[docker-test] Add release-image–based containerized integration tests with TLS modes

Makefile

@@ -110,7 +110,7 @@ test-integration-db-resiliency: build
 	@$(go_test) ./integration/... -run "DBResiliency.*" | gotestfmt ${GO_TEST_FMT_FLAGS}
 
 # Tests the all-in-one docker image.
-test-container: build-test-node-image
+test-container: build-test-node-image build-release-image
 	$(go_cmd) test -v -timeout 30m ./docker/...
 
 # Tests for components that directly talk to the DB, where different DBs might affect behaviour.

cmd/config/app_config_test.go

@@ -31,6 +31,25 @@ import (
 	"github.com/hyperledger/fabric-x-committer/utils/signature"
 )
 
+var (
+	defaultServerTLSConfig = connection.TLSConfig{
+		Mode:     connection.MutualTLSMode,
+		CertPath: "/certs/public-key",
+		KeyPath:  "/certs/private-key",
+		CACertPaths: []string{
+			"/certs/ca-certificate",
+		},
+	}
+	defaultClientTLSConfig = connection.TLSConfig{
+		Mode:     connection.MutualTLSMode,
+		CertPath: "/client_certs/public-key",
+		KeyPath:  "/client_certs/private-key",
+		CACertPaths: []string{
+			"/client_certs/ca-certificate",
+		},
+	}
+)
+
 func TestReadConfigSidecar(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
@@ -49,7 +68,9 @@ func TestReadConfigSidecar(t *testing.T) {
 				},
 				ChannelID: "mychannel",
 			},
-			Committer: newClientConfig("localhost", 9001),
+			Committer: &connection.ClientConfig{
+				Endpoint: newEndpoint("localhost", 9001),
+			},
 			Ledger: sidecar.LedgerConfig{
 				Path: "./ledger/",
 			},
@@ -66,6 +87,7 @@ func TestReadConfigSidecar(t *testing.T) {
 		expectedConfig: &sidecar.Config{
 			Server: &connection.ServerConfig{
 				Endpoint: *newEndpoint("", 4001),
+				TLS:      defaultServerTLSConfig,
 				KeepAlive: &connection.ServerKeepAliveConfig{
 					Params: &connection.ServerKeepAliveParamsConfig{
 						Time:    300 * time.Second,
@@ -81,12 +103,12 @@ func TestReadConfigSidecar(t *testing.T) {
 			Orderer: ordererconn.Config{
 				Connection: ordererconn.ConnectionConfig{
 					Endpoints: ordererconn.NewEndpoints(
-						0, "", newServerConfig("ordering-service", 7050),
+						0, "", newServerConfig("orderer", 7050),
 					),
 				},
 				ChannelID: "mychannel",
 			},
-			Committer: newClientConfig("coordinator", 9001),
+			Committer: newClientConfigWithDefaultTLS("coordinator", 9001),
 			Ledger: sidecar.LedgerConfig{
 				Path: "/root/sc/ledger",
 			},
@@ -132,10 +154,10 @@ func TestReadConfigCoordinator(t *testing.T) {
 		name:           "sample",
 		configFilePath: "samples/coordinator.yaml",
 		expectedConfig: &coordinator.Config{
-			Server:             newServerConfig("", 9001),
+			Server:             newServerConfigWithDefaultTLS(9001),
 			Monitoring:         newMonitoringConfig("", 2119),
-			Verifier:           newMultiClientConfig("signature-verifier", 5001),
-			ValidatorCommitter: newMultiClientConfig("validator-persister", 6001),
+			Verifier:           newMultiClientConfigWithDefaultTLS("verifier", 5001),
+			ValidatorCommitter: newMultiClientConfigWithDefaultTLS("vc", 6001),
 			DependencyGraph: &coordinator.DependencyGraphConfig{
 				NumOfLocalDepConstructors: 1,
 				WaitingTxsLimit:           100_000,
@@ -179,9 +201,9 @@ func TestReadConfigVC(t *testing.T) {
