[committer] Secure Committer Communication with TLS and mTLS #85

Merged
cendhu merged 51 commits into hyperledger:main from dean-amar:tls-addition
Sep 16, 2025

@dean-amar dean-amar commented Jul 16, 2025

Type of change

  • New feature
  • Improvement (improvement to code, performance, etc)

Description

To support secure communication between components, we added a TLS layer to ensure encrypted message transmission.

This PR includes the following changes:

  1. Implemented TLS and mTLS between the committer components.
  2. Added TLS and mTLS support to the runtime, along with various TLS modes tests that utilize the loadgen to submit transactions after establishing a secure connection.
  3. Added unit tests for each of the components.
  4. Added TLS support to the loadgen adapters.

Additional details

  • Each service can be configured to use TLS, mTLS, or an insecure connection via the tlsConfig. Clients must be configured accordingly.
  • All clients of a given service use the same set of credentials.

Related issues

Partly solves epic: #19, solves #108

Next related PRs:

  1. TLS support for the database connection is already finished and just waiting for this PR to be merged.
  2. Integration tests based on release images.
  3. Unit tests for each load generator adapter.
  4. TLS support for Mock-Orderer to Sidecar communication.
  5. Prometheus servers configured with TLS.

@dean-amar dean-amar force-pushed the tls-addition branch 2 times, most recently from 8910626 to 681e5f5 Compare July 16, 2025 15:13
- Added TLS and mTLS configuration for both server and client
- Implemented secure communication unit tests
- Fixed linter issues and test configurations
- Updated Docker ENV and YAML configurations
- Refactored ServerConfig references to ClientConfig

Signed-off-by: Dean Amar <Dean.Amar@ibm.com>
@dean-amar dean-amar marked this pull request as draft July 16, 2025 15:21
@dean-amar dean-amar marked this pull request as ready for review July 16, 2025 15:23
@cendhu cendhu requested a review from Copilot July 17, 2025 12:48

Copilot AI left a comment

Pull Request Overview

This PR adds end-to-end TLS and mTLS support for all committer components, enabling encrypted and authenticated gRPC communication.

  • Introduce ConfigTLS with ServerOption/ClientOption in utils/connection/tls.go
  • Update server and client utilities to consume ConfigTLS instead of insecure defaults
  • Add a reusable RunSecureConnectionTest helper and cover all services/tests with secure-connection scenarios

Reviewed Changes

Copilot reviewed 43 out of 43 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| utils/connection/tls.go | Implement ConfigTLS type and methods for TLS/mTLS support |
| utils/connection/server_util.go | Refactor GrpcServer to return TLS-enabled grpc.Server |
| utils/connection/client_util.go | Update dial configs to use ClientOption from ConfigTLS |
| utils/test/secure_connection.go | New test helper to exercise various TLS modes end-to-end |
| service/**/.go / **/_test.go | Add secure-connection tests for verifier, VC, sidecar, etc. |
| integration/runner/runtime.go | Wire up TLS cert generation and credential injection in runner |
| loadgen/client_test.go | Update loadgen tests to reference TLS-enabled client configs |
| cmd/config/templates/*.yaml | Extend all config templates to include server-creds/client-creds |
| cmd/config/app_config_test.go | Update config-parse tests for new client TLS settings |
| docker/test/container_test.go | Update container tests to use ClientConfig |
| docker/images/test_node/Dockerfile | Rename env vars for client endpoint lists |

Comments suppressed due to low confidence (5)

utils/connection/server_util.go:46

  • The comment for GrpcServer is outdated since the method now returns (*grpc.Server, error). Please update it to describe the new signature and error return.
// GrpcServer instantiate a [grpc.Server].

utils/connection/tls.go:38

  • [nitpick] The constant name TLSEmpty may be unclear. Consider renaming to TLSDefault or TLSUnspecified to better convey its purpose.
	TLSEmpty  TLSMode = ""

utils/connection/tls.go:155

  • There’s no unit test covering the case where buildCertPool receives an empty slice of CA paths and returns an error. Consider adding a test to verify that error path.
	if len(paths) == 0 {

utils/connection/tls.go:79

  • [nitpick] The name ClientOptionWithConfig is ambiguous given that you already have ClientOption. Consider renaming it to something like ClientCredentialsWithConfig to clarify that it returns both raw tls.Config and transport credentials.
func (c *ConfigTLS) ClientOptionWithConfig() (*tls.Config, credentials.TransportCredentials, error) {

integration/runner/runtime.go:647

  • createSystemConfigWithServerCerts returns &serviceCfg, a pointer to a locally scoped variable. This pointer will be invalid after the function returns. Consider allocating on the heap or returning a copy of c.SystemConfig directly.
	serviceCfg := c.SystemConfig

* I focused test coverage on the core functionality rather than simple input validation checks. The empty slice case is a straightforward early return that doesn't affect the main certificate building logic.

Signed-off-by: Dean Amar <Dean.Amar@ibm.com>
…tests

* Moved tlsgen to an outer package to prevent over-coupling

Signed-off-by: Dean Amar <Dean.Amar@ibm.com>
@dean-amar

Conducted an online review with @liran-funaro. Updates will follow accordingly.

dean-amar added 15 commits July 29, 2025 15:37
* Semantic changes.

Signed-off-by: Dean Amar <Dean.Amar@ibm.com>
* removed TLSMode type.

Signed-off-by: Dean Amar <Dean.Amar@ibm.com>
…g type.

* Move tls_manager to the test package.

Signed-off-by: Dean Amar <Dean.Amar@ibm.com>
…S configurations.

Signed-off-by: Dean Amar <Dean.Amar@ibm.com>
…set by the hostname of the service we want to connect to by default.

* Removed unnecessary code.

Signed-off-by: Dean Amar <Dean.Amar@ibm.com>
* Explicit comments and returned errors for tls creds builders.

Signed-off-by: Dean Amar <Dean.Amar@ibm.com>
* Added support for loadgen clients tls and for distributed loadgen tls connectivity.

Signed-off-by: Dean Amar <Dean.Amar@ibm.com>
@dean-amar dean-amar requested a review from liran-funaro August 31, 2025 09:23

@liran-funaro liran-funaro left a comment

This is my last review after multiple iterations of online reviews.
This looks good overall, but I still have a few minor comments.
Especially in utils/test/secure_connection.go.
@cendhu Please add your review and merge the PR when it is ready.

@dean-amar dean-amar requested a review from cendhu September 2, 2025 11:38

@liran-funaro liran-funaro left a comment

LGTM. @cendhu If you have time, I'd prefer you have a quick review as well.
If not, then you can merge it.

@cendhu cendhu left a comment

LGTM.

In Fabric, the tlscacert can be provided in the config block as well as through the local config of the executable. We need to understand the reasoning and employ the same here in the subsequent PRs if needed.

case OneSideTLSMode, MutualTLSMode:
tlsCfg := &tls.Config{
MinVersion: DefaultTLSMinVersion,
ClientAuth: tls.NoClientCert,
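
Review bot: in the tls.Config literal under `case OneSideTLSMode, MutualTLSMode:`, `ClientAuth: tls.NoClientCert` is the starting value for both modes, so mutual TLS is enforced only if a later statement overrides it; these lines show neither tls.RequireAndVerifyClientCert nor a ClientCAs pool. Setting ClientAuth explicitly per mode inside this switch, and adding a test in which a client without a certificate is rejected in MutualTLSMode, would keep a missed override from silently downgrading the server to one-sided TLS.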

MutualTLS requires both the server and the client to authenticate each other using certificates.

I noticed line 119 to enable this. We can remove this and add it as an else part in line 120.
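
The effect of the server's ClientAuth value discussed in this thread, as an added Go example that is not code from this PR or from the committer project: it runs one handshake over loopback and returns the server-side result for a given ClientAuth setting. The helper names, the throwaway self-signed "localhost" certificate and the tls.VersionTLS12 floor are assumptions (the PR uses its own DefaultTLSMinVersion).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSigned (hypothetical helper) returns a throwaway "localhost" certificate, constructed for this example, and a pool trusting it.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// serverVerdict (hypothetical helper) serves one loopback connection and returns the server-side handshake error; TLS 1.2 floor is assumed.
func serverVerdict(auth tls.ClientAuthType, cert tls.Certificate, cas *x509.CertPool, cli *tls.Config) error {
	srv := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cert}, ClientAuth: auth, ClientCAs: cas}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // client side
		if c, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil {
			c.Read(make([]byte, 1)) // returns once the server sends an alert or closes
			c.Close()
		}
	}()
	c, err := ln.Accept()
	if err != nil {
		return err
	}
	defer c.Close()
	return c.(*tls.Conn).Handshake()
}

func main() {
	cert, pool := selfSigned()
	fmt.Println(serverVerdict(tls.RequireAndVerifyClientCert, cert, pool, &tls.Config{RootCAs: pool, ServerName: "localhost"}))
}
```

With tls.RequireAndVerifyClientCert the handshake fails for a client that presents no certificate or one the ClientCAs pool does not trust, while tls.NoClientCert accepts both.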


type (
// ClientConfig contains the endpoints, CAs, and retry profile.
// MultiClientConfig contains the endpoints, CAs, and retry profile.

CAs or TLSConfig?

// ClientConfig contains the endpoints, CAs, and retry profile.
// MultiClientConfig contains the endpoints, CAs, and retry profile.
// This config allows the support of number of different endpoints to multiple service instances.
MultiClientConfig struct {

Earlier, we have used ClientConfig with Endpoints []*Endpoint. Anyway, I prefer the proposed changes as they are explicit about the content of the struct.

@cendhu cendhu merged commit 06784e2 into hyperledger:main Sep 16, 2025
12 checks passed
@liran-funaro liran-funaro linked an issue Oct 30, 2025 that may be closed by this pull request
@dean-amar dean-amar deleted the tls-addition branch March 17, 2026 11:56
Labels

  • enhancement: New feature or request

Development

Successfully merging this pull request may close these issues:

  • [loadgen] add TLS to the loadgen adapters
  • Client config with TLS config instead of endpoints
  • Secure Communication Between Components/Services

4 participants