
Commit 2f40bb4

authored
[database] Add TLS support for database connections (#159)
#### Type of change - New feature - Improvement (improvement to code, performance, etc) - Test update #### Description - Add support for database connections over TLS. - Add creation of a TLS-secured database node (PostgreSQL or YugabyteDB). - Add `.pem` file extensions to the TLS certificate and key paths. #### Related issues - Resolves #24 - Resolves #25 --------- Signed-off-by: Dean Amar <[email protected]>
1 parent 8d2b382 commit 2f40bb4

30 files changed

+440
-164
lines changed

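--- a/cmd/config/app_config_test.go
+++ b/cmd/config/app_config_test.go
@@ -26,6 +26,7 @@ import (
 "github.com/hyperledger/fabric-x-committer/service/vc"
 "github.com/hyperledger/fabric-x-committer/service/verifier"
 "github.com/hyperledger/fabric-x-committer/utils/connection"
+"github.com/hyperledger/fabric-x-committer/utils/dbconn"
 "github.com/hyperledger/fabric-x-committer/utils/monitoring"
 "github.com/hyperledger/fabric-x-committer/utils/ordererconn"
 "github.com/hyperledger/fabric-x-committer/utils/signature"
@@ -34,18 +35,18 @@ import (
 var (
 defaultServerTLSConfig = connection.TLSConfig{
 Mode: connection.MutualTLSMode,
-CertPath: "/server-certs/public-key",
-KeyPath: "/server-certs/private-key",
+CertPath: "/server-certs/public-key.pem",
+KeyPath: "/server-certs/private-key.pem",
 CACertPaths: []string{
-"/server-certs/ca-certificate",
+"/server-certs/ca-certificate.pem",
 },
 }
 defaultClientTLSConfig = connection.TLSConfig{
 Mode: connection.MutualTLSMode,
-CertPath: "/client-certs/public-key",
-KeyPath: "/client-certs/private-key",
+CertPath: "/client-certs/public-key.pem",
+KeyPath: "/client-certs/private-key.pem",
 CACertPaths: []string{
-"/client-certs/ca-certificate",
+"/client-certs/ca-certificate.pem",
 },
 }
 )
@@ -445,10 +446,14 @@ func defaultDBConfig() *vc.DatabaseConfig {
 
 func defaultSampleDBConfig() *vc.DatabaseConfig {
 return &vc.DatabaseConfig{
-Endpoints: []*connection.Endpoint{newEndpoint("db", 5433)},
-Username: "yugabyte",
-Password: "yugabyte",
-Database: "yugabyte",
+Endpoints: []*connection.Endpoint{newEndpoint("db", 5433)},
+Username: "yugabyte",
+Password: "yugabyte",
+Database: "yugabyte",
+TLS: dbconn.DatabaseTLSConfig{
+Mode: connection.OneSideTLSMode,
+CACertPath: "/server-certs/ca-certificate.pem",
+},
 MaxConnections: 10,
 MinConnections: 5,
 LoadBalance: false,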

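--- a/cmd/config/cobra_test_exports.go
+++ b/cmd/config/cobra_test_exports.go
@@ -64,8 +64,8 @@ func StartDefaultSystem(t *testing.T) SystemConfig {
 },
 DB: DatabaseConfig{
 Name: conn.Database,
-LoadBalance: false,
 Endpoints: conn.Endpoints,
+LoadBalance: false,
 },
 Policy: &workload.PolicyProfile{
 ChannelID: "channel1",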

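--- a/cmd/config/create_config_file.go
+++ b/cmd/config/create_config_file.go
@@ -22,6 +22,7 @@ import (
 
 "github.com/hyperledger/fabric-x-committer/loadgen/workload"
 "github.com/hyperledger/fabric-x-committer/utils/connection"
+"github.com/hyperledger/fabric-x-committer/utils/dbconn"
 "github.com/hyperledger/fabric-x-committer/utils/logging"
 )
 
@@ -72,8 +73,10 @@ type (
 // DatabaseConfig represents the used DB.
 DatabaseConfig struct {
 Name string
+Password string
 LoadBalance bool
 Endpoints []*connection.Endpoint
+TLS dbconn.DatabaseTLSConfig
 }
 )
 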
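Review bot: The new `Password string` and `TLS dbconn.DatabaseTLSConfig` fields on `DatabaseConfig` carry no doc comments, and because this type feeds the config-file generator (the file is `create_config_file.go`), the password will presumably be rendered in clear text into whatever config files are produced. The sample configs touched by this same commit still say `# TODO: pass password via environment variable`, so the field should at least make that visible: `Password string // DB password; rendered verbatim into the generated config — prefer injecting it from the environment at deploy time`. A short comment on `TLS` stating which mode its zero value selects would also help, since a generator caller that leaves it unset will silently get that default; the default is not visible in this hunk and should be confirmed against `dbconn`.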

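--- a/cmd/config/samples/coordinator.yaml
+++ b/cmd/config/samples/coordinator.yaml
@@ -6,10 +6,10 @@ server:
 endpoint: :9001
 tls:
 mode: mtls
-cert-path: /server-certs/public-key
-key-path: /server-certs/private-key
+cert-path: /server-certs/public-key.pem
+key-path: /server-certs/private-key.pem
 ca-cert-paths:
-- /server-certs/ca-certificate
+- /server-certs/ca-certificate.pem
 monitoring:
 server:
 endpoint: :2119
@@ -19,10 +19,10 @@ verifier:
 - verifier:5001
 tls: &ClientTLS
 mode: mtls
-cert-path: /client-certs/public-key
-key-path: /client-certs/private-key
+cert-path: /client-certs/public-key.pem
+key-path: /client-certs/private-key.pem
 ca-cert-paths:
-- /client-certs/ca-certificate
+- /client-certs/ca-certificate.pem
 validator-committer:
 endpoints:
 - vc:6001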

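--- a/cmd/config/samples/loadgen.yaml
+++ b/cmd/config/samples/loadgen.yaml
@@ -6,10 +6,10 @@ server:
 endpoint: :8001
 tls:
 mode: mtls
-cert-path: /server-certs/public-key
-key-path: /server-certs/private-key
+cert-path: /server-certs/public-key.pem
+key-path: /server-certs/private-key.pem
 ca-cert-paths:
-- /server-certs/ca-certificate
+- /server-certs/ca-certificate.pem
 monitoring:
 server:
 endpoint: :2118
@@ -26,10 +26,10 @@ orderer-client:
 endpoint: sidecar:4001
 tls: &clientTLS
 mode: mtls
-cert-path: /client-certs/public-key
-key-path: /client-certs/private-key
+cert-path: /client-certs/public-key.pem
+key-path: /client-certs/private-key.pem
 ca-cert-paths:
-- /client-certs/ca-certificate
+- /client-certs/ca-certificate.pem
 orderer:
 connection:
 endpoints: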

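--- a/cmd/config/samples/mock-orderer.yaml
+++ b/cmd/config/samples/mock-orderer.yaml
@@ -6,10 +6,10 @@ server:
 endpoint: :7050
 tls:
 mode: mtls
-cert-path: /server-certs/public-key
-key-path: /server-certs/private-key
+cert-path: /server-certs/public-key.pem
+key-path: /server-certs/private-key.pem
 ca-cert-paths:
-- /server-certs/ca-certificate
+- /server-certs/ca-certificate.pem
 
 block-size: 1024
 block-timeout: 30s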

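--- a/cmd/config/samples/query.yaml
+++ b/cmd/config/samples/query.yaml
@@ -8,11 +8,10 @@ server:
 endpoint: :7001
 tls:
 mode: mtls
-cert-path: /server-certs/public-key
-key-path: /server-certs/private-key
+cert-path: /server-certs/public-key.pem
+key-path: /server-certs/private-key.pem
 ca-cert-paths:
-- /server-certs/ca-certificate
-# Credentials for the server
+- /server-certs/ca-certificate.pem
 monitoring:
 server:
 endpoint: :2117
@@ -24,6 +23,9 @@ database:
 # TODO: pass password via environment variable
 password: "yugabyte" # The password for the database
 database: "yugabyte" # The database name
+tls:
+mode: tls
+ca-cert-path: /server-certs/ca-certificate.pem
 max-connections: 10 # The maximum size of the connection pool
 min-connections: 5 # The minimum size of the connection pool
 load-balance: false # Should be enabled for DB cluster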
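Review bot: The new `tls:` block under `database:` is one-sided: only `ca-cert-path` is given, so the client verifies the database's certificate against that CA but presents no certificate of its own, whereas every other `tls:` block in these samples uses `mtls`. The database therefore still authenticates this service purely by the `password` two lines above, which the same file flags with `# TODO: pass password via environment variable`. Since the two modes read alike, the line should say so: `mode: tls # server-authenticated only; the DB relies on the password above to authenticate this client`. Whether this mode also checks the server's hostname against its certificate (verify-full vs. verify-ca in PostgreSQL terms) is not visible in this commit and would be worth documenting next to it.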

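--- a/cmd/config/samples/sidecar.yaml
+++ b/cmd/config/samples/sidecar.yaml
@@ -6,10 +6,10 @@ server:
 endpoint: :4001
 tls:
 mode: mtls
-cert-path: /server-certs/public-key
-key-path: /server-certs/private-key
+cert-path: /server-certs/public-key.pem
+key-path: /server-certs/private-key.pem
 ca-cert-paths:
-- /server-certs/ca-certificate
+- /server-certs/ca-certificate.pem
 keep-alive:
 params:
 time: 300s
@@ -27,10 +27,10 @@ orderer:
 - broadcast,deliver,orderer:7050
 tls: &clientTLS
 mode: mtls
-cert-path: /client-certs/public-key
-key-path: /client-certs/private-key
+cert-path: /client-certs/public-key.pem
+key-path: /client-certs/private-key.pem
 ca-cert-paths:
-- /client-certs/ca-certificate
+- /client-certs/ca-certificate.pem
 channel-id: mychannel
 # identity:
 # root-ca-paths: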

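--- a/cmd/config/samples/vc.yaml
+++ b/cmd/config/samples/vc.yaml
@@ -8,11 +8,10 @@ server:
 endpoint: :6001
 tls:
 mode: mtls
-cert-path: /server-certs/public-key
-key-path: /server-certs/private-key
+cert-path: /server-certs/public-key.pem
+key-path: /server-certs/private-key.pem
 ca-cert-paths:
-- /server-certs/ca-certificate
-# Credentials for the server
+- /server-certs/ca-certificate.pem
 monitoring:
 server:
 endpoint: :2116
@@ -23,6 +22,9 @@ database:
 # TODO: pass password via environment variable
 password: "yugabyte" # The password for the database
 database: "yugabyte" # The database name
+tls:
+mode: tls
+ca-cert-path: /server-certs/ca-certificate.pem
 max-connections: 10 # The maximum size of the connection pool
 min-connections: 5 # The minimum size of the connection pool.
 load-balance: false # Should be enabled for DB cluster.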
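Review bot: The database `ca-cert-path` points at `/server-certs/ca-certificate.pem`, the same CA this file uses under `server.tls.ca-cert-paths` to validate the service's own peers, so the sample silently assumes the database server certificate is issued by the committer's service CA. That is presumably true for the sample deployment, but a reader copying this file into a setup where the database has its own CA will get a handshake failure with no hint why, and in the opposite direction it widens the set of certificates the DB client will accept. A comment on the line would make the coupling explicit: `ca-cert-path: /server-certs/ca-certificate.pem # CA that issued the database server certificate (shared with the service CA in this sample)`. The `database:` block itself begins above this hunk.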

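--- a/cmd/config/samples/verifier.yaml
+++ b/cmd/config/samples/verifier.yaml
@@ -6,10 +6,10 @@ server:
 endpoint: :5001
 tls:
 mode: mtls
-cert-path: /server-certs/public-key
-key-path: /server-certs/private-key
+cert-path: /server-certs/public-key.pem
+key-path: /server-certs/private-key.pem
 ca-cert-paths:
-- /server-certs/ca-certificate
+- /server-certs/ca-certificate.pem
 monitoring:
 server:
 endpoint: :2115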