 		},
 	}, {
 		name:           "sample",
-		configFilePath: "samples/vcservice.yaml",
+		configFilePath: "samples/vc.yaml",
 		expectedConfig: &vc.Config{
-			Server:     newServerConfig("", 6001),
+			Server:     newServerConfigWithDefaultTLS(6001),
 			Monitoring: newMonitoringConfig("", 2116),
 			Database:   defaultSampleDBConfig(),
 			ResourceLimits: &vc.ResourceLimitsConfig{
@@ -227,9 +249,9 @@ func TestReadConfigVerifier(t *testing.T) {
 		},
 	}, {
 		name:           "sample",
-		configFilePath: "samples/sigservice.yaml",
+		configFilePath: "samples/verifier.yaml",
 		expectedConfig: &verifier.Config{
-			Server:     newServerConfig("", 5001),
+			Server:     newServerConfigWithDefaultTLS(5001),
 			Monitoring: newMonitoringConfig("", 2115),
 			ParallelExecutor: verifier.ExecutorConfig{
 				BatchSizeCutoff:   50,
@@ -273,9 +295,9 @@ func TestReadConfigQuery(t *testing.T) {
 		},
 	}, {
 		name:           "sample",
-		configFilePath: "samples/queryservice.yaml",
+		configFilePath: "samples/query.yaml",
 		expectedConfig: &query.Config{
-			Server:                newServerConfig("", 7001),
+			Server:                newServerConfigWithDefaultTLS(7001),
 			Monitoring:            newMonitoringConfig("", 2117),
 			Database:              defaultSampleDBConfig(),
 			MinBatchKeys:          1024,
@@ -317,7 +339,7 @@ func TestReadConfigLoadGen(t *testing.T) {
 		name:           "sample",
 		configFilePath: "samples/loadgen.yaml",
 		expectedConfig: &loadgen.ClientConfig{
-			Server: newServerConfig("", 8001),
+			Server: newServerConfigWithDefaultTLS(8001),
 			Monitoring: metrics.Config{
 				Config: newMonitoringConfig("", 2118),
 				Latency: metrics.LatencyConfig{
@@ -333,11 +355,11 @@ func TestReadConfigLoadGen(t *testing.T) {
 			},
 			Adapter: adapters.AdapterConfig{
 				OrdererClient: &adapters.OrdererClientConfig{
-					SidecarClient: newClientConfig("sidecar", 4001),
+					SidecarClient: newClientConfigWithDefaultTLS("sidecar", 4001),
 					Orderer: ordererconn.Config{
 						Connection: ordererconn.ConnectionConfig{
 							Endpoints: ordererconn.NewEndpoints(
-								0, "", newServerConfig("ordering-service", 7050),
+								0, "", newServerConfig("orderer", 7050),
 							),
 						},
 						ChannelID:     "mychannel",
@@ -365,7 +387,7 @@ func TestReadConfigLoadGen(t *testing.T) {
 							ID:       0,
 							MspID:    "org",
 							API:      []string{"broadcast", "deliver"},
-							Endpoint: *newEndpoint("ordering-service", 7050),
+							Endpoint: *newEndpoint("orderer", 7050),
 						}},
 					},
 				},
@@ -438,17 +460,19 @@ func defaultSampleDBConfig() *vc.DatabaseConfig {
 	}
 }
 
-func newClientConfig(host string, port int) *connection.ClientConfig {
+func newClientConfigWithDefaultTLS(host string, port int) *connection.ClientConfig {
 	return &connection.ClientConfig{
 		Endpoint: newEndpoint(host, port),
+		TLS:      defaultClientTLSConfig,
 	}
 }
 
-func newMultiClientConfig(host string, port int) connection.MultiClientConfig {
+func newMultiClientConfigWithDefaultTLS(host string, port int) connection.MultiClientConfig {
 	return connection.MultiClientConfig{
 		Endpoints: []*connection.Endpoint{
 			newEndpoint(host, port),
 		},
+		TLS: defaultClientTLSConfig,
 	}
 }
 
@@ -458,6 +482,13 @@ func newMonitoringConfig(host string, port int) monitoring.Config {
 	}
 }
 
+func newServerConfigWithDefaultTLS(port int) *connection.ServerConfig {
+	return &connection.ServerConfig{
+		Endpoint: *newEndpoint("", port),
+		TLS:      defaultServerTLSConfig,
+	}
+}
+
 func newServerConfig(host string, port int) *connection.ServerConfig {
 	return &connection.ServerConfig{
 		Endpoint: *newEndpoint(host, port),

cmd/config/samples/coordinator.yaml

@@ -4,16 +4,29 @@
 #
 server:
   endpoint: :9001
+  tls:
+    mode: mtls
+    cert-path: /certs/public-key
+    key-path: /certs/private-key
+    ca-cert-paths:
+      - /certs/ca-certificate
 monitoring:
   server:
     endpoint: :2119
 
 verifier:
   endpoints:
-    - signature-verifier:5001
+    - verifier:5001
+  tls: &ClientTLS
+    mode: mtls
+    cert-path: /client_certs/public-key
+    key-path: /client_certs/private-key
+    ca-cert-paths:
+      - /client_certs/ca-certificate
 validator-committer:
   endpoints:
-    - validator-persister:6001
+    - vc:6001
+  tls: *ClientTLS
 
 dependency-graph:
   num-of-local-dep-constructors: 1

cmd/config/samples/loadgen.yaml

@@ -4,6 +4,12 @@
 #
 server:
   endpoint: :8001
+  tls:
+    mode: mtls
+    cert-path: /certs/public-key
+    key-path: /certs/private-key
+    ca-cert-paths:
+      - /certs/ca-certificate
 monitoring:
   server:
     endpoint: :2118
@@ -18,10 +24,16 @@ monitoring:
 orderer-client:
   sidecar-client:
     endpoint: sidecar:4001
+    tls:
+      mode: mtls
+      cert-path: /client_certs/public-key
+      key-path: /client_certs/private-key
+      ca-cert-paths:
+        - /client_certs/ca-certificate
   orderer:
     connection:
       endpoints:
-        - broadcast,deliver,ordering-service:7050
+        - broadcast,deliver,orderer:7050
     consensus-type: BFT
     channel-id: mychannel
   # We set low values to reduce the CPU load during tests.
@@ -45,7 +57,7 @@ load-profile:
           scheme: ECDSA
           seed: 11
       orderer-endpoints:
-        - id=0,msp-id=org,broadcast,deliver,ordering-service:7050
+        - id=0,msp-id=org,broadcast,deliver,orderer:7050
   conflicts:
     invalid-signatures: 0.1
   seed: 12345

cmd/config/samples/queryservice.yaml → cmd/config/samples/query.yaml

@@ -6,6 +6,12 @@
 server:
   # The server's endpoint configuration
   endpoint: :7001
+  tls:
+    mode: mtls
+    cert-path: /certs/public-key
+    key-path: /certs/private-key
+    ca-cert-paths:
+      - /certs/ca-certificate
   # Credentials for the server
 monitoring:
   server:

cmd/config/samples/sidecar.yaml

@@ -4,6 +4,12 @@
 #
 server:
   endpoint: :4001
+  tls:
+    mode: mtls
+    cert-path: /certs/public-key
+    key-path: /certs/private-key
+    ca-cert-paths:
+      - /certs/ca-certificate
   keep-alive:
     params:
       time: 300s
@@ -18,7 +24,7 @@ monitoring:
 orderer:
   connection:
     endpoints:
-      - broadcast,deliver,ordering-service:7050
+      - broadcast,deliver,orderer:7050
   channel-id: mychannel
   # identity:
   #   root-ca-paths:
@@ -32,6 +38,12 @@ orderer:
   #       Hash: SHA2
 committer:
   endpoint: coordinator:9001
+  tls:
+    mode: mtls
+    cert-path: /client_certs/public-key
+    key-path: /client_certs/private-key
+    ca-cert-paths:
+      - /client_certs/ca-certificate
 ledger:
   path: /root/sc/ledger
 notification:

cmd/config/samples/vcservice.yaml → cmd/config/samples/vc.yaml

@@ -6,6 +6,12 @@
 server:
   # The server's endpoint configuration
   endpoint: :6001
+  tls:
+    mode: mtls
+    cert-path: /certs/public-key
+    key-path: /certs/private-key
+    ca-cert-paths:
+      - /certs/ca-certificate
   # Credentials for the server
 monitoring:
   server:

cmd/config/samples/sigservice.yaml → cmd/config/samples/verifier.yaml

@@ -4,6 +4,12 @@
 #
 server:
   endpoint: :5001
+  tls:
+    mode: mtls
+    cert-path: /certs/public-key
+    key-path: /certs/private-key
+    ca-cert-paths:
+      - /certs/ca-certificate
 monitoring:
   server:
     endpoint: :2115

docker/images/test_node/Dockerfile

@@ -23,6 +23,18 @@ ENV SC_LOADGEN_ORDERER_CLIENT_ORDERER_CONNECTION_ENDPOINTS=localhost:7050
 ENV SC_LOADGEN_LOAD_PROFILE_TRANSACTION_POLICY_ORDERER_ENDPOINTS="id=0,msp-id=org,broadcast,deliver,localhost:7050"
 ENV SC_LOADGEN_ORDERER_CLIENT_SIDECAR_CLIENT_ENDPOINT=localhost:4001
 
+# Set TLS mode to none-tls.
+ENV SC_COORDINATOR_SERVER_TLS_MODE="none"
+ENV SC_COORDINATOR_VERIFIER_TLS_MODE="none"
+ENV SC_COORDINATOR_VALIDATOR_COMMITTER_TLS_MODE="none"
+ENV SC_LOADGEN_SERVER_TLS_MODE="none"
+ENV SC_LOADGEN_ORDERER_CLIENT_SIDECAR_CLIENT_TLS_MODE="none"
+ENV SC_QUERY_SERVER_TLS_MODE="none"
+ENV SC_SIDECAR_SERVER_TLS_MODE="none"
+ENV SC_SIDECAR_COMMITTER_TLS_MODE="none"
+ENV SC_VC_SERVER_TLS_MODE="none"
+ENV SC_VERIFIER_SERVER_TLS_MODE="none"
+
 COPY ${ARCHBIN_PATH}/${TARGETOS}-${TARGETARCH}/* ${BINS_PATH}/
 COPY ./docker/images/test_node/run ${BINS_PATH}/
 COPY ./cmd/config/samples $CONFIGS_PATH

docker/images/test_node/run

@@ -20,9 +20,9 @@ if [[ $ops == *"orderer"* ]]; then
 fi
 
 if [[ $ops == *"committer"* ]]; then
-  "$BINS_PATH/committer" start-verifier    --config "$CONFIGS_PATH/sigservice.yaml" &
-  "$BINS_PATH/committer" start-vc          --config "$CONFIGS_PATH/vcservice.yaml" &
-  "$BINS_PATH/committer" start-query       --config "$CONFIGS_PATH/queryservice.yaml" &
+  "$BINS_PATH/committer" start-verifier    --config "$CONFIGS_PATH/verifier.yaml" &
+  "$BINS_PATH/committer" start-vc          --config "$CONFIGS_PATH/vc.yaml" &
+  "$BINS_PATH/committer" start-query       --config "$CONFIGS_PATH/query.yaml" &
   "$BINS_PATH/committer" start-coordinator --config "$CONFIGS_PATH/coordinator.yaml" &
   "$BINS_PATH/committer" start-sidecar     --config "$CONFIGS_PATH/sidecar.yaml" &
 fi