1', 'orderer-assembler-1', 'orderer-router-1']`.
orderer_hosts:
- "orderer-consenter-1"
- "orderer-batcher-1"
- "orderer-assembler-1"
- "orderer-router-1"
# Control-node directory containing fetched crypto artifacts. Example: `/tmp/fabric-x/artifacts/fetched`.
fetched_artifacts_dir: "/tmp/fabric-x/artifacts/fetched"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: prometheus/get_scrapers
openshift/start¶
Start the OpenShift deployment
Reuses the Kubernetes workload flow and manages OpenShift Routes for configured HTTP-capable ports.
- name: Start the OpenShift deployment
vars:
# Base name used for the orderer Kubernetes objects, including the optional NodePort Service.
orderer_k8s_resource_name: "{{ inventory_hostname }}"
# Value for the Kubernetes `app.kubernetes.io/part-of` label applied to orderer resources.
orderer_k8s_part_of: "fabric-x-orderer-{{ organization.name }}"
# Orderer component to manage; use `consensus` for the consenter process. Example: `consensus`, `batcher`, `assembler`, or `router`.
orderer_component_type: "router"
# Enables server-side TLS in the rendered config.
orderer_use_tls: false
# Enables TLS for the orderer operations endpoint.
orderer_operations_use_tls: false
# Organization metadata shared by the orderer crypto and config branches. Example: `{'name': 'OrdererOrg1', 'domain': 'ordererorg1.example.com', 'role': 'orderer', 'fabric_ca_host': 'fca-orderer-org1', 'orderer': {'name': 'orderer-router-1', 'secret': 'orderer-router-1PWD'}}`.
organization:
name: "OrdererOrg1"
domain: "ordererorg1.example.com"
role: "orderer"
fabric_ca_host: "fca-orderer-org1"
orderer:
name: "orderer-router-1"
secret: "orderer-router-1PWD"
# Specifies the OpenShift Route host. Example: `orderer-rpc.apps.example.com`.
orderer_openshift_route: "orderer-rpc.apps.example.com"
# Specifies the OpenShift Route host for the operations/metrics endpoint. Example: `orderer-metrics.apps.example.com`.
orderer_openshift_metrics_route: "orderer-metrics.apps.example.com"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: openshift/start
openshift/ping¶
Check the OpenShift deployment
Checks configured OpenShift Routes and reuses the Kubernetes service ping flow.
- name: Check the OpenShift deployment
vars:
# Enables server-side TLS in the rendered config.
orderer_use_tls: false
# Enables TLS for the orderer operations endpoint.
orderer_operations_use_tls: false
# Specifies the OpenShift Route host. Example: `orderer-rpc.apps.example.com`.
orderer_openshift_route: "orderer-rpc.apps.example.com"
# Specifies the OpenShift Route host for the operations/metrics endpoint. Example: `orderer-metrics.apps.example.com`.
orderer_openshift_metrics_route: "orderer-metrics.apps.example.com"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: openshift/ping
openshift/rm¶
Remove the OpenShift deployment
Reuses the Kubernetes workload flow and manages OpenShift Routes for configured HTTP-capable ports.
- name: Remove the OpenShift deployment
vars:
# Base name used for the orderer Kubernetes objects, including the optional NodePort Service.
orderer_k8s_resource_name: "{{ inventory_hostname }}"
# Specifies the OpenShift Route host. Example: `orderer-rpc.apps.example.com`.
orderer_openshift_route: "orderer-rpc.apps.example.com"
# Specifies the OpenShift Route host for the operations/metrics endpoint. Example: `orderer-metrics.apps.example.com`.
orderer_openshift_metrics_route: "orderer-metrics.apps.example.com"
ansible.builtin.include_role:
name: hyperledger.fabricx.orderer
tasks_from: openshift/rm
openshift/teardown¶
Teardown the OpenShift deployment
Removes OpenShift and Kubernetes resources, then deletes orderer data artifacts.