Introduction
Bevel Operator Fabric version 1.13.0 introduces a range of updates to the Kubernetes operator for Hyperledger Fabric networks. This release focuses on improvements in security, automation, and operational efficiency, including integration with external tools and refinements to core functionalities. Key additions cover certificate management, chaincode operations, and deployment configurations, supporting Hyperledger Fabric versions 2.5+, 3.0.0 and 3.1.0.
Key Takeaways
- HashiCorp Vault Integration: Enables secure certificate provisioning and management using Vault's PKI secrets engine, with automatic renewal and rotation.
- Lease-Based Certificate Renewal: Implements Kubernetes leases to coordinate certificate operations across multiple controllers, preventing conflicts.
- Enhanced Chaincode Query Commands: Adds support for JSON and table output formats, improving integration with scripts and automation tools.
- Fabric CA Deployment Enhancements: Updates CRDs for better schema definitions, replica support, and Vault-enabled certificate workflows.
- Security and Dependency Updates: Patches Go modules and npm dependencies to address vulnerabilities, alongside default configurations for credential stores.
Understanding Bevel Operator Fabric 1.13.0
Core Functionality Overview
Kubernetes-Native Management:
Bevel Operator Fabric is a Kubernetes-native tool designed for deploying and managing Hyperledger Fabric networks.
Default Credential Storage:
In version 1.13.0, a major improvement is the introduction of default settings for credential storage. The CredentialStore is now set to 'kubernetes' by default for the controllers managing certificate authorities, identities, orderer nodes, and peers.
HashiCorp Vault Integration:
This release also adds support for HashiCorp Vault as an alternative backend for credential storage.
- Secure certificate management: Vault integration allows users to provision and manage certificates using Vault’s PKI secrets engine.
- Flexible workflows: Organizations can choose between Kubernetes-native Secrets and Vault-based credential management to match their security requirements.
Integration with External Tools
A notable aspect of 1.13.0 is its emphasis on external integrations. The operator now supports HashiCorp Vault as a backend for credential storage, enabling users to leverage Vault's features for generating and storing cryptographic materials. This integration is configured via YAML files, specifying parameters like Vault address, token, PKI path, and role. Once set up, it handles tasks such as TLS certificate provisioning for network components automatically.
Another integration point is with Kubernetes-native mechanisms, such as leases for distributed coordination. This ensures that in environments with multiple operator replicas, tasks like certificate renewals are executed without overlaps, using lease durations of 30 seconds and renewal intervals of 10 seconds.
Core Components of Bevel Operator Fabric 1.13.0
Updated Custom Resource Definitions (CRDs)
The CRDs are central to the operator, and version 1.13.0 introduces important refinements. For Fabric CA, the CRD now supports a replicas field, but only the values 1 (run a single CA instance) and 0 (scale down and stop the CA) are accepted. This lets administrators start or stop the CA service as needed; it does not provide multiple CA replicas for high availability.
To stop the CA, set replicas to 0 in the FabricCA resource:
apiVersion: hlf.kungfusoftware.es/v1alpha1
kind: FabricCA
metadata:
  name: ca-org1
  # ... other fields ...
spec:
  # ... other fields ...
  replicas: 0
  # ... other fields ...
Bevel Operator Fabric-Specific Processes or Mechanisms
Chaincode Query and Management Processes
The chaincode query commands have been enhanced with better output handling. Commands such as kubectl hlf chaincode queryapproved, querycommitted, and queryinstalled now support an --output flag, allowing output in json or table format. The default is table; switching to JSON enables programmatic access, as in:
kubectl hlf chaincode queryinstalled --peer peer0-org1 --output json | jq -r '.[].name'
This extracts chaincode names for scripting. Error handling has also been improved, providing structured responses that integrate with automation tools. The processes maintain backward compatibility, with no changes to existing syntax.
Certificate Renewal Mechanism
The lease-based renewal process uses Kubernetes leases to stop multiple peers and orderers from renewing their certificates at the same time. Before a peer or orderer renews, the operator tries to acquire the lease; if it succeeds, it proceeds with the renewal, otherwise it retries with exponential backoff. This prevents the conflicts, and the resulting network inconsistencies, that could occur if several components renewed simultaneously. The lease parameters are fixed: a 30-second duration with renewals every 10 seconds.
Dependency and Vulnerability Management
This release updates multiple dependencies to close known vulnerabilities. Go modules, including the protobuf, crypto, and networking libraries, have been upgraded, and the npm and yarn dependencies of the example applications receive the corresponding security fixes, so the examples do not ship with known-vulnerable packages.
Lease-based certificate renewal
This mechanism is designed to avoid renewing certificates for multiple orderers or peers at the same time. By coordinating renewal operations through Kubernetes leases, the operator ensures that only one component performs a renewal at any given moment, preventing conflicts and maintaining network stability.
When you upgrade to this version, the lease-based certificate renewal mechanism is added automatically—no additional configuration is needed. The operator manages the coordination internally, so users benefit from improved certificate renewal safety out of the box.
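The acquire, keepalive and release cycle described here and under "Certificate Renewal Mechanism" above, as an added example rather than the operator's own code. It models a coordination.k8s.io/v1 Lease in memory with a hand-driven clock (an assumption, so it runs offline), fixes the duration at the 30 seconds the release notes give, and exercises the three cases a practitioner cares about: a fresh lease held by another node is refused and the waiter backs off exponentially, a released lease is taken on the first retry, and a lease whose holder crashed is reclaimed once it goes stale. Only the Lease field names come from LeaseSpec; LeaseStore, AcquireWithBackoff and the node names are this example's own.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

const LeaseDuration = 30 * time.Second // fixed in 1.13.0; the keepalive runs every 10 s

// Lease mirrors the LeaseSpec fields a coordination.k8s.io/v1 Lease uses for
// mutual exclusion; the in-memory LeaseStore is this example's assumption, not
// operator code. On a cluster the same rules run as updates to the Lease object.
type Lease struct {
	HolderIdentity       string
	LeaseDurationSeconds int
	AcquireTime          time.Time
	RenewTime            time.Time
}

// LeaseStore plays the API server for one Lease: updates are serialized, so two
// renewers can never both observe the lease as unheld.
type LeaseStore struct {
	mu    sync.Mutex
	lease *Lease
	now   func() time.Time // injectable clock; main and the tests advance it by hand
}

func NewLeaseStore(now func() time.Time) *LeaseStore { return &LeaseStore{now: now} }

// TryAcquire succeeds when the lease is unheld, already ours (this doubles as the
// keepalive), or stale: the holder has not renewed for longer than
// LeaseDurationSeconds, e.g. it crashed mid-renewal. Otherwise the caller backs off.
func (s *LeaseStore) TryAcquire(holder string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now()
	if s.lease != nil && s.lease.HolderIdentity == holder {
		s.lease.RenewTime = now
		return true
	}
	if s.lease != nil && now.Sub(s.lease.RenewTime) <= time.Duration(s.lease.LeaseDurationSeconds)*time.Second {
		return false // held by another node and still fresh
	}
	s.lease = &Lease{HolderIdentity: holder, LeaseDurationSeconds: int(LeaseDuration.Seconds()),
		AcquireTime: now, RenewTime: now}
	return true
}

// Release hands the lease back so the next waiter need not sit out the full TTL.
func (s *LeaseStore) Release(holder string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.lease != nil && s.lease.HolderIdentity == holder {
		s.lease = nil
	}
}

// Holder returns the current holder identity, or "" when unheld.
func (s *LeaseStore) Holder() string {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.lease == nil {
		return ""
	}
	return s.lease.HolderIdentity
}

// AcquireWithBackoff retries TryAcquire with exponential backoff (1s, 2s, 4s, ...
// capped at 16s). sleep is injected so tests do not wait; the attempt count is
// returned so a caller can log how contended the lease was.
func AcquireWithBackoff(s *LeaseStore, holder string, maxAttempts int, sleep func(time.Duration)) (int, error) {
	delay := time.Second
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		if s.TryAcquire(holder) {
			return attempt, nil
		}
		if attempt == maxAttempts {
			break
		}
		sleep(delay)
		if delay < 16*time.Second {
			delay *= 2
		}
	}
	return maxAttempts, fmt.Errorf("lease still held by %s", s.Holder())
}

func main() {
	now := time.Unix(0, 0)
	s := NewLeaseStore(func() time.Time { return now })
	sleep := func(d time.Duration) { now = now.Add(d) } // simulated clock
	s.TryAcquire("peer0-org1")                            // peer0 begins its renewal
	n, err := AcquireWithBackoff(s, "peer1-org1", 3, sleep)
	fmt.Println("peer1 during peer0's renewal:", n, err) // 3 lease still held by peer0-org1
	s.Release("peer0-org1")
	n, err = AcquireWithBackoff(s, "peer1-org1", 3, sleep)
	fmt.Println("peer1 after release:", n, err) // 1 <nil>
	now = now.Add(LeaseDuration + time.Second) // peer1 crashed and missed every keepalive
	fmt.Println("orderer0 reclaims stale lease:", s.TryAcquire("orderer0-ord")) // true
	fmt.Println("peer1 keepalive accepted:", s.TryAcquire("peer1-org1"))        // false
}
```

On a real cluster the LeaseStore methods become Get and Update calls on the Lease object through client-go; the API server's resourceVersion check rejects the second of two concurrent updates, which gives the same one-writer guarantee the mutex provides here. The path to keep in mind is the stale takeover: a node that lost its lease after missed keepalives gets false from its next TryAcquire and must abort the renewal it was in the middle of rather than keep going.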
Configuring Vault Integration
Vault integration is configured through the vault property in the CRDs. The configuration follows the VaultComponent structure, which includes the certificate request parameters and the Vault server configuration.
Basic Configuration:
credentialStore: vault          # Required to use Vault instead of Kubernetes
vault:
  request:
    pki: "pki"                  # PKI backend path
    role: "fabric-peer"         # PKI role for certificate generation
    ttl: "8760h"                # Certificate TTL (default: 8760h)
    userIDs: []                 # Optional user identifiers
  vault:
    url: "https://vault.example.com:8200"
    tokenSecretRef:
      name: "vault-token"
      namespace: "default"
      key: "token"
    backend: "pki"              # Backend type (default: "kv")
    path: "secret/hlf"          # Path in Vault for secrets
    timeout: "30s"              # Vault operation timeout
    maxRetries: 2               # Maximum retry attempts
    tlsSkipVerify: false        # Skip TLS verification
Advanced TLS Configuration:
vault:
  vault:
    serverCert: "/path/to/server.crt"
    serverName: "vault.example.com"
    clientCert: "/path/to/client.crt"
    clientKey:
      name: "vault-client-key"
      namespace: "default"
      key: "key"
    caCert: "/path/to/ca.crt"
Kubernetes Authentication:
vault:
  vault:
    role: "fabric-operator"     # Kubernetes auth role
    authPath: "kubernetes"      # Auth mount path (default: "kubernetes")
    serviceAccountTokenPath: "/var/run/secrets/kubernetes.io/serviceaccount/token"
Then create identities: kubectl hlf identity create --name peer-org1 --vault-enabled --vault-role fabric-peer
Creating Identities with Vault:
kubectl hlf identity create --name ord-ca-sign --namespace default \
  --mspid OrdererMSP \
  --credential-store=vault \
  --vault-address="$VAULT_ADDR" \
  --vault-token-secret="vault-token" \
  --vault-token-secret-namespace="default" \
  --vault-token-secret-key="token" \
  --vault-pki-path="pki_orderer" \
  --vault-role="admin-sign" \
  --vault-ttl="8760h"
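A preflight check over the settings above, added here as an example and not part of the operator. The Go types below mirror the YAML field names from this section (request.pki/role/ttl, vault.url, tokenSecretRef, backend, tlsSkipVerify, caCert) but are this example's own, not the operator's VaultComponent type, and both sample configurations are constructed. WeakConfig carries the settings that most often survive from a dev cluster (a plaintext URL, tlsSkipVerify: true, no tokenSecretRef) and HardenedConfig shows each one corrected; Lint returns the findings so the check can gate a kubectl apply in CI.

```go
package main

import (
	"fmt"
	"net/url"
	"time"
)

// These types are this example's own; they mirror the field names in the YAML
// above (request.pki/role/ttl, vault.url/tokenSecretRef/backend/tlsSkipVerify/
// caCert) but are not the operator's VaultComponent struct.
type SecretRef struct{ Name, Namespace, Key string }

type VaultRequest struct{ PKI, Role, TTL string }

type VaultServer struct {
	URL            string
	TokenSecretRef *SecretRef // nil models a CR that omits the reference
	Backend        string
	CACert         string
	TLSSkipVerify  bool
}

type VaultConfig struct {
	CredentialStore string
	Request         VaultRequest
	Server          VaultServer
}

// Lint returns the findings a reviewer would raise before the CR is applied;
// an empty slice means every check passed.
func Lint(c VaultConfig) []string {
	var f []string
	if c.CredentialStore != "vault" {
		f = append(f, "credentialStore must be \"vault\" for the vault block to take effect")
	}
	if u, err := url.Parse(c.Server.URL); err != nil || u.Scheme != "https" || u.Host == "" {
		f = append(f, "vault.url must be an https:// URL: the Vault token and certificate requests travel over it")
	}
	if c.Server.TLSSkipVerify {
		f = append(f, "tlsSkipVerify: true lets an on-path attacker impersonate Vault; set false and point caCert at the Vault CA")
	}
	if r := c.Server.TokenSecretRef; r == nil || r.Name == "" || r.Key == "" {
		f = append(f, "tokenSecretRef must name a Secret and key; never inline the Vault token in the CR")
	}
	if c.Server.Backend != "pki" && c.Server.Backend != "kv" {
		f = append(f, fmt.Sprintf("backend %q is not one of pki, kv", c.Server.Backend))
	}
	if c.Request.PKI == "" || c.Request.Role == "" {
		f = append(f, "request.pki and request.role are required to issue certificates")
	}
	if ttl, err := time.ParseDuration(c.Request.TTL); err != nil {
		f = append(f, "request.ttl is not a duration such as 8760h")
	} else if ttl > 8760*time.Hour {
		f = append(f, "request.ttl exceeds the 8760h default; a leaked key stays usable for the whole TTL")
	}
	return f
}

// WeakConfig is a constructed sample carrying three mistakes Lint catches.
func WeakConfig() VaultConfig {
	return VaultConfig{
		CredentialStore: "vault",
		Request:         VaultRequest{PKI: "pki", Role: "fabric-peer", TTL: "8760h"},
		Server: VaultServer{
			URL:            "http://vault.example.com:8200", // plaintext endpoint
			TokenSecretRef: nil,                             // reference omitted
			Backend:        "pki",
			TLSSkipVerify:  true, // copied from a dev setup
		},
	}
}

// HardenedConfig is the same request with each finding fixed.
func HardenedConfig() VaultConfig {
	c := WeakConfig()
	c.Server.URL = "https://vault.example.com:8200"
	c.Server.TokenSecretRef = &SecretRef{Name: "vault-token", Namespace: "default", Key: "token"}
	c.Server.TLSSkipVerify = false
	c.Server.CACert = "/path/to/ca.crt" // placeholder path, as in the TLS block above
	c.Request.TTL = "2160h"             // 90 days; must stay within the PKI role's max_ttl
	return c
}

func main() {
	for name, c := range map[string]VaultConfig{"weak": WeakConfig(), "hardened": HardenedConfig()} {
		findings := Lint(c)
		fmt.Printf("%s config: %d finding(s)\n", name, len(findings))
		for _, line := range findings {
			fmt.Println("  -", line)
		}
	}
}
```

Running it lists three findings for the weak block and none for the hardened one. The TTL check is deliberately a warning against exceeding the default rather than a hard cap: Vault itself refuses a ttl above the PKI role's max_ttl, so that is where the real limit belongs.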
Key Benefits:
- Automatic Certificate Renewal: certificates are issued by Vault's PKI engine and renewed by the operator without manual steps
- Enhanced Security: keys and certificates are kept in Vault rather than in Kubernetes Secrets, shrinking what an attacker with cluster access can read
- Audit Trail: Vault's audit log records every certificate operation
- Role-Based Access: Vault PKI roles and policies give granular permissions per certificate type (the fabric-peer and admin-sign roles in the examples above)
You can check the Vault integration documentation for more details.
Conclusion
Bevel Operator Fabric 1.13.0 brings enhancements across integration, automation, and security: HashiCorp Vault support for certificate management, lease-based coordination of renewals, JSON output for chaincode queries, and updated CRDs for deployments. Together these address the day-to-day operational needs of running Hyperledger Fabric networks on Kubernetes at scale.
Production Readiness:
- Enterprise Security: Vault integration provides enterprise-grade certificate management
- Operational Efficiency: Lease-based coordination prevents conflicts in multi-replica deployments
- Developer Experience: Enhanced CLI with JSON output support improves automation workflows
- Scalability: Improved resource management and monitoring capabilities for large-scale deployments