[database] Add TLS support for database connections #159

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

dean-amar merged 26 commits into hyperledger:main from dean-amar:database-tls

Nov 11, 2025

Contributor

dean-amar commented Oct 22, 2025 •

edited

Loading

Type of change

New feature
Improvement (improvement to code, performance, etc)
Test update

Description

Add support for DB connection with TLS.
Add a secured database node creation (PostgreSQL or YugabyteDB).
Add file extensions to the TLS certificates.

Related issues

Resolves Enable TLS Authentication for YugabyteDB #24
Resolves Enable TLS Authentication for PostgreSQL #25

dean-amar added 4 commits

October 21, 2025 17:59


          Added suppoer for YugabyteDB or PostgreSQL secure db node for the rel…

6ba2360

…ease-image-integration-test.

Signed-off-by: Dean Amar <[email protected]>


          * fixed template issues.

Signed-off-by: Dean Amar <[email protected]>


          * Semantic and code-hygiene changes.

30392ae

Signed-off-by: Dean Amar <[email protected]>


          * rebased with main.

91cda7f

Signed-off-by: Dean Amar <[email protected]>

dean-amar added enhancement security labels

dean-amar added 5 commits

October 30, 2025 13:19


          * updated according to main.

0a5f202

Signed-off-by: Dean Amar <[email protected]>


          * minor semantic change.

b0d5ad6

Signed-off-by: Dean Amar <[email protected]>


          * changed tls field to 'mode' - match the services tls configs.

3f8c875

Signed-off-by: Dean Amar <[email protected]>


          * improved code readability.

61b0fc5

Signed-off-by: Dean Amar <[email protected]>


          * code rebase.

dcbe443

Signed-off-by: Dean Amar <[email protected]>

dean-amar marked this pull request as ready for review

October 30, 2025 17:31

dean-amar requested a review from liran-funaro

October 30, 2025 17:31

liran-funaro reviewed

View reviewed changes

docker/test/container_release_image_test.go Outdated Show resolved Hide resolved

cmd/config/samples/query.yaml Outdated Show resolved Hide resolved

docker/test/container_release_image_test.go Outdated Show resolved Hide resolved

docker/test/container_release_image_test.go Outdated Show resolved Hide resolved

docker/test/container_release_image_test.go Outdated Show resolved Hide resolved

service/vc/dbtest/connection.go Outdated Show resolved Hide resolved

service/vc/config.go Show resolved Hide resolved

utils/test/secure_connection.go Outdated Show resolved Hide resolved

utils/test/secure_connection.go Outdated Show resolved Hide resolved

utils/test/secure_connection.go Outdated Show resolved Hide resolved

dean-amar added 7 commits

November 3, 2025 21:01


          * Addressed PR comments.

dd329ec

Signed-off-by: Dean Amar <[email protected]>


          * Minor issues fixed.

Signed-off-by: Dean Amar <[email protected]>


          * Revert to serial scripts execution.

b35994d

Signed-off-by: Dean Amar <[email protected]>


          * preset permissions to certificates

8ee290b

Signed-off-by: Dean Amar <[email protected]>


          * revert latest changes.

21af124

Signed-off-by: Dean Amar <[email protected]>


          * Addressed PR comments.

8818efd

Signed-off-by: Dean Amar <[email protected]>


          * Rebased with main.

25ca8b1

Signed-off-by: Dean Amar <[email protected]>

dean-amar requested a review from liran-funaro

November 4, 2025 12:01


          * Code hygiene.

e391bc3

Signed-off-by: Dean Amar <[email protected]>

liran-funaro reviewed

View reviewed changes

docker/test/container_release_image_test.go Outdated Show resolved Hide resolved

utils/test/utils.go Outdated Show resolved Hide resolved

utils/connection/client_util.go Outdated Show resolved Hide resolved

utils/connection/config.go Outdated Show resolved Hide resolved

service/vc/dbtest/container.go Show resolved Hide resolved

service/vc/dbtest/container.go Outdated

    
              // is ready to accept connections.

              // It repeatedly executes `pg_isready` until the command

              // returns a successful exit code (0) or the timeout is reached.

              func (dc *DatabaseContainer) EnsurePostgresNodeReadiness(t *testing.T, port string) {

Contributor

liran-funaro Nov 10, 2025

YugabyteDB should support pg_isready

Contributor Author

dean-amar Nov 10, 2025

It is, but not naturally. We need to export the path to its postgres tools. It's easier to monitor its readiness by its logs.

service/vc/dbtest/container.go Outdated Show resolved Hide resolved

service/vc/dbtest/container.go Outdated

    
              func (dc *DatabaseContainer) ReadPasswordFromContainer(t *testing.T, filePath string) string {

              	t.Helper()

              	output, exitCode := dc.ExecuteCommand(t, []string{"cat", filePath})

              	require.Zero(t, exitCode)

Contributor

liran-funaro Nov 10, 2025

major: If the file doesn't exist, it fails the test.
But if it exists, and doesn't contain the password, it won't fail the tests.
This inconsistency is not justified.
Please fix or add a comment to justify this.

Contributor Author

dean-amar Nov 10, 2025 •

edited

Loading

We use this method only when a secured YugabyteDB node is started. If the file doesn’t exist, the test should fail. If the file exists but doesn’t contain a password, we fall back to the default password.

I'll add the above to the function's comment.

Contributor

liran-funaro Nov 11, 2025

But if we try the default password for the secured test, it will not work, right? So, isn't it best to fail the test?

Contributor Author

dean-amar Nov 11, 2025

Actually, I’m not sure how the database behaves in that case, but for consistency, we’ll fail the test in this scenario as well.

service/vc/dbtest/container.go Show resolved Hide resolved

service/vc/dbtest/container.go Outdated Show resolved Hide resolved

liran-funaro reviewed

View reviewed changes

docker/test/container_release_image_test.go Outdated Show resolved Hide resolved

dean-amar added 3 commits

November 10, 2025 18:06


          * Addressed PR comments.

64d8575

Signed-off-by: Dean Amar <[email protected]>


          * Addressed PR comments.

a43e199

Signed-off-by: Dean Amar <[email protected]>


          * Updated according to upstream.

5de4bd8

Signed-off-by: Dean Amar <[email protected]>

dean-amar requested a review from liran-funaro

November 10, 2025 16:22


          * minor documentation update.

389f4ee

Signed-off-by: Dean Amar <[email protected]>

dean-amar added 5 commits

November 11, 2025 12:56


          * Addressed PR's comments.

0f6e259

Signed-off-by: Dean Amar <[email protected]>


          * rebased to main.

4e0ae75

Signed-off-by: Dean Amar <[email protected]>


          * minor changes and mock-orderer yaml correction.

de0d451

Signed-off-by: Dean Amar <[email protected]>


          * rebased to main.

7ec9414

Signed-off-by: Dean Amar <[email protected]>


          * linter issue fixed.

5a8c41f

Signed-off-by: Dean Amar <[email protected]>

dean-amar merged commit 2f40bb4 into hyperledger:main

12 checks passed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement security