Skip to content

[database] Add TLS support for database connections #159

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 26 commits into from
Nov 11, 2025
Merged

[database] Add TLS support for database connections #159

Show file tree
Hide file tree
Changes from 17 commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
6ba2360
Added suppoer for YugabyteDB or PostgreSQL secure db node for the rel…
dean-amar Oct 21, 2025
2066839
* fixed template issues.
dean-amar Oct 21, 2025
30392ae
* Semantic and code-hygiene changes.
dean-amar Oct 22, 2025
91cda7f
* rebased with main.
dean-amar Oct 22, 2025
0a5f202
* updated according to main.
dean-amar Oct 30, 2025
b0d5ad6
* minor semantic change.
dean-amar Oct 30, 2025
3f8c875
* changed tls field to 'mode' - match the services tls configs.
dean-amar Oct 30, 2025
61b0fc5
* improved code readability.
dean-amar Oct 30, 2025
dcbe443
* code rebase.
dean-amar Oct 30, 2025
dd329ec
* Addressed PR comments.
dean-amar Nov 3, 2025
6171523
* Minor issues fixed.
dean-amar Nov 3, 2025
b35994d
* Revert to serial scripts execution.
dean-amar Nov 3, 2025
8ee290b
* preset permissions to certificates
dean-amar Nov 3, 2025
21af124
* revert latest changes.
dean-amar Nov 3, 2025
8818efd
* Addressed PR comments.
dean-amar Nov 4, 2025
25ca8b1
* Rebased with main.
dean-amar Nov 4, 2025
e391bc3
* Code hygiene.
dean-amar Nov 4, 2025
64d8575
* Addressed PR comments.
dean-amar Nov 10, 2025
a43e199
* Addressed PR comments.
dean-amar Nov 10, 2025
5de4bd8
* Updated according to upstream.
dean-amar Nov 10, 2025
389f4ee
* minor documentation update.
dean-amar Nov 10, 2025
0f6e259
* Addressed PR's comments.
dean-amar Nov 11, 2025
4e0ae75
* rebased to main.
dean-amar Nov 11, 2025
de0d451
* minor changes and mock-orderer yaml correction.
dean-amar Nov 11, 2025
7ec9414
* rebased to main.
dean-amar Nov 11, 2025
5a8c41f
* linter issue fixed.
dean-amar Nov 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 14 additions & 10 deletions cmd/config/app_config_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,18 +34,18 @@ import (
var (
defaultServerTLSConfig = connection.TLSConfig{
Mode: connection.MutualTLSMode,
CertPath: "/server-certs/public-key",
KeyPath: "/server-certs/private-key",
CertPath: "/server-certs/public-key.pem",
KeyPath: "/server-certs/private-key.pem",
CACertPaths: []string{
"/server-certs/ca-certificate",
"/server-certs/ca-certificate.pem",
},
}
defaultClientTLSConfig = connection.TLSConfig{
Mode: connection.MutualTLSMode,
CertPath: "/client-certs/public-key",
KeyPath: "/client-certs/private-key",
CertPath: "/client-certs/public-key.pem",
KeyPath: "/client-certs/private-key.pem",
CACertPaths: []string{
"/client-certs/ca-certificate",
"/client-certs/ca-certificate.pem",
},
}
)
Expand Down Expand Up @@ -443,10 +443,14 @@ func defaultDBConfig() *vc.DatabaseConfig {

func defaultSampleDBConfig() *vc.DatabaseConfig {
return &vc.DatabaseConfig{
Endpoints: []*connection.Endpoint{newEndpoint("db", 5433)},
Username: "yugabyte",
Password: "yugabyte",
Database: "yugabyte",
Endpoints: []*connection.Endpoint{newEndpoint("db", 5433)},
Username: "yugabyte",
Password: "yugabyte",
Database: "yugabyte",
TLS: connection.DatabaseTLSConfig{
Mode: connection.OneSideTLSMode,
CACertPath: "/server-certs/ca-certificate.pem",
},
MaxConnections: 10,
MinConnections: 5,
LoadBalance: false,
Expand Down
2 changes: 1 addition & 1 deletion cmd/config/cobra_test_exports.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,8 +64,8 @@ func StartDefaultSystem(t *testing.T) SystemConfig {
},
DB: DatabaseConfig{
Name: conn.Database,
LoadBalance: false,
Endpoints: conn.Endpoints,
LoadBalance: false,
},
Policy: &workload.PolicyProfile{
ChannelID: "channel1",
Expand Down
2 changes: 2 additions & 0 deletions cmd/config/create_config_file.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,10 @@ type (
// DatabaseConfig represents the used DB.
DatabaseConfig struct {
Name string
Password string
LoadBalance bool
Endpoints []*connection.Endpoint
TLS connection.DatabaseTLSConfig
}
)

Expand Down
12 changes: 6 additions & 6 deletions cmd/config/samples/coordinator.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,10 @@ server:
endpoint: :9001
tls:
mode: mtls
cert-path: /server-certs/public-key
key-path: /server-certs/private-key
cert-path: /server-certs/public-key.pem
key-path: /server-certs/private-key.pem
ca-cert-paths:
- /server-certs/ca-certificate
- /server-certs/ca-certificate.pem
monitoring:
server:
endpoint: :2119
Expand All @@ -19,10 +19,10 @@ verifier:
- verifier:5001
tls: &ClientTLS
mode: mtls
cert-path: /client-certs/public-key
key-path: /client-certs/private-key
cert-path: /client-certs/public-key.pem
key-path: /client-certs/private-key.pem
ca-cert-paths:
- /client-certs/ca-certificate
- /client-certs/ca-certificate.pem
validator-committer:
endpoints:
- vc:6001
Expand Down
12 changes: 6 additions & 6 deletions cmd/config/samples/loadgen.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,10 @@ server:
endpoint: :8001
tls:
mode: mtls
cert-path: /server-certs/public-key
key-path: /server-certs/private-key
cert-path: /server-certs/public-key.pem
key-path: /server-certs/private-key.pem
ca-cert-paths:
- /server-certs/ca-certificate
- /server-certs/ca-certificate.pem
monitoring:
server:
endpoint: :2118
Expand All @@ -26,10 +26,10 @@ orderer-client:
endpoint: sidecar:4001
tls:
mode: mtls
cert-path: /client-certs/public-key
key-path: /client-certs/private-key
cert-path: /client-certs/public-key.pem
key-path: /client-certs/private-key.pem
ca-cert-paths:
- /client-certs/ca-certificate
- /client-certs/ca-certificate.pem
orderer:
connection:
endpoints:
Expand Down
10 changes: 6 additions & 4 deletions cmd/config/samples/query.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,10 @@ server:
endpoint: :7001
tls:
mode: mtls
cert-path: /server-certs/public-key
key-path: /server-certs/private-key
cert-path: /server-certs/public-key.pem
key-path: /server-certs/private-key.pem
ca-cert-paths:
- /server-certs/ca-certificate
# Credentials for the server
- /server-certs/ca-certificate.pem
monitoring:
server:
endpoint: :2117
Expand All @@ -24,6 +23,9 @@ database:
# TODO: pass password via environment variable
password: "yugabyte" # The password for the database
database: "yugabyte" # The database name
tls:
mode: tls
ca-cert-path: /server-certs/ca-certificate.pem
max-connections: 10 # The maximum size of the connection pool
min-connections: 5 # The minimum size of the connection pool
load-balance: false # Should be enabled for DB cluster
Expand Down
12 changes: 6 additions & 6 deletions cmd/config/samples/sidecar.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,10 @@ server:
endpoint: :4001
tls:
mode: mtls
cert-path: /server-certs/public-key
key-path: /server-certs/private-key
cert-path: /server-certs/public-key.pem
key-path: /server-certs/private-key.pem
ca-cert-paths:
- /server-certs/ca-certificate
- /server-certs/ca-certificate.pem
keep-alive:
params:
time: 300s
Expand Down Expand Up @@ -40,10 +40,10 @@ committer:
endpoint: coordinator:9001
tls:
mode: mtls
cert-path: /client-certs/public-key
key-path: /client-certs/private-key
cert-path: /client-certs/public-key.pem
key-path: /client-certs/private-key.pem
ca-cert-paths:
- /client-certs/ca-certificate
- /client-certs/ca-certificate.pem
ledger:
path: /root/sc/ledger
notification:
Expand Down
10 changes: 6 additions & 4 deletions cmd/config/samples/vc.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,10 @@ server:
endpoint: :6001
tls:
mode: mtls
cert-path: /server-certs/public-key
key-path: /server-certs/private-key
cert-path: /server-certs/public-key.pem
key-path: /server-certs/private-key.pem
ca-cert-paths:
- /server-certs/ca-certificate
# Credentials for the server
- /server-certs/ca-certificate.pem
monitoring:
server:
endpoint: :2116
Expand All @@ -23,6 +22,9 @@ database:
# TODO: pass password via environment variable
password: "yugabyte" # The password for the database
database: "yugabyte" # The database name
tls:
mode: tls
ca-cert-path: /server-certs/ca-certificate.pem
max-connections: 10 # The maximum size of the connection pool
min-connections: 5 # The minimum size of the connection pool.
load-balance: false # Should be enabled for DB cluster.
Expand Down
6 changes: 3 additions & 3 deletions cmd/config/samples/verifier.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,10 @@ server:
endpoint: :5001
tls:
mode: mtls
cert-path: /server-certs/public-key
key-path: /server-certs/private-key
cert-path: /server-certs/public-key.pem
key-path: /server-certs/private-key.pem
ca-cert-paths:
- /server-certs/ca-certificate
- /server-certs/ca-certificate.pem
monitoring:
server:
endpoint: :2115
Expand Down
5 changes: 4 additions & 1 deletion cmd/config/templates/query.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,9 +24,12 @@ database:
{{- end }}
username: "yugabyte"
# TODO: pass password via environment variable
password: "yugabyte"
password: {{ .DB.Password }}
database: {{ .DB.Name }}
load-balance: {{ .DB.LoadBalance }}
tls:
mode: {{ .DB.TLS.Mode }}
ca-cert-path: {{ .DB.TLS.CACertPath }}
max-connections: 10
min-connections: 5
retry:
Expand Down
5 changes: 4 additions & 1 deletion cmd/config/templates/vc.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,9 +23,12 @@ database:
{{- end }}
username: "yugabyte"
# TODO: pass password via environment variable
password: "yugabyte"
password: {{ .DB.Password }}
database: {{ .DB.Name }}
load-balance: {{ .DB.LoadBalance }}
tls:
mode: {{ .DB.TLS.Mode }}
ca-cert-path: {{ .DB.TLS.CACertPath }}
max-connections: 10
min-connections: 5
retry:
Expand Down
4 changes: 4 additions & 0 deletions docker/images/test_node/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,10 @@ ENV SC_SIDECAR_COMMITTER_TLS_MODE="none"
ENV SC_VC_SERVER_TLS_MODE="none"
ENV SC_VERIFIER_SERVER_TLS_MODE="none"

# Disable TLS usage for db.
ENV SC_VC_DATABASE_TLS_MODE="none"
ENV SC_QUERY_DATABASE_TLS_MODE="none"

COPY ${ARCHBIN_PATH}/${TARGETOS}-${TARGETARCH}/* ${BINS_PATH}/
COPY ./docker/images/test_node/run ${BINS_PATH}/
COPY ./cmd/config/samples $CONFIGS_PATH
Expand Down
2 changes: 1 addition & 1 deletion docker/test/common.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -134,7 +134,7 @@ func getContainerMappedHostPort(
info, err := createDockerClient(t).ContainerInspect(ctx, containerName)
require.NoError(t, err)
require.NotNil(t, info)
portKey := nat.Port(fmt.Sprintf("%s/%s", containerPort, "tcp"))
portKey := nat.Port(fmt.Sprintf("%s/tcp", containerPort))
bindings, ok := info.NetworkSettings.Ports[portKey]
require.True(t, ok)
require.NotEmpty(t, bindings)
Expand Down
Loading