feat: implement TLS and mTLS support for server and client

- Added TLS and mTLS configuration for both server and client
- Implemented secure communication unit tests
- Fixed linter issues and test configurations
- Updated Docker ENV and YAML configurations
- Refactored ServerConfig references to ClientConfig

Signed-off-by: Dean Amar <Dean.Amar@ibm.com>

Author: dean-amar

cmd/config/app_config_test.go

@@ -49,7 +49,7 @@ func TestReadConfigSidecar(t *testing.T) {
 				ChannelID: "mychannel",
 			},
 			Committer: sidecar.CoordinatorConfig{
-				Endpoint: *makeEndpoint("localhost", 9001),
+				Config: makeClientConfig("localhost", 9001),
 			},
 			Ledger: sidecar.LedgerConfig{
 				Path: "./ledger/",
@@ -84,7 +84,7 @@ func TestReadConfigSidecar(t *testing.T) {
 				ChannelID: "mychannel",
 			},
 			Committer: sidecar.CoordinatorConfig{
-				Endpoint: *makeEndpoint("coordinator", 9001),
+				Config: makeClientConfig("coordinator", 9001),
 			},
 			Ledger: sidecar.LedgerConfig{
 				Path: "/root/sc/ledger",
@@ -128,14 +128,10 @@ func TestReadConfigCoordinator(t *testing.T) {
 		name:           "sample",
 		configFilePath: "samples/coordinator.yaml",
 		expectedConfig: &coordinator.Config{
-			Server:     makeServer("", 9001),
-			Monitoring: makeMonitoring("", 2119),
-			VerifierConfig: connection.ClientConfig{
-				Endpoints: []*connection.Endpoint{makeEndpoint("signature-verifier", 5001)},
-			},
-			ValidatorCommitterConfig: connection.ClientConfig{
-				Endpoints: []*connection.Endpoint{makeEndpoint("validator-persister", 6001)},
-			},
+			Server:                   makeServer("", 9001),
+			Monitoring:               makeMonitoring("", 2119),
+			VerifierConfig:           *makeClientConfig("signature-verifier", 5001),
+			ValidatorCommitterConfig: *makeClientConfig("validator-persister", 6001),
 			DependencyGraphConfig: &coordinator.DependencyGraphConfig{
 				NumOfLocalDepConstructors:       1,
 				WaitingTxsLimit:                 10_000,
@@ -334,7 +330,7 @@ func TestReadConfigLoadGen(t *testing.T) {
 			},
 			Adapter: adapters.AdapterConfig{
 				OrdererClient: &adapters.OrdererClientConfig{
-					SidecarEndpoint: makeEndpoint("sidecar", 4001),
+					SidecarConfig: makeClientConfig("sidecar", 4001),
 					Orderer: broadcastdeliver.Config{
 						Connection: broadcastdeliver.ConnectionConfig{
 							Endpoints: connection.NewOrdererEndpoints(
@@ -438,10 +434,11 @@ func defaultSampleDBConfig() *vc.DatabaseConfig {
 	}
 }
 
-func makeEndpoint(host string, port int) *connection.Endpoint {
-	return &connection.Endpoint{
-		Host: host,
-		Port: port,
+func makeClientConfig(host string, port int) *connection.ClientConfig {
+	return &connection.ClientConfig{
+		Endpoints: []*connection.Endpoint{
+			makeEndpoint(host, port),
+		},
 	}
 }
 
@@ -451,6 +448,13 @@ func makeServer(host string, port int) *connection.ServerConfig {
 	}
 }
 
+func makeEndpoint(host string, port int) *connection.Endpoint {
+	return &connection.Endpoint{
+		Host: host,
+		Port: port,
+	}
+}
+
 func makeMonitoring(host string, port int) monitoring.Config {
 	return monitoring.Config{Server: makeServer(host, port)}
 }

cmd/config/create_config_file.go

@@ -34,11 +34,15 @@ type (
 		// Instance endpoints.
 		ServiceEndpoints ServiceEndpoints
 
+		// Service Tls options and certificates.
+		ServiceTLS connection.ConfigTLS
+
 		// System's resources.
 		Endpoints SystemEndpoints
 		DB        DatabaseConfig
 
 		// Per service configurations.
+		ClientsCreds      ClientsTLSConfig        // coordinator, sidecar
 		BlockSize         uint64                  // orderer, loadgen
 		BlockTimeout      time.Duration           // orderer
 		ConfigBlockPath   string                  // orderer, sidecar, loadgen
@@ -75,6 +79,15 @@ type (
 		Endpoints   []*connection.Endpoint
 	}
 
+	// ClientsTLSConfig contains the client's config TLS.
+	ClientsTLSConfig struct {
+		Vc          connection.ConfigTLS
+		Verifier    connection.ConfigTLS
+		Coordinator connection.ConfigTLS
+		Sidecar     connection.ConfigTLS
+		Query       connection.ConfigTLS
+	}
+
 	// ConfigBlock represents the configuration of the config block.
 	ConfigBlock = workload.ConfigBlock //nolint:revive
 )

cmd/config/samples/loadgen.yaml

@@ -16,7 +16,9 @@ monitoring:
       bucket-count: 1000
 
 orderer-client:
-  sidecar-endpoint: sidecar:4001
+  sidecar-client-config:
+    endpoints:
+      - sidecar:4001
   orderer:
     connection:
       endpoints:

cmd/config/samples/sidecar.yaml

@@ -31,7 +31,9 @@ orderer:
   #       Security: 256
   #       Hash: SHA2
 committer:
-  endpoint: coordinator:9001
+  client:
+    endpoints:
+      - coordinator:9001
 ledger:
   path: /root/sc/ledger
 

cmd/config/templates/coordinator.yaml

@@ -4,6 +4,16 @@
 #
 server:
   endpoint: {{ .ServiceEndpoints.Server | default "localhost:0" }}
+  server-creds:
+    tls-mode: {{ .ServiceTLS.Mode }}
+    server-name: {{ .ServiceTLS.ServerName }}
+    cert-path: {{ .ServiceTLS.CertPath }}
+    key-path: {{ .ServiceTLS.KeyPath }}
+    ca-cert-paths:
+      {{- range .ServiceTLS.CACertPaths }}
+      - {{ . }}
+      {{- end }}
+
 monitoring:
   server:
     endpoint: {{ .ServiceEndpoints.Metrics | default "localhost:0" }}
@@ -13,11 +23,30 @@ verifier:
     {{- range .Endpoints.Verifier }}
     - {{ .Server }}
     {{- end }}
+  client-creds:
+    tls-mode: {{ .ClientsCreds.Verifier.Mode }}
+    server-name: {{ .ClientsCreds.Verifier.ServerName }}
+    key-path: {{ .ClientsCreds.Verifier.KeyPath }}
+    cert-path: {{ .ClientsCreds.Verifier.CertPath }}
+    ca-cert-paths:
+      {{- range .ClientsCreds.Verifier.CACertPaths }}
+      - {{ . }}
+      {{- end }}
+
 validator-committer:
   endpoints:
-   {{- range .Endpoints.VCService }}
+    {{- range .Endpoints.VCService }}
     - {{ .Server }}
-   {{- end }}
+    {{- end }}
+  client-creds:
+    tls-mode: {{ .ClientsCreds.Vc.Mode }}
+    server-name: {{ .ClientsCreds.Vc.ServerName }}
+    key-path: {{ .ClientsCreds.Vc.KeyPath }}
+    cert-path: {{ .ClientsCreds.Vc.CertPath }}
+    ca-cert-paths:
+      {{- range .ClientsCreds.Vc.CACertPaths }}
+      - {{ . }}
+      {{- end }}
 
 dependency-graph:
   num-of-local-dep-constructors: 1

cmd/config/templates/loadgen_client_orderer.yaml

@@ -6,7 +6,18 @@
 # It should be complimented by the common load generator configuration.
 
 orderer-client:
-  sidecar-endpoint: {{ .Endpoints.Sidecar.Server }}
+  sidecar-client-config:
+    endpoints:
+      - {{ .Endpoints.Sidecar.Server }}
+    client-creds:
+      tls-mode: {{ .ClientsCreds.Sidecar.Mode }}
+      server-name: {{ .ClientsCreds.Sidecar.ServerName }}
+      cert-path: {{ .ClientsCreds.Sidecar.CertPath }}
+      key-path: {{ .ClientsCreds.Sidecar.KeyPath }}
+      ca-cert-paths:
+        {{- range .ClientsCreds.Sidecar.CACertPaths }}
+        - {{ . }}
+        {{- end }}
   orderer:
     connection:
       endpoints:

cmd/config/templates/loadgen_client_sidecar.yaml

@@ -6,7 +6,18 @@
 # It should be complimented by the common load generator configuration.
 
 sidecar-client:
-  sidecar-endpoint: {{ .Endpoints.Sidecar.Server }}
+  sidecar-client-config:
+    endpoints:
+      - {{ .Endpoints.Sidecar.Server }}
+    client-creds:
+      tls-mode: {{ .ClientsCreds.Sidecar.Mode }}
+      server-name: {{ .ClientsCreds.Sidecar.ServerName }}
+      cert-path: {{ .ClientsCreds.Sidecar.CertPath }}
+      key-path: {{ .ClientsCreds.Sidecar.KeyPath }}
+      ca-cert-paths:
+        {{- range .ClientsCreds.Sidecar.CACertPaths }}
+        - {{ . }}
+        {{- end }}
   orderer-servers:
     {{- range .Endpoints.Orderer }}
     - endpoint: {{ .Server }}

cmd/config/templates/queryexecutor.yaml

@@ -5,6 +5,15 @@
 # Configuration for the server
 server:
   endpoint: {{ .ServiceEndpoints.Server | default "localhost:0" }}
+  server-creds:
+    tls-mode: {{ .ServiceTLS.Mode }}
+    server-name: {{ .ServiceTLS.ServerName }}
+    cert-path: {{ .ServiceTLS.CertPath }}
+    key-path: {{ .ServiceTLS.KeyPath }}
+    ca-cert-paths:
+      {{- range .ServiceTLS.CACertPaths }}
+      - {{ . }}
+      {{- end }}
 monitoring:
   server:
     endpoint: {{ .ServiceEndpoints.Metrics | default "localhost:0" }}

cmd/config/templates/sidecar.yaml

@@ -4,6 +4,15 @@
 #
 server:
   endpoint: {{ .ServiceEndpoints.Server | default "localhost:0" }}
+  server-creds:
+    tls-mode: {{ .ServiceTLS.Mode }}
+    server-name: {{ .ServiceTLS.ServerName }}
+    cert-path: {{ .ServiceTLS.CertPath }}
+    key-path: {{ .ServiceTLS.KeyPath }}
+    ca-cert-paths:
+      {{- range .ServiceTLS.CACertPaths }}
+      - {{ . }}
+      {{- end }}
   keep-alive:
     params:
       time: 300s
@@ -24,7 +33,18 @@ orderer:
   channel-id: {{ .ChannelID }}
   consensus-type: BFT
 committer:
-  endpoint: {{ .Endpoints.Coordinator.Server }}
+  client:
+    endpoints:
+      - {{ .Endpoints.Coordinator.Server }}
+    client-creds:
+      tls-mode: {{ .ClientsCreds.Coordinator.Mode }}
+      server-name: {{ .ClientsCreds.Coordinator.ServerName }}
+      cert-path: {{ .ClientsCreds.Coordinator.CertPath }}
+      key-path: {{ .ClientsCreds.Coordinator.KeyPath }}
+      ca-cert-paths:
+        {{- range .ClientsCreds.Coordinator.CACertPaths }}
+        - {{ . }}
+        {{- end }}
 
 ledger:
   path: {{ .LedgerPath }}

cmd/config/templates/signatureverifier.yaml

@@ -4,6 +4,16 @@
 #
 server:
   endpoint: {{ .ServiceEndpoints.Server | default "localhost:0" }}
+  server-creds:
+    tls-mode: {{ .ServiceTLS.Mode }}
+    server-name: {{ .ServiceTLS.ServerName }}
+    cert-path: {{ .ServiceTLS.CertPath }}
+    key-path: {{ .ServiceTLS.KeyPath }}
+    ca-cert-paths:
+      {{- range .ServiceTLS.CACertPaths }}
+      - {{ . }}
+      {{- end }}
+
 monitoring:
   server:
     endpoint: {{ .ServiceEndpoints.Metrics | default "localhost:0" }}