ChainKode: a CICD methodology for chaincode development in Hyperledger Fabric based on Kubernetes

ChainKode: A CICD me hodology o chaincode de elopmen in Hype ledge
Fab ic based on Kube ne es
YASIRU RATHSARA WITHARANAGE, CEIT-Basque Resea ch and Technology Alliance (BRTA), Spain
SANTIAGO FIGUEROA-LORENZO, CEIT-Basque Resea ch and Technology Alliance (BRTA), Spain
NASIBEH MOHAMMADZADEH, CEIT-Basque Resea ch and Technology Alliance (BRTA), Spain
SAIOA ARRIZABALAGA JUARISTI, CEIT-Basque Resea ch and Technology Alliance (BRTA), Spain
Hype ledge Fab ic is a widely used blockchain echnology ha allows o ganiza ions o s o e and exchange da a h ough pe missioned
ne wo ks. A chaincode ex ends i s unc ionali y by enabling pa icipan s o in e ac wi h he s o ed da a ia mul iple p og amming
languages. Consequen ly, a chaincode can be ega ded as an ex e nal se ice o he Hype ledge Fab ic ne wo k which can be
deployed by con aine o ches a ion ools such as Kube ne es. This induces a dis inc i e So wa e De elopmen Li e Cycle (SDLC) o
chaincodes along wi h he necessi y o a sus ainable amewo k o suppo i . To his end, we p opose a me hodology based on CICD
p ac ices ha no only acili a es he de elopmen o chaincodes in Golang bu also ensu es ha hei unc ional and non- unc ional
equi emen s a e sa is ied. In pa icula , we deli e an au oma ed p ocess ha es ablishes adequa e code quali y, e i ies he in eg i y
o implemen a ion, alida es secu i y ulne abili ies, e alua es pe o mance and inally deploys he chaincode o a Hype ledge Fab ic
blockchain. We p o ide a pe o mance analysis o ou app oach based on he conduc ed expe imen s and a discussion on i s quali a i e
a ibu es. Addi ionally, we p esen a comp ehensi e ecosys em o Hype ledge Fab ic wi h Kube ne es which includes moni o ing
and benchma king ools. In essence, we s eng hen he SDLC o chaincodes and acili a e he adop ion o Hype ledge Fab ic in
c oss-o ganiza ional use cases.
Addi ional Key Wo ds and Ph ases: Hype ledge Fab ic, CICD, Chaincode, Kube ne es
1 In oduc ion
Blockchain has eme ged as a p o ound echnology ha enables da a sha ing among mul iple pa icipan s using an
immu able dis ibu ed ledge . I has u he e ol ed in o a a ie y o blockchain pla o ms ha can adap o di e en
indus ial use cases be i ingly. Hype ledge Fab ic is one such echnology whe e dis inc i e o ganiza ions can s o e
and sha e da a wi h high pe o mance and p i acy in a pe missioned ne wo k [
1
]. I u he allows pa icipan s o
in e ac wi h hese da a by implemen ing a bi a y se ices ia chaincodes in mul iple p og amming languages (e.g.
Ja a,Golang). De eloping secu e and pe o man chaincodes can be ega ded as non- i ial due o hei in ol emen in
c oss-o ganiza ional use cases wi h immu able da a.
Con inuous In eg a ion and Con inuous Deploymen /Deli e y (CICD) p o ides an au oma ed p ocess o accele a e
he So wa e De elopmen Li e Cycle (SDLC) while ensu ing he e icacy o an implemen a ion. Despi e i s bene i s,
Hype ledge Fab ic s ill lacks a p ope in es iga ion o adop ing CICD p ac ices, he eby esul ing in chaincodes wi h
inadequa e code quali y, secu i y ulne abili ies, pe o mance limi a ions and ine icien de elopmen li e cycles [2].
To he bes o ou knowledge, his can be ega ded as he i s academic esea ch on p oposing a CICD me hodology
o he de elopmen o chaincodes. In pa icula , ou main con ibu ions o his s udy can be ou lined as ollows.
Au ho s’ Con ac In o ma ion: Yasi u Ra hsa a Wi ha anage, CEIT-Basque Resea ch and Technology Alliance (BRTA), Donos ia/San Sebas ian, Basque
Coun y, Spain, [email p o ec ed]; San iago Figue oa-Lo enzo, CEIT-Basque Resea ch and Technology Alliance (BRTA), Donos ia/San Sebas ian,
Basque Coun y, Spain, [email p o ec ed]; Nasibeh Mohammadzadeh, CEIT-Basque Resea ch and Technology Alliance (BRTA), Donos ia/San Sebas ian,
Basque Coun y, Spain, [email p o ec ed]; Saioa A izabalaga Jua is i, CEIT-Basque Resea ch and Technology Alliance (BRTA), Donos ia/San
Sebas ian, Basque Coun y, Spain, [email p o ec ed].
Yasi u Ra hsa a Wi ha anage, San iago Figue oa-Lo enzo, Nasibeh Mohammadzadeh, and Saioa A izabalaga Jua is i
•
An ecosys em o Hype ledge Fab ic wi h benchma king, moni o ing and CICD ools o indus ial use cases
based on Docke and Kube ne es.
•A comp ehensi e CICD me hodology o suppo he So wa e De elopmen Li e Cycle (SDLC) o chaincodes.
•
Accommoda e Golang in chaincode de elopmen o ensu e he deli e y o desi ed in eg i y, code quali y,
secu i y and pe o mance le els.
The es o his pape is s uc u ed as ollows: Sec ion 2 desc ibes he backg ound whe eas sec ion 3 ou lines he
ela ed p io wo k. Sec ion 4 analyses he equi emen s o a CICD me hodology o Hype ledge Fab ic. Sec ion 5
p oposes ou app oach ollowed by i s implemen a ion de ails in sec ion 6. Sec ions 7 and 8 p esen an e alua ion and a
discussion o he implemen a ion, espec i ely. Finally, sec ion 9 concludes he pape .
2 Backg ound
In i s simples o m, blockchain is a decen alized ne wo k whe e pa icipan s can s o e da a as ansac ions in an
immu able dis ibu ed ledge . In Hype ledge Fab ic, admission o pa icipan s o a ledge can be go e ned, hus de i ing
an implici ly us ed ne wo k whe e all he pa icipan s a e known. Consequen ly, Hype ledge Fab ic is widely adop ed
in indus ial use cases, speci ically whe e dis inc i e o ganiza ions equi e exchanging da a wi h each o he while
en o cing decen aliza ion and da a so e eign y.
Hype ledge Fab ic suppo s he exis ence o mul iple ledge s wi hin he same o e lay ne wo k h ough a concep
called channels. A channel no only seg ega es con ex ually di e en da a bu also imposes ine-g ained p i acy by
es aining access o i s da a only o he channel membe s. I u he allows o ganiza ions o in e ac wi h hese da a
ia a chaincode which con ains a se o speci ic implemen a ions known as sma con ac s. Pa icipan s can in oke
hese sma con ac s ia clien applica ions o pe o m a ious business use cases wi h da a s o ed in channels.
An o ganiza ion in Hype ledge Fab ic gene ally deploys i s own sub-ne wo k wi h se e al componen s such as
pee s,o de e s and Ce i ica e Au ho i ies (CAs). In essence, a pee joins a channel and allows clien applica ions o
in e ac wi h i s channel da a h ough a chaincode. A chaincode can be ins alled on a pee ia buildpacks which con ain
he ins uc ions o de ec , build and un a chaincode ins ance. I is also possible o con igu e ancho pee s which a e used
by o he o ganiza ions and ex e nal applica ions o connec and e ie e in o ma ion abou he ne wo k [
3
]. An o de e
pa icipa es in a collec i e p ocess o o de any submi ed da a, bundles hem in o a block and p opaga es his block o
be commi ed by pee s. In addi ion, he e exis s wo ypes o CAs in Hype ledge Fab ic: A TLS CA o enable T anspo
Laye Secu i y (TLS) in communica ion and an o ganiza ion CA o gene a e he iden i ies o use s. Co espondingly, i
necessi a es skilled pe sonnel o deploy all hese componen s, es ablish hei connec ions and main ain so wa e and
ha dwa e in as uc u e while ensu ing he eliabili y o componen s.
In addi ion o he Fab ic amewo k, Hype ledge p o ides a numbe o ools o supplemen i s ecosys em. Pa icula ly,
Blockchain Explo e allows he o ganiza ions o moni o a Hype ledge Fab ic ne wo k in e ms o i s ne wo k in as-
uc u e, deployed chaincodes and commi ed blocks wi h ansac ional da a. Hype ledge Calipe is a benchma king
ool ha e alua es he pe o mance o a chaincode based on cus om wo kloads and con igu a ions.
De Ops se es as a ole ha combines he asks o de eloping, deploying and main aining so wa e se ices. I u he
in oduces a se o p ac ices commonly known as Con inuous In eg a ion and Con inuous Deploymen /Deli e y (CICD)
ha accele a es and simpli ies he So wa e De elopmen Li e Cycle (SDLC). This is accomplished h ough an au oma ed
p ocess called a pipeline which consis s o mul iple jobs o build, es , deploy and moni o so wa e se ices. In addi ion
o he con enience, such pipelines enable compliance wi h s anda ds by in eg a ing alida ion asks (e.g. uni es s,
ChainKode: A CICD me hodology o chaincode de elopmen in Hype ledge Fab ic based on Kube ne es
code quali y checks, benchma ks) and e i ying hei co esponding esul s. The CICD pipelines can be moni o ed wi h
ools such as P ome heus and G a ana, which e ie e he me ics and isualize hem in g aphs, espec i ely.
Docke p o ides a con aine un ime ha enables building and publishing so wa e applica ions as po able images.
These images can be deployed and managed wi h a con aine o ches a ion ool such as Kube ne es by using decla a i e
mani es iles. Gi lab is a cloud-na i e pla o m wi h ea u es o suppo De Ops in so wa e de elopmen . In gene al,
de elope s use Gi lab as a Ve sion Con ol Sys em (VCS) o main ain sou ce code iles o he implemen a ions. Gi lab
u he p o ides a p i a e and secu e con aine egis y ha can be used o publish, pull and deploy con aine ized images
(e.g. Docke ) o so wa e se ices whene e necessa y. Addi ionally, a CICD pipeline can be ealized wi h Gi lab CI by
implemen ing he low in a decla a i e con igu a ion ile and execu ing i s jobs by means o a Gi lab unne . These
unne s can also be hos ed locally (sel -managed) wi hin an o ganiza ion o p o ide addi ional secu i y and p i acy
du ing he execu ion o a job.
3 Rela ed Wo k
Se e al esea ch wo ks ha e been done on he applica ion o CICD me hodologies o sma con ac s in E he eum
blockchain. In pa icula , Maximilian Wöh e e al. p opose a CICD amewo k o suppo he de elopmen o sma
con ac s [
4
] whe eas Hauke P ech e al. ex end his wo k o deli e a con aine ized app oach which is agnos ic o a CI
pla o m [
5
]. Secu i y conce ns ela ed o Con inuous In eg a ion o sma con ac s ha e been esea ched by Al a o
Reyes e al. [
6
]. In addi ion, he e a e se e al non-scien i ic publica ions in which he communi y has ou lined gene al
conce ns ela ed o CICD p ac ices o E he eum [7, 8].
A numbe o esea ch a emp s ha e been made on deploying Hype ledge Fab ic on Kube ne es while being
cons ained o a speci ic use case. Pa icula ly, Muhammad Rehan e al. deploy Hype ledge Fab ic on Kube ne es o
Supply Chain Managemen [
9
] while Xiubo Liang e al. exploi Kube ne es o bo h he in as uc u e and de elopmen
o chaincodes ela ed o educa ion [
10
]. Vladimi Yussupo e al. p esen an o e iew o he blockchain echnology
and se e less a chi ec u e [
11
], including se ice pla o ms which p o ide Hype ledge Fab ic based on Kube ne es.
Howe e , hese pape s nei he en ail ex e nal componen s o a comple e ecosys em o Hype ledge Fab ic no suppo
he SDLC o chaincodes.
Maciej Kopa e al. p opose a CI me hodology o Hype ledge Fab ic which is only applicable o chaincodes based
on Ja a and i u he lacks he mechanisms o pe o mance e alua ion, con inuous deploymen and moni o ing o
he CICD p ocesses [12]. Simila ly, Ni in Gau e al. discuss a basic CI low o chaincodes bu i does no alida e he
secu i y o hi d-pa y dependencies as well as he pe o mance o a chaincode [
13
]. A cus om Hype ledge Fab ic
buildpack has been implemen ed by he communi y known as k8s builde
1
which enables ins alling and launching a
chaincode as a Kube ne es se ice. Ne e heless, i does no seg ega e he SDLC o a chaincode since i equi es a pee
o launch he chaincode wi h each deploymen . In addi ion, we no ed se e al s udies ha add essed he pe o mance o
Hype ledge Fab ic [14, 15] and used Hype ledge Calipe o pe o m benchma k es s [16, 17].
4 Requi emen Analysis
We ou line se e al equi emen s associa ed wi h he deploymen o chaincodes as lis ed below.
(1)
E icien deploymen s: The con en ional me hod o deploying a chaincode in Hype ledge Fab ic 2.x in ol es
a numbe o sequen ial s eps: package he chaincode in compliance wi h he equi ed olde s uc u e, ins all
he chaincode on pee s, app o e he chaincode de ini ion and subsequen ly commi i o a channel [
18
]. This
1h ps://gi hub.com/hype ledge -labs/ ab ic-builde -k8s
Yasi u Ra hsa a Wi ha anage, San iago Figue oa-Lo enzo, Nasibeh Mohammadzadeh, and Saioa A izabalaga Jua is i
Fig. 1. CICD low wi h he deli e y o chaincode p ope ies
en i e p ocess needs o be i e a ed whene e he implemen a ion is modi ied which can po en ially decele a e
he pace o a chaincode’s de elopmen li e cycle.
(2)
Suppo o de elopmen : The deploymen p ocess o a chaincode equi es de elope s o possess ope a ional
knowledge [19] which can hinde he g ow h o de elope communi y in Hype ledge Fab ic.
(3)
Func ional in eg i y: In con as o con en ional so wa e, a chaincode in e ac s wi h da a in a c oss-
o ganiza ional ne wo k and may o e se ices o mul iple dis inc i e conso iums [
20
]. The e o e, i is
manda o y o ensu e ha a deployed chaincode (i) sa is ies i s unc ional equi emen s and (ii) does no include
any male olen beha iou .
(4)
Se ice in eg i y: A pee should only in e ac wi h a alid chaincode ins ance and hence he in eg i y o a
chaincode se ice should be alida ed upon he connec ion es ablishmen wi h a pee .
(5)
Secu e chaincodes: A chaincode demands o be highly secu e wi h a ho ough in es iga ion o he co e
implemen a ion and i s ex e nal dependencies such as lib a ies and un ime en i onmen s [21].
(6)
Chaincode lineage: A mani es a ion o chaincode li e cycle e en s, including deploymen s, should be logged
wi h non- epudia ion o suppo aceabili y, audi abili y and anspa ency whene e necessa y [22].
(7)
Chaincode e sioning: A deployed chaincode is e e ed by a e sion in he ne wo k which should no allow
any modi ica ions du ing i s execu ion li e ime [18].
(8)
Po able chaincodes: O ganiza ions in a Hype ledge Fab ic ne wo k may sha e and deploy he same chaincode
package in o de o main ain consis ency [18].
(9)
Pe o mance o a chaincode: Blockchains consume mo e ansac ion la ency and deli e less h oughpu
compa ed o con en ional da abases [
23
]. The e o e, e alua ing he pe o mance o a chaincode p io o
i s deploymen can esul in awa eness o he o e all sys em and u he es ain he deploymen o any
unde pe o ming chaincodes.
Conce ns (1)-(2) imply ha he adop ion o a CICD me hodology suppo s he SDLC o a chaincode in Hype ledge
Fab ic, whe eas (3)-(9) demand ha such a CICD p ocess should p o ide he means o accomplish non- unc ional
equi emen s o a chaincode (e.g. code quali y, in eg i y, secu i y, pe o mance).
5 Me hodology
This sec ion p esen s an o e iew o he p oposed me hodology whe e we in oduce chaincode as a Kube ne es se ice
concep and hen desc ibe he design o ou CICD low based on he equi emen s speci ied in sec ion 4.
5.1 Chaincode as a Kube ne es Se ice
By de aul , a chaincode is launched as a Docke con aine by he pee when i s de ini ion is commi ed o a channel.
Since 2.0, Hype ledge Fab ic elimina es his igh coupling wi h he pee and enables a chaincode o be launched as an
ChainKode: A CICD me hodology o chaincode de elopmen in Hype ledge Fab ic based on Kube ne es
ex e nal se ice. Howe e , his can po en ially esul in an adminis a i e o e head, i an o ganiza ion has mul iple such
chaincode se ices deployed in Docke . A con aine o ches a ion ool such as Kube ne es can be used o o e come his
complexi y and manage chaincode con aine s con enien ly wi hin an o ganiza ion.
We le e age his possibili y in ou me hodology o deploy he chaincode as a Kube ne es se ice (CCaaKS). In pa icula ,
i educes he con en o a chaincode package ( equi es only me ada a and connec ion de ails) and he in ol emen o
pee s in deploying chaincodes (only du ing he ini ial deploymen and whene e he package is upda ed). Consequen ly,
i decouples he SDLC o a chaincode om he pee li e cycle and leads o he po en ial o in eg a ing CICD pipelines
o he de elopmen o chaincodes. Howe e , his app oach manda es a cus om buildpack o be moun ed on pee s,
which handles an ex e nal chaincode by skipping i s local ins alla ion and allowing he pee o connec o an ex e nal
endpoin .
5.2 Design o he CICD pipeline
We designed ou CICD me hodology based on he equi emen s in sec ion 4, such ha i p o ides an au oma ed pipeline
o deploy a chaincode (as a Kube ne es se ice) wi h adequa e le els o code-quali y, in eg i y, secu i y and pe o mance.
S a ic code analysis ools and lin e s can be used o alida e he chaincode a code le el whe eas uni and unc ional
es s should be implemen ed o e i y he in eg i y o algo i hms [
24
]. Once hese alida ion es s ha e been passed,
he pipeline should compile he sou ce code, build a con aine image and push i o a con aine egis y such ha i
p o ides e sioning and po abili y o deploy in mul iple ins ances i necessa y. Subsequen ly, So wa e Composi ion
Analysis (SCA) ools can be in eg a ed o scan he secu i y ulne abili ies o any ex e nal dependency used o he
chaincode se ice (e.g. hi d-pa y lib a ies in he implemen a ion, base image o hos ing he con aine ).
We de ined wo en i onmen s as s aging and p oduc ion in o de o adap ou me hodology o indus ial use cases. A
chaincode image de i ed om he p e ious s ages can be ini ially deployed o he s aging en i onmen and expe imen ed
wi h benchma king es s, since pe o mance is ega ded as a c ucial elemen in blockchain echnology [
25
]. The esul s
o hese e alua ions should be alida ed agains a p ede ined se o h eshold alues (con igu ed in a YAML ile) o
ensu e ha he pe o mance o he chaincode complies wi h he expec ed me ics (e.g. h oughpu , la ency).
I all he s eps succeed wi hou any ailu e, we deploy he chaincode image o he p oduc ion en i onmen wi h a
manual app o al o inco po a e human in e en ion in he o e all CICD pipeline. This also ans o ms ou app oach o
aCon inuous In eg a ion and Con inuous Deli e y me hodology due o he in ol emen o a semi-au oma ed p ocess. In
case o any ailu e (e.g. a h eshold is no sa is ied, ne wo k issue), a clean-up p ocess should be execu ed o emo e any
pe sis ed changes as applicable (e.g. dele e image om he con aine egis y). In addi ion, Gi bes p ac ices should be
adop ed h oughou he en i e p ocess o comply wi h u he equi emen s (e.g. associa e each commi wi h a change
eques o chaincode lineage, sign commi s o non- epudia ion, p o ec elease b anches o au ho iza ion). Figu e 1
shows he o e all low o ou designed me hodology wi h essen ial asks ha ensu e he non- unc ional equi emen s
o a chaincode as desc ibed in his sec ion.
6 Implemen a ion
This sec ion p o ides he implemen a ion-speci ic de ails o ou me hodology. Fi s , we discuss he in as uc u e se up
o he p oposed ecosys em which is ollowed by a comp ehensi e desc ip ion o he implemen ed CICD pipeline. Finally,
we desc ibe he moni o ing ools ela ed o ou con ex .

Yasi u Ra hsa a Wi ha anage, San iago Figue oa-Lo enzo, Nasibeh Mohammadzadeh, and Saioa A izabalaga Jua is i
6.1 In as uc u e
6.1.1 Hype ledge Fab ic: F om he pe spec i e o a ne wo k, Hype ledge Fab ic can be ega ded as a dis ibu ed
sys em wi h a se o dis inc i e se ice componen s (e.g. pee s, o de e s, CAs). Acco dingly, we u ilized Kube ne es o
main ain ou ne wo k in as uc u e by deploying Hype ledge Fab ic componen s as Kube ne es esou ces and hus
en o cing hei accessibili y cons ain s a he Kube ne es laye (e.g. ancho pee s as LoadBalance Se ice, in e nal
pee s and o ganiza ion CA as Clus e IP Se ice and Fab ic CLI as Deploymen ). As desc ibed in sec ion 5.1, we also
deploy chaincodes as Kube ne es se ices o suppo hei SDLCs.
6.1.2 Supplemen a y ools: In addi ion o he co e componen s, we deployed Blockchain Explo e and i s da abase
dependency (Pos g eSQL) in Kube ne es o moni o ing he blockchain ne wo k. We also de ined se e al ools o
acili a e and enhance he CICD p ocess o chaincodes in ou ecosys em. This includes a Gi lab unne o execu e jobs, a
se o se ices (Me ics-Expo e ,P ome heus and G a ana) o moni o pipelines, Sona Qube as a s a ic code analysis ool
and Calipe o e alua e he pe o mance o deployed chaincodes. In pa icula , we used a sel -managed Gi lab unne
o p o ide addi ional secu i y and p i acy du ing he execu ion o indi idual jobs. Since hese ools se e as u ili y
so wa e in ou me hodology, we deployed hem as Docke con aine s despi e ha Kube ne es can also be used o
such deploymen s. Figu e 2 illus a es a basic ne wo k a chi ec u e o hese componen s which se es as a bluep in o
ex end wi h addi ional componen s (e.g. pee s and o de e s) i necessa y.
Fig. 2. Ne wo k a chi ec u e
6.1.3 En i onmen s: We simula ed a s aging en i onmen in ou s udy by deploying a Kube ne es clus e wi h mic ok8s
2
in a Linux Con aine (LXC) which was hos ed on a ba e-me al se e . Subsequen ly, we used his Kube ne es clus e o
es ablish a ne wo k wi h Hype ledge Fab ic componen s and Blockchain Explo e as shown in Figu e 2. We u he
used he same se e ins ance o deploy a Gi lab unne and moni o ing ools as Docke con aine s. In con as , we only
deployed a Kube ne es clus e wi h a Hype ledge Fab ic ne wo k on a sepa a e ba e-me al se e as he p oduc ion
en i onmen . Figu e 3 shows hese en i onmen s wi h he componen s s acked on each se e .
6.2 CICD p ocess
As ou lined in sec ion 5, we designed a CICD pipeline wi h dis inc i e s ages and jobs (Figu e 4) o ensu e compliance o
design goals in ou me hodology. In he ollowing subsec ions, we di e in o he implemen a ion de ails o hese s ages.
6.2.1 Valida e: We ini ia ed he pipeline wi h code alida ion asks ela ed o Golang, since one o ou p ima y
objec i es is o suppo chaincode de elopmen in Golang. The e o e, we used i s na i e lin e , go-lin , in which a se o
lin e checks can be con igu ed ia .golangci.yml as equi ed. In addi ion, Sona Qube is used as a s a ic code analysis
ool o ensu e he quali y o he implemen a ion by inspec ing clean-code a ibu es and secu i y ulne abili ies.
2see mo e de ails a h ps://mic ok8s.io
ChainKode: A CICD me hodology o chaincode de elopmen in Hype ledge Fab ic based on Kube ne es
Fig. 3. En i onmen s wi h componen s acks
Fig. 4. Di ec ed Acyclic G aph o jobs wi h s ages
We included uni es ing in he subsequen job (go- es ) as i is conside ed a key mechanism o alida ing chain-
codes [
24
]. Since hese es s highly depend on he speci ic chaincode implemen a ion, de elope s a e esponsible o
implemen ing he co esponding es iles such ha a p ede ined es co e age h eshold is sa is ied. In case o c i ical
scena ios, his h eshold alue should be se highe such ha all possible beha iou s o he chaincode a e in es iga ed
and implemen ed as uni es s.
6.2.2 Build: Du ing his s age, he pipeline compiles, builds and pushes a chaincode (Docke ) image o he Gi lab
con aine egis y. We u ilized Di ec ed Acyclic G aphs in ou pipeline by de ining alida e jobs as p e- equisi es o he
build s age, such ha i does no p oceed wi h any insu icien sou ce code.
6.2.3 Tes : As discussed in sec ion 5, SCA ools play a key ole in deli e ing secu e chaincode se ices. To his end, we
used Gi lab’s inbuil con aine scanning job o inspec o secu i y ulne abili ies in con aine en i onmen s whe e a
chaincode will be execu ed. This is u he complemen ed wi h a dependency scanning job which analyses he secu i y
o hi d-pa y lib a ies (modules in Golang) used in a chaincode implemen a ion. Bo h o hese jobs include build s age
as a p e equisi e and gene a e he co esponding es esul s as a i ac s in he CICD pipeline.
6.2.4 P e-deploy: This s age deploys a chaincode o he s aging en i onmen by execu ing se e al asks au oma ed
wi h bash sc ip s. In pa icula , he pipeline de ines a se o a iables (e.g. chaincode name, e sion, package ID, se ice
endpoin , image ag) in .gi lab-ci.yml and cons uc s a Kube ne es mani es ile o he chaincode. Subsequen ly, i
moun s his ile on he s aging se e and boo s aps he chaincode as a Kube ne es se ice wi h i s package ID and
se ice endpoin as en i onmen a iables. To enhance he secu i y in ou app oach, we s o e he c eden ials o Gi lab
con aine egis y as Kube ne es sec e s [
26
], which p o ides au hen ica ion when downloading chaincode images.
Since dependency and con aine scanning jobs a e de ined as p e equisi es o his s age, a deployed chaincode in s aging
en i onmen can be assumed o be secu e i he p io jobs a e su icien ly capable o de ec ing ulne abili ies.
6.2.5 E alua e: In ou p oposed me hodology, we in eg a ed Hype ledge Calipe o e alua e he pe o mance o a
chaincode unde di e en ansac ion loads as speci ied by a se o wo kload modules (wi h benchma k es s). As simila
Yasi u Ra hsa a Wi ha anage, San iago Figue oa-Lo enzo, Nasibeh Mohammadzadeh, and Saioa A izabalaga Jua is i
Fig. 5. Compa ison be ween me hodologies
o uni es s, he esponsibili y o implemen ing wo kload modules should be delega ed o de elope s such ha he
benchma k es s adequa ely co e he c i ical unc ions o a chaincode. As o 0.6.0, Calipe only suppo s wo kload
implemen a ions in Node.js which can s ill be used o in oke Golang chaincodes. In addi ion o hese es s, benchma k
and ne wo k in o ma ion should be con igu ed wi h a leas one ancho -pee , which will be used by Calipe o connec
o he Hype ledge Fab ic ne wo k. The epo gene a ed by benchma ks is included as an a i ac o he job so ha i
can p o ide u he insigh s in e e ence o any supplemen a y documen a ion [16, 27].
We also included an au oma ed job o e i y he gene a ed pe o mance esul s agains a se o cons ain s. This
equi es an addi ional YAML con igu a ion ile which con ains a lis o h eshold alues as shown in Lis ing 1 o
each de ined es and me ic in Calipe (e.g. max. numbe o ailu es, a e age la ency uppe -bound, min. h oughpu ).
Once he pe o mance es s a e comple ed, hei esul s will be e alua ed agains hese h esholds o de e mine i he
chaincode sa is ies he expec ed le els o pe o mance.
h esholds :
ge −a s s e :
a i l : 2
max−la ency −sec : 1 . 5
a g−la ency −s ec : 0 . 5
h oughpu : 800
Lis ing 1. Th eshold con igu a ion o benchma king
6.2.6 Deploy: In he inal s age o ou p oposal, we use he mani es ile cons uc ed in p e-deploy s age o deploy he
chaincode o he p oduc ion en i onmen . A his poin , he chaincode implemen a ion along wi h i s Docke image
can easonably be conside ed as a se ice which sa is ies he de ined le els o code quali y, secu i y, in eg i y and
pe o mance. Howe e , we con igu ed he deploy s age wi h a manual app o al s ep o de ec and handle any un o eseen
complica ions p io o he inal deploymen o a chaincode.
Figu e 5 summa izes he low o ou me hodology as compa ed o he de aul p ocess o deploying a chaincode in
Hype ledge Fab ic. Despi e we p esen ou app oach con ining o Golang, i can also be used as a gene al amewo k
o accommoda e chaincode de elopmen in o he languages.
ChainKode: A CICD me hodology o chaincode de elopmen in Hype ledge Fab ic based on Kube ne es
6.3 Moni o ing
Con inuous moni o ing is ega ded as a c ucial componen o SDLC and in ou con ex , we ou line his in e ms o
blockchain ne wo k, chaincodes and CICD pipelines. Figu e 2 shows how we in eg a ed hese moni o ing ools in o
ou ecosys em. In pa icula , we used a hi d-pa y ool, gi lab-ci-pipelines-expo e
3
, o collec me ics om he CICD
pipelines and subsequen ly expo o a P ome heus ins ance. When con igu ed wi h a Gi lab Access Token and p ojec
eposi o y, he expo e se ice pulls me ics exposed by Gi lab APIs which p ima ily ela e o CICD jobs, pipelines and
deploymen s (e.g. job comple ion, pipeline s a us, deploymen du a ion). We ex ended his obse abili y by exposing
me ics om ou sel -managed Gi lab unne o p o ide u he insigh s ela ed o he ac ual se e s unning CICD
pipelines such as hei memo y u iliza ion, CPU ime and Golang speci ic me ics (e.g. ga bage collec ion, heap and
s ack alloca ions). P ome heus sc apes me ics om bo h o hese jobs (i.e. gi lab-ci-pipelines-expo e and unne ) and
deli e s hem o a G a ana ins ance o isualiza ion wi h dashboa ds (Figu e 6).
Fig. 6. G a ana dashboa d o CICD pipelines
Blockchain Explo e se es as a moni o ing ool o he Hype ledge Fab ic ne wo k. Speci ically, i p o ides a
dashboa d as shown in Figu e 7 wi h ne wo k in o ma ion (e.g. s a us o nodes), commi ed blocks, deployed channels
and ansac ion de ails (e.g. ype o a ansac ion, ead-w i e se , endo se s). Fu he , i allows o inspec he ins alled
chaincodes and in o ma ion abou hei sma con ac s (e.g. i le and e sion, pa ame e s and hei equi ed o ma s,
e u n da a ypes, schemas wi h hei p ope ies).
Fig. 7. Blockchain Explo e
7 E alua ion
We conduc ed se e al expe imen s o u he in es iga e he pe o mance o ou implemen ed me hodology in di e en
condi ions as desc ibed in he ollowing subsec ions.
3h ps://gi hub.com/m isonneau/gi lab-ci-pipelines-expo e