[committer] Secure Committer Communication with TLS and mTLS (#85)

<!--
Copyright IBM Corp. All Rights Reserved.

SPDX-License-Identifier: Apache-2.0
-->

#### Type of change
- New feature
- Improvement (improvement to code, performance, etc)
 
#### Description
To support secure communication between components, we added a TLS layer
to ensure encrypted message transmission.

This PR includes the following changes:

1. Implemented TLS and mTLS between the committer components.
2. Added TLS and mTLS support to the runtime, along with various TLS
modes tests that utilize the loadgen to submit transactions after
establishing a secure connection.
3. Added unit tests for each of the components.
4. Added TLS support to the loadgen adapters.


#### Additional details

* Each service can be configured to use TLS, mTLS, or an insecure
connection via the tlsConfig. Clients must be configured accordingly.
* All clients of a given service use the same set of credentials.

#### Related issues
Partly solves epic: #19, solves #108

Next related PRs:
1. TLS support for the database connection is already finished and just
waiting for this PR to be merged.
2. Integration tests based on release images.  
3. Unit tests for each load generator adapter.  
4. TLS support for Mock-Orderer to Sidecar communication.  
5. Prometheus servers configured with TLS.

---------

Signed-off-by: Dean Amar <Dean.Amar@ibm.com>

Author: dean-amar

cmd/config/app_config_test.go

@@ -41,17 +41,15 @@ func TestReadConfigSidecar(t *testing.T) {
 		name:           "default",
 		configFilePath: emptyConfig(t),
 		expectedConfig: &sidecar.Config{
-			Server:     makeServer("localhost", 4001),
-			Monitoring: makeMonitoring("localhost", 2114),
+			Server:     newServerConfig("localhost", 4001),
+			Monitoring: newMonitoringConfig("localhost", 2114),
 			Orderer: ordererconn.Config{
 				Connection: ordererconn.ConnectionConfig{
-					Endpoints: ordererconn.NewEndpoints(0, "", makeServer("localhost", 7050)),
+					Endpoints: ordererconn.NewEndpoints(0, "", newServerConfig("localhost", 7050)),
 				},
 				ChannelID: "mychannel",
 			},
-			Committer: sidecar.CoordinatorConfig{
-				Endpoint: *makeEndpoint("localhost", 9001),
-			},
+			Committer: newClientConfig("localhost", 9001),
 			Ledger: sidecar.LedgerConfig{
 				Path: "./ledger/",
 			},
@@ -67,7 +65,7 @@ func TestReadConfigSidecar(t *testing.T) {
 		configFilePath: "samples/sidecar.yaml",
 		expectedConfig: &sidecar.Config{
 			Server: &connection.ServerConfig{
-				Endpoint: *makeEndpoint("", 4001),
+				Endpoint: *newEndpoint("", 4001),
 				KeepAlive: &connection.ServerKeepAliveConfig{
 					Params: &connection.ServerKeepAliveParamsConfig{
 						Time:    300 * time.Second,
@@ -79,18 +77,16 @@ func TestReadConfigSidecar(t *testing.T) {
 					},
 				},
 			},
-			Monitoring: makeMonitoring("", 2114),
+			Monitoring: newMonitoringConfig("", 2114),
 			Orderer: ordererconn.Config{
 				Connection: ordererconn.ConnectionConfig{
 					Endpoints: ordererconn.NewEndpoints(
-						0, "", makeServer("ordering-service", 7050),
+						0, "", newServerConfig("ordering-service", 7050),
 					),
 				},
 				ChannelID: "mychannel",
 			},
-			Committer: sidecar.CoordinatorConfig{
-				Endpoint: *makeEndpoint("coordinator", 9001),
-			},
+			Committer: newClientConfig("coordinator", 9001),
 			Ledger: sidecar.LedgerConfig{
 				Path: "/root/sc/ledger",
 			},
@@ -124,9 +120,9 @@ func TestReadConfigCoordinator(t *testing.T) {
 		name:           "default",
 		configFilePath: emptyConfig(t),
 		expectedConfig: &coordinator.Config{
-			Server:     makeServer("localhost", 9001),
-			Monitoring: makeMonitoring("localhost", 2119),
-			DependencyGraphConfig: &coordinator.DependencyGraphConfig{
+			Server:     newServerConfig("localhost", 9001),
+			Monitoring: newMonitoringConfig("localhost", 2119),
+			DependencyGraph: &coordinator.DependencyGraphConfig{
 				NumOfLocalDepConstructors: 1,
 				WaitingTxsLimit:           100_000,
 			},
@@ -136,15 +132,11 @@ func TestReadConfigCoordinator(t *testing.T) {
 		name:           "sample",
 		configFilePath: "samples/coordinator.yaml",
 		expectedConfig: &coordinator.Config{
-			Server:     makeServer("", 9001),
-			Monitoring: makeMonitoring("", 2119),
-			VerifierConfig: connection.ClientConfig{
-				Endpoints: []*connection.Endpoint{makeEndpoint("signature-verifier", 5001)},
-			},
-			ValidatorCommitterConfig: connection.ClientConfig{
-				Endpoints: []*connection.Endpoint{makeEndpoint("validator-persister", 6001)},
-			},
-			DependencyGraphConfig: &coordinator.DependencyGraphConfig{
+			Server:             newServerConfig("", 9001),
+			Monitoring:         newMonitoringConfig("", 2119),
+			Verifier:           newMultiClientConfig("signature-verifier", 5001),
+			ValidatorCommitter: newMultiClientConfig("validator-persister", 6001),
+			DependencyGraph: &coordinator.DependencyGraphConfig{
 				NumOfLocalDepConstructors: 1,
 				WaitingTxsLimit:           100_000,
 			},
@@ -174,8 +166,8 @@ func TestReadConfigVC(t *testing.T) {
 		name:           "default",
 		configFilePath: emptyConfig(t),
 		expectedConfig: &vc.Config{
-			Server:     makeServer("localhost", 6001),
-			Monitoring: makeMonitoring("localhost", 2116),
+			Server:     newServerConfig("localhost", 6001),
+			Monitoring: newMonitoringConfig("localhost", 2116),
 			Database:   defaultDBConfig(),
 			ResourceLimits: &vc.ResourceLimitsConfig{
 				MaxWorkersForPreparer:             1,
@@ -189,8 +181,8 @@ func TestReadConfigVC(t *testing.T) {
 		name:           "sample",
 		configFilePath: "samples/vcservice.yaml",
 		expectedConfig: &vc.Config{
-			Server:     makeServer("", 6001),
-			Monitoring: makeMonitoring("", 2116),
+			Server:     newServerConfig("", 6001),
+			Monitoring: newMonitoringConfig("", 2116),
 			Database:   defaultSampleDBConfig(),
 			ResourceLimits: &vc.ResourceLimitsConfig{
 				MaxWorkersForPreparer:             1,
@@ -224,8 +216,8 @@ func TestReadConfigVerifier(t *testing.T) {
 		name:           "default",
 		configFilePath: emptyConfig(t),
 		expectedConfig: &verifier.Config{
-			Server:     makeServer("localhost", 5001),
-			Monitoring: makeMonitoring("localhost", 2115),
+			Server:     newServerConfig("localhost", 5001),
+			Monitoring: newMonitoringConfig("localhost", 2115),
 			ParallelExecutor: verifier.ExecutorConfig{
 				Parallelism:       4,
 				BatchSizeCutoff:   50,
@@ -237,8 +229,8 @@ func TestReadConfigVerifier(t *testing.T) {
 		name:           "sample",
 		configFilePath: "samples/sigservice.yaml",
 		expectedConfig: &verifier.Config{
-			Server:     makeServer("", 5001),
-			Monitoring: makeMonitoring("", 2115),
+			Server:     newServerConfig("", 5001),
+			Monitoring: newMonitoringConfig("", 2115),
 			ParallelExecutor: verifier.ExecutorConfig{
 				BatchSizeCutoff:   50,
 				BatchTimeCutoff:   10 * time.Millisecond,
@@ -270,8 +262,8 @@ func TestReadConfigQuery(t *testing.T) {
 		name:           "default",
 		configFilePath: emptyConfig(t),
 		expectedConfig: &query.Config{
-			Server:                makeServer("localhost", 7001),
-			Monitoring:            makeMonitoring("localhost", 2117),
+			Server:                newServerConfig("localhost", 7001),
+			Monitoring:            newMonitoringConfig("localhost", 2117),
 			Database:              defaultDBConfig(),
 			MinBatchKeys:          1024,
 			MaxBatchWait:          100 * time.Millisecond,
@@ -283,8 +275,8 @@ func TestReadConfigQuery(t *testing.T) {
 		name:           "sample",
 		configFilePath: "samples/queryservice.yaml",
 		expectedConfig: &query.Config{
-			Server:                makeServer("", 7001),
-			Monitoring:            makeMonitoring("", 2117),
+			Server:                newServerConfig("", 7001),
+			Monitoring:            newMonitoringConfig("", 2117),
 			Database:              defaultSampleDBConfig(),
 			MinBatchKeys:          1024,
 			MaxBatchWait:          100 * time.Millisecond,
@@ -316,18 +308,18 @@ func TestReadConfigLoadGen(t *testing.T) {
 		name:           "default",
 		configFilePath: emptyConfig(t),
 		expectedConfig: &loadgen.ClientConfig{
-			Server: makeServer("localhost", 8001),
+			Server: newServerConfig("localhost", 8001),
 			Monitoring: metrics.Config{
-				Config: makeMonitoring("localhost", 2118),
+				Config: newMonitoringConfig("localhost", 2118),
 			},
 		},
 	}, {
 		name:           "sample",
 		configFilePath: "samples/loadgen.yaml",
 		expectedConfig: &loadgen.ClientConfig{
-			Server: makeServer("", 8001),
+			Server: newServerConfig("", 8001),
 			Monitoring: metrics.Config{
-				Config: makeMonitoring("", 2118),
+				Config: newMonitoringConfig("", 2118),
 				Latency: metrics.LatencyConfig{
 					SamplerConfig: metrics.SamplerConfig{
 						Portion: 0.01,
@@ -341,11 +333,11 @@ func TestReadConfigLoadGen(t *testing.T) {
 			},
 			Adapter: adapters.AdapterConfig{
 				OrdererClient: &adapters.OrdererClientConfig{
-					SidecarEndpoint: makeEndpoint("sidecar", 4001),
+					SidecarClient: newClientConfig("sidecar", 4001),
 					Orderer: ordererconn.Config{
 						Connection: ordererconn.ConnectionConfig{
 							Endpoints: ordererconn.NewEndpoints(
-								0, "", makeServer("ordering-service", 7050),
+								0, "", newServerConfig("ordering-service", 7050),
 							),
 						},
 						ChannelID:     "mychannel",
@@ -373,7 +365,7 @@ func TestReadConfigLoadGen(t *testing.T) {
 							ID:       0,
 							MspID:    "org",
 							API:      []string{"broadcast", "deliver"},
-							Endpoint: *makeEndpoint("ordering-service", 7050),
+							Endpoint: *newEndpoint("ordering-service", 7050),
 						}},
 					},
 				},
@@ -385,7 +377,7 @@ func TestReadConfigLoadGen(t *testing.T) {
 			},
 			Stream: &workload.StreamOptions{
 				RateLimit: &workload.LimiterConfig{
-					Endpoint:     *makeEndpoint("", 6997),
+					Endpoint:     *newEndpoint("", 6997),
 					InitialLimit: 10_000,
 				},
 				BuffersSize: 10,
@@ -415,7 +407,7 @@ func TestReadConfigLoadGen(t *testing.T) {
 
 func defaultDBConfig() *vc.DatabaseConfig {
 	return &vc.DatabaseConfig{
-		Endpoints:      []*connection.Endpoint{makeEndpoint("localhost", 5433)},
+		Endpoints:      []*connection.Endpoint{newEndpoint("localhost", 5433)},
 		Username:       "yugabyte",
 		Password:       "yugabyte",
 		Database:       "yugabyte",
@@ -429,7 +421,7 @@ func defaultDBConfig() *vc.DatabaseConfig {
 
 func defaultSampleDBConfig() *vc.DatabaseConfig {
 	return &vc.DatabaseConfig{
-		Endpoints:      []*connection.Endpoint{makeEndpoint("db", 5433)},
+		Endpoints:      []*connection.Endpoint{newEndpoint("db", 5433)},
 		Username:       "yugabyte",
 		Password:       "yugabyte",
 		Database:       "yugabyte",
@@ -446,21 +438,37 @@ func defaultSampleDBConfig() *vc.DatabaseConfig {
 	}
 }
 
-func makeEndpoint(host string, port int) *connection.Endpoint {
-	return &connection.Endpoint{
-		Host: host,
-		Port: port,
+func newClientConfig(host string, port int) *connection.ClientConfig {
+	return &connection.ClientConfig{
+		Endpoint: newEndpoint(host, port),
+	}
+}
+
+func newMultiClientConfig(host string, port int) connection.MultiClientConfig {
+	return connection.MultiClientConfig{
+		Endpoints: []*connection.Endpoint{
+			newEndpoint(host, port),
+		},
+	}
+}
+
+func newMonitoringConfig(host string, port int) monitoring.Config {
+	return monitoring.Config{
+		Server: newServerConfig(host, port),
 	}
 }
 
-func makeServer(host string, port int) *connection.ServerConfig {
+func newServerConfig(host string, port int) *connection.ServerConfig {
 	return &connection.ServerConfig{
-		Endpoint: *makeEndpoint(host, port),
+		Endpoint: *newEndpoint(host, port),
 	}
 }
 
-func makeMonitoring(host string, port int) monitoring.Config {
-	return monitoring.Config{Server: makeServer(host, port)}
+func newEndpoint(host string, port int) *connection.Endpoint {
+	return &connection.Endpoint{
+		Host: host,
+		Port: port,
+	}
 }
 
 func emptyConfig(t *testing.T) string {

cmd/config/cobra_test_exports.go

@@ -26,6 +26,7 @@ import (
 	"github.com/hyperledger/fabric-x-committer/service/vc/dbtest"
 	"github.com/hyperledger/fabric-x-committer/utils/connection"
 	"github.com/hyperledger/fabric-x-committer/utils/logging"
+	"github.com/hyperledger/fabric-x-committer/utils/test"
 )
 
 // CommandTest is a struct that represents a CMD unit test.
@@ -47,7 +48,7 @@ func StartDefaultSystem(t *testing.T) SystemConfig {
 	_, orderer := mock.StartMockOrderingServices(t, &mock.OrdererConfig{NumService: 1})
 	_, coordinator := mock.StartMockCoordinatorService(t)
 	conn := dbtest.PrepareTestEnv(t)
-	server := connection.NewLocalHostServer()
+	server := connection.NewLocalHostServerWithTLS(test.InsecureTLSConfig)
 	listen, err := server.Listener()
 	require.NoError(t, err)
 	connection.CloseConnectionsLog(listen)

cmd/config/create_config_file.go

@@ -31,6 +31,11 @@ type (
 		// Instance endpoints.
 		ServiceEndpoints ServiceEndpoints
 
+		// ServiceTLS holds the TLS configuration for a service.
+		ServiceTLS connection.TLSConfig
+		// ClientTLS holds the TLS configuration used by a service when acting as a client to other services.
+		ClientTLS connection.TLSConfig
+
 		// System's resources.
 		Endpoints SystemEndpoints
 		DB        DatabaseConfig

cmd/config/samples/loadgen.yaml

@@ -16,7 +16,8 @@ monitoring:
       bucket-count: 1000
 
 orderer-client:
-  sidecar-endpoint: sidecar:4001
+  sidecar-client:
+    endpoint: sidecar:4001
   orderer:
     connection:
       endpoints:

cmd/config/templates/coordinator.yaml

@@ -4,6 +4,14 @@
 #
 server:
   endpoint: {{ .ServiceEndpoints.Server | default "localhost:0" }}
+  tls:
+    mode: {{ .ServiceTLS.Mode }}
+    key-path: {{ .ServiceTLS.KeyPath }}
+    cert-path: {{ .ServiceTLS.CertPath }}
+    ca-cert-paths:
+      {{- range .ServiceTLS.CACertPaths }}
+      - {{ . }}
+      {{- end }}
 monitoring:
   server:
     endpoint: {{ .ServiceEndpoints.Metrics | default "localhost:0" }}
@@ -13,11 +21,20 @@ verifier:
     {{- range .Endpoints.Verifier }}
     - {{ .Server }}
     {{- end }}
+  tls: &ClientCreds
+    mode: {{ .ClientTLS.Mode }}
+    key-path: {{ .ClientTLS.KeyPath }}
+    cert-path: {{ .ClientTLS.CertPath }}
+    ca-cert-paths:
+      {{- range .ClientTLS.CACertPaths }}
+      - {{ . }}
+      {{- end }}
 validator-committer:
   endpoints:
    {{- range .Endpoints.VCService }}
     - {{ .Server }}
    {{- end }}
+  tls: *ClientCreds
 
 dependency-graph:
   num-of-local-dep-constructors: 1

cmd/config/templates/loadgen_client_coordinator.yaml

@@ -7,3 +7,11 @@
 
 coordinator-client:
   endpoint: {{ .Endpoints.Coordinator.Server }}
+  tls:
+    mode: {{ .ClientTLS.Mode }}
+    key-path: {{ .ClientTLS.KeyPath }}
+    cert-path: {{ .ClientTLS.CertPath }}
+    ca-cert-paths:
+      {{- range .ClientTLS.CACertPaths }}
+      - {{ . }}
+      {{- end }}

cmd/config/templates/loadgen_client_distributed_loadgen.yaml

@@ -7,3 +7,11 @@
 
 loadgen-client:
   endpoint: {{ .Endpoints.LoadGen.Server }}
+  tls:
+    mode: {{ .ClientTLS.Mode }}
+    key-path: {{ .ClientTLS.KeyPath }}
+    cert-path: {{ .ClientTLS.CertPath }}
+    ca-cert-paths:
+      {{- range .ClientTLS.CACertPaths }}
+      - {{ . }}
+      {{- end }}

cmd/config/templates/loadgen_client_orderer.yaml

@@ -6,7 +6,16 @@
 # It should be complimented by the common load generator configuration.
 
 orderer-client:
-  sidecar-endpoint: {{ .Endpoints.Sidecar.Server }}
+  sidecar-client:
+    endpoint: {{ .Endpoints.Sidecar.Server }}
+    tls:
+      mode: {{ .ClientTLS.Mode }}
+      key-path: {{ .ClientTLS.KeyPath }}
+      cert-path: {{ .ClientTLS.CertPath }}
+      ca-cert-paths:
+        {{- range .ClientTLS.CACertPaths }}
+        - {{ . }}
+        {{- end }}
   orderer:
     connection:
       endpoints: