[committer] Secure Committer Communication with TLS and mTLS

cmd/config/app_config_test.go

@@ -41,17 +41,15 @@ func TestReadConfigSidecar(t *testing.T) {
 		name:           "default",
 		configFilePath: emptyConfig(t),
 		expectedConfig: &sidecar.Config{
-			Server:     makeServer("localhost", 4001),
-			Monitoring: makeMonitoring("localhost", 2114),
+			Server:     newServerConfig("localhost", 4001),
+			Monitoring: newMonitoringConfig("localhost", 2114),
 			Orderer: ordererconn.Config{
 				Connection: ordererconn.ConnectionConfig{
-					Endpoints: ordererconn.NewEndpoints(0, "", makeServer("localhost", 7050)),
+					Endpoints: ordererconn.NewEndpoints(0, "", newServerConfig("localhost", 7050)),
 				},
 				ChannelID: "mychannel",
 			},
-			Committer: sidecar.CoordinatorConfig{
-				Endpoint: *makeEndpoint("localhost", 9001),
-			},
+			Committer: newClientConfig("localhost", 9001),
 			Ledger: sidecar.LedgerConfig{
 				Path: "./ledger/",
 			},
@@ -67,7 +65,7 @@ func TestReadConfigSidecar(t *testing.T) {
 		configFilePath: "samples/sidecar.yaml",
 		expectedConfig: &sidecar.Config{
 			Server: &connection.ServerConfig{
-				Endpoint: *makeEndpoint("", 4001),
+				Endpoint: *newEndpoint("", 4001),
 				KeepAlive: &connection.ServerKeepAliveConfig{
 					Params: &connection.ServerKeepAliveParamsConfig{
 						Time:    300 * time.Second,
@@ -79,18 +77,16 @@ func TestReadConfigSidecar(t *testing.T) {
 					},
 				},
 			},
-			Monitoring: makeMonitoring("", 2114),
+			Monitoring: newMonitoringConfig("", 2114),
 			Orderer: ordererconn.Config{
 				Connection: ordererconn.ConnectionConfig{
 					Endpoints: ordererconn.NewEndpoints(
-						0, "", makeServer("ordering-service", 7050),
+						0, "", newServerConfig("ordering-service", 7050),
 					),
 				},
 				ChannelID: "mychannel",
 			},
-			Committer: sidecar.CoordinatorConfig{
-				Endpoint: *makeEndpoint("coordinator", 9001),
-			},
+			Committer: newClientConfig("coordinator", 9001),
 			Ledger: sidecar.LedgerConfig{
 				Path: "/root/sc/ledger",
 			},
@@ -124,9 +120,9 @@ func TestReadConfigCoordinator(t *testing.T) {
 		name:           "default",
 		configFilePath: emptyConfig(t),
 		expectedConfig: &coordinator.Config{
-			Server:     makeServer("localhost", 9001),
-			Monitoring: makeMonitoring("localhost", 2119),
-			DependencyGraphConfig: &coordinator.DependencyGraphConfig{
+			Server:     newServerConfig("localhost", 9001),
+			Monitoring: newMonitoringConfig("localhost", 2119),
+			DependencyGraph: &coordinator.DependencyGraphConfig{
 				NumOfLocalDepConstructors: 1,
 				WaitingTxsLimit:           100_000,
 			},
@@ -136,15 +132,11 @@ func TestReadConfigCoordinator(t *testing.T) {
 		name:           "sample",
 		configFilePath: "samples/coordinator.yaml",
 		expectedConfig: &coordinator.Config{
-			Server:     makeServer("", 9001),
-			Monitoring: makeMonitoring("", 2119),
-			VerifierConfig: connection.ClientConfig{
-				Endpoints: []*connection.Endpoint{makeEndpoint("signature-verifier", 5001)},
-			},
-			ValidatorCommitterConfig: connection.ClientConfig{
-				Endpoints: []*connection.Endpoint{makeEndpoint("validator-persister", 6001)},
-			},
-			DependencyGraphConfig: &coordinator.DependencyGraphConfig{
+			Server:             newServerConfig("", 9001),
+			Monitoring:         newMonitoringConfig("", 2119),
+			Verifier:           newMultiClientConfig("signature-verifier", 5001),
+			ValidatorCommitter: newMultiClientConfig("validator-persister", 6001),
+			DependencyGraph: &coordinator.DependencyGraphConfig{
 				NumOfLocalDepConstructors: 1,
 				WaitingTxsLimit:           100_000,
 			},
@@ -174,8 +166,8 @@ func TestReadConfigVC(t *testing.T) {
 		name:           "default",
 		configFilePath: emptyConfig(t),
 		expectedConfig: &vc.Config{
-			Server:     makeServer("localhost", 6001),
-			Monitoring: makeMonitoring("localhost", 2116),
+			Server:     newServerConfig("localhost", 6001),
+			Monitoring: newMonitoringConfig("localhost", 2116),
 			Database:   defaultDBConfig(),
 			ResourceLimits: &vc.ResourceLimitsConfig{
 				MaxWorkersForPreparer:             1,
@@ -189,8 +181,8 @@ func TestReadConfigVC(t *testing.T) {
 		name:           "sample",
 		configFilePath: "samples/vcservice.yaml",
 		expectedConfig: &vc.Config{
-			Server:     makeServer("", 6001),
-			Monitoring: makeMonitoring("", 2116),
+			Server:     newServerConfig("", 6001),
+			Monitoring: newMonitoringConfig("", 2116),
 			Database:   defaultSampleDBConfig(),
 			ResourceLimits: &vc.ResourceLimitsConfig{
 				MaxWorkersForPreparer:             1,
@@ -224,8 +216,8 @@ func TestReadConfigVerifier(t *testing.T) {
 		name:           "default",
 		configFilePath: emptyConfig(t),
 		expectedConfig: &verifier.Config{
-			Server:     makeServer("localhost", 5001),
-			Monitoring: makeMonitoring("localhost", 2115),
+			Server:     newServerConfig("localhost", 5001),
+			Monitoring: newMonitoringConfig("localhost", 2115),
 			ParallelExecutor: verifier.ExecutorConfig{
 				Parallelism:       4,
 				BatchSizeCutoff:   50,
@@ -237,8 +229,8 @@ func TestReadConfigVerifier(t *testing.T) {
 		name:           "sample",
 		configFilePath: "samples/sigservice.yaml",
 		expectedConfig: &verifier.Config{
-			Server:     makeServer("", 5001),
-			Monitoring: makeMonitoring("", 2115),
+			Server:     newServerConfig("", 5001),
+			Monitoring: newMonitoringConfig("", 2115),
 			ParallelExecutor: verifier.ExecutorConfig{
 				BatchSizeCutoff:   50,
 				BatchTimeCutoff:   10 * time.Millisecond,
@@ -270,8 +262,8 @@ func TestReadConfigQuery(t *testing.T) {
 		name:           "default",
 		configFilePath: emptyConfig(t),
 		expectedConfig: &query.Config{
-			Server:                makeServer("localhost", 7001),
-			Monitoring:            makeMonitoring("localhost", 2117),
+			Server:                newServerConfig("localhost", 7001),
+			Monitoring:            newMonitoringConfig("localhost", 2117),
 			Database:              defaultDBConfig(),
 			MinBatchKeys:          1024,
 			MaxBatchWait:          100 * time.Millisecond,
@@ -283,8 +275,8 @@ func TestReadConfigQuery(t *testing.T) {
 		name:           "sample",
 		configFilePath: "samples/queryservice.yaml",
 		expectedConfig: &query.Config{
-			Server:                makeServer("", 7001),
-			Monitoring:            makeMonitoring("", 2117),
+			Server:                newServerConfig("", 7001),
+			Monitoring:            newMonitoringConfig("", 2117),
 			Database:              defaultSampleDBConfig(),
 			MinBatchKeys:          1024,
 			MaxBatchWait:          100 * time.Millisecond,
@@ -316,18 +308,18 @@ func TestReadConfigLoadGen(t *testing.T) {
 		name:           "default",
 		configFilePath: emptyConfig(t),
 		expectedConfig: &loadgen.ClientConfig{
-			Server: makeServer("localhost", 8001),
+			Server: newServerConfig("localhost", 8001),
 			Monitoring: metrics.Config{
-				Config: makeMonitoring("localhost", 2118),
+				Config: newMonitoringConfig("localhost", 2118),
 			},
 		},
 	}, {
 		name:           "sample",
 		configFilePath: "samples/loadgen.yaml",
 		expectedConfig: &loadgen.ClientConfig{
-			Server: makeServer("", 8001),
+			Server: newServerConfig("", 8001),
 			Monitoring: metrics.Config{
-				Config: makeMonitoring("", 2118),
+				Config: newMonitoringConfig("", 2118),
 				Latency: metrics.LatencyConfig{
 					SamplerConfig: metrics.SamplerConfig{
 						Portion: 0.01,
@@ -341,11 +333,11 @@ func TestReadConfigLoadGen(t *testing.T) {
 			},
 			Adapter: adapters.AdapterConfig{
 				OrdererClient: &adapters.OrdererClientConfig{
-					SidecarEndpoint: makeEndpoint("sidecar", 4001),
+					SidecarClient: newClientConfig("sidecar", 4001),
 					Orderer: ordererconn.Config{
 						Connection: ordererconn.ConnectionConfig{
 							Endpoints: ordererconn.NewEndpoints(
-								0, "", makeServer("ordering-service", 7050),
+								0, "", newServerConfig("ordering-service", 7050),
 							),
 						},
 						ChannelID:     "mychannel",
@@ -373,7 +365,7 @@ func TestReadConfigLoadGen(t *testing.T) {
 							ID:       0,
 							MspID:    "org",
 							API:      []string{"broadcast", "deliver"},
-							Endpoint: *makeEndpoint("ordering-service", 7050),
+							Endpoint: *newEndpoint("ordering-service", 7050),
 						}},
 					},
 				},
@@ -385,7 +377,7 @@ func TestReadConfigLoadGen(t *testing.T) {
 			},
 			Stream: &workload.StreamOptions{
 				RateLimit: &workload.LimiterConfig{
-					Endpoint:     *makeEndpoint("", 6997),
+					Endpoint:     *newEndpoint("", 6997),
 					InitialLimit: 10_000,
 				},
 				BuffersSize: 10,
@@ -415,7 +407,7 @@ func TestReadConfigLoadGen(t *testing.T) {
 
 func defaultDBConfig() *vc.DatabaseConfig {
 	return &vc.DatabaseConfig{
-		Endpoints:      []*connection.Endpoint{makeEndpoint("localhost", 5433)},
+		Endpoints:      []*connection.Endpoint{newEndpoint("localhost", 5433)},
 		Username:       "yugabyte",
 		Password:       "yugabyte",
 		Database:       "yugabyte",
@@ -429,7 +421,7 @@ func defaultDBConfig() *vc.DatabaseConfig {
 
 func defaultSampleDBConfig() *vc.DatabaseConfig {
 	return &vc.DatabaseConfig{
-		Endpoints:      []*connection.Endpoint{makeEndpoint("db", 5433)},
+		Endpoints:      []*connection.Endpoint{newEndpoint("db", 5433)},
 		Username:       "yugabyte",
 		Password:       "yugabyte",
 		Database:       "yugabyte",
@@ -446,21 +438,37 @@ func defaultSampleDBConfig() *vc.DatabaseConfig {
 	}
 }
 
-func makeEndpoint(host string, port int) *connection.Endpoint {
-	return &connection.Endpoint{
-		Host: host,
-		Port: port,
+func newClientConfig(host string, port int) *connection.ClientConfig {
+	return &connection.ClientConfig{
+		Endpoint: newEndpoint(host, port),
+	}
+}
+
+func newMultiClientConfig(host string, port int) connection.MultiClientConfig {
+	return connection.MultiClientConfig{
+		Endpoints: []*connection.Endpoint{
+			newEndpoint(host, port),
+		},
+	}
+}
+
+func newMonitoringConfig(host string, port int) monitoring.Config {
+	return monitoring.Config{
+		Server: newServerConfig(host, port),
 	}
 }
 
-func makeServer(host string, port int) *connection.ServerConfig {
+func newServerConfig(host string, port int) *connection.ServerConfig {
 	return &connection.ServerConfig{
-		Endpoint: *makeEndpoint(host, port),
+		Endpoint: *newEndpoint(host, port),
 	}
 }
 
-func makeMonitoring(host string, port int) monitoring.Config {
-	return monitoring.Config{Server: makeServer(host, port)}
+func newEndpoint(host string, port int) *connection.Endpoint {
+	return &connection.Endpoint{
+		Host: host,
+		Port: port,
+	}
 }
 
 func emptyConfig(t *testing.T) string {

cmd/config/cobra_test_exports.go

@@ -26,6 +26,7 @@ import (
 	"github.com/hyperledger/fabric-x-committer/service/vc/dbtest"
 	"github.com/hyperledger/fabric-x-committer/utils/connection"
 	"github.com/hyperledger/fabric-x-committer/utils/logging"
+	"github.com/hyperledger/fabric-x-committer/utils/test"
 )
 
 // CommandTest is a struct that represents a CMD unit test.
@@ -47,7 +48,7 @@ func StartDefaultSystem(t *testing.T) SystemConfig {
 	_, orderer := mock.StartMockOrderingServices(t, &mock.OrdererConfig{NumService: 1})
 	_, coordinator := mock.StartMockCoordinatorService(t)
 	conn := dbtest.PrepareTestEnv(t)
-	server := connection.NewLocalHostServer()
+	server := connection.NewLocalHostServerWithTLS(test.InsecureTLSConfig)
 	listen, err := server.Listener()
 	require.NoError(t, err)
 	connection.CloseConnectionsLog(listen)

cmd/config/create_config_file.go

@@ -31,6 +31,11 @@ type (
 		// Instance endpoints.
 		ServiceEndpoints ServiceEndpoints
 
+		// ServiceTLS holds the TLS configuration for a service.
+		ServiceTLS connection.TLSConfig
+		// ClientTLS holds the TLS configuration used by a service when acting as a client to other services.
+		ClientTLS connection.TLSConfig
+
 		// System's resources.
 		Endpoints SystemEndpoints
 		DB        DatabaseConfig

cmd/config/samples/loadgen.yaml

@@ -16,7 +16,8 @@ monitoring:
       bucket-count: 1000
 
 orderer-client:
-  sidecar-endpoint: sidecar:4001
+  sidecar-client:
+    endpoint: sidecar:4001
   orderer:
     connection:
       endpoints:

cmd/config/templates/coordinator.yaml

@@ -4,6 +4,14 @@
 #
 server:
   endpoint: {{ .ServiceEndpoints.Server | default "localhost:0" }}
+  tls:
+    mode: {{ .ServiceTLS.Mode }}
+    key-path: {{ .ServiceTLS.KeyPath }}
+    cert-path: {{ .ServiceTLS.CertPath }}
+    ca-cert-paths:
+      {{- range .ServiceTLS.CACertPaths }}
+      - {{ . }}
+      {{- end }}
 monitoring:
   server:
     endpoint: {{ .ServiceEndpoints.Metrics | default "localhost:0" }}
@@ -13,11 +21,20 @@ verifier:
     {{- range .Endpoints.Verifier }}
     - {{ .Server }}
     {{- end }}
+  tls: &ClientCreds
+    mode: {{ .ClientTLS.Mode }}
+    key-path: {{ .ClientTLS.KeyPath }}
+    cert-path: {{ .ClientTLS.CertPath }}
+    ca-cert-paths:
+      {{- range .ClientTLS.CACertPaths }}
+      - {{ . }}
+      {{- end }}
 validator-committer:
   endpoints:
    {{- range .Endpoints.VCService }}
     - {{ .Server }}
    {{- end }}
+  tls: *ClientCreds
 
 dependency-graph:
   num-of-local-dep-constructors: 1

cmd/config/templates/loadgen_client_coordinator.yaml

@@ -7,3 +7,11 @@
 
 coordinator-client:
   endpoint: {{ .Endpoints.Coordinator.Server }}
+  tls:
+    mode: {{ .ClientTLS.Mode }}
+    key-path: {{ .ClientTLS.KeyPath }}
+    cert-path: {{ .ClientTLS.CertPath }}
+    ca-cert-paths:
+      {{- range .ClientTLS.CACertPaths }}
+      - {{ . }}
+      {{- end }}

cmd/config/templates/loadgen_client_distributed_loadgen.yaml

@@ -7,3 +7,11 @@
 
 loadgen-client:
   endpoint: {{ .Endpoints.LoadGen.Server }}
+  tls:
+    mode: {{ .ClientTLS.Mode }}
+    key-path: {{ .ClientTLS.KeyPath }}
+    cert-path: {{ .ClientTLS.CertPath }}
+    ca-cert-paths:
+      {{- range .ClientTLS.CACertPaths }}
+      - {{ . }}
+      {{- end }}

cmd/config/templates/loadgen_client_orderer.yaml

@@ -6,7 +6,16 @@
 # It should be complimented by the common load generator configuration.
 
 orderer-client:
-  sidecar-endpoint: {{ .Endpoints.Sidecar.Server }}
+  sidecar-client:
+    endpoint: {{ .Endpoints.Sidecar.Server }}
+    tls:
+      mode: {{ .ClientTLS.Mode }}
+      key-path: {{ .ClientTLS.KeyPath }}
+      cert-path: {{ .ClientTLS.CertPath }}
+      ca-cert-paths:
+        {{- range .ClientTLS.CACertPaths }}
+        - {{ . }}
+        {{- end }}
   orderer:
     connection:
       endpoints: