dynamic TLS CA rotation for sidecar and query service

Add dynamic TLS support so that peer organization CA certificates are
automatically updated when config blocks add or remove organizations.

- DynamicTLSManager in utils/connection/ watches config block updates
  and rebuilds the trusted CA pool on the fly
- Sidecar updates TLS immediately during config block processing
- Query service polls the DB periodically for config changes
- Integration test covers add/remove/restore of peer orgs with mTLS
- Infrastructure plumbing for QueryTLSRefreshInterval and
  PeerOrganizationCount in runner config

Signed-off-by: Senthilnathan <cendhu@gmail.com>

Author: cendhu

cmd/committer/start_cmd.go

@@ -19,6 +19,7 @@ import (
 	"github.com/hyperledger/fabric-x-committer/service/sidecar"
 	"github.com/hyperledger/fabric-x-committer/service/vc"
 	"github.com/hyperledger/fabric-x-committer/service/verifier"
+	"github.com/hyperledger/fabric-x-committer/utils/connection"
 	"github.com/hyperledger/fabric-x-committer/utils/grpcservice"
 )
 
@@ -58,31 +59,59 @@ func startService(ctx context.Context, name, configPath string) error {
 
 	switch c := conf.(type) {
 	case *sidecar.Config:
-		service, err := sidecar.New(c)
+		tlsUpdater, tlsProvider, err := newDynamicTLS(c.Server)
+		if err != nil {
+			return err
+		}
+		service, err := sidecar.New(c, tlsUpdater)
 		if err != nil {
 			return errors.Wrap(err, "failed to create sidecar service")
 		}
 		defer service.Close()
-		return grpcservice.StartAndServe(ctx, service, c.Server)
+		return grpcservice.StartAndServe(ctx, service, tlsProvider, c.Server)
 
 	case *coordinator.Config:
-		return grpcservice.StartAndServe(ctx, coordinator.NewCoordinatorService(c), c.Server)
+		return grpcservice.StartAndServe(ctx, coordinator.NewCoordinatorService(c), nil, c.Server)
 
 	case *vc.Config:
 		service, err := vc.NewValidatorCommitterService(ctx, c)
 		if err != nil {
 			return errors.Wrap(err, "failed to create validator committer service")
 		}
 		defer service.Close()
-		return grpcservice.StartAndServe(ctx, service, c.Server)
+		return grpcservice.StartAndServe(ctx, service, nil, c.Server)
 
 	case *verifier.Config:
-		return grpcservice.StartAndServe(ctx, verifier.New(c), c.Server)
+		return grpcservice.StartAndServe(ctx, verifier.New(c), nil, c.Server)
 
 	case *query.Config:
-		return grpcservice.StartAndServe(ctx, query.NewQueryService(c), c.Server)
+		tlsUpdater, tlsProvider, err := newDynamicTLS(c.Server)
+		if err != nil {
+			return err
+		}
+		return grpcservice.StartAndServe(ctx, query.NewQueryService(c, tlsUpdater), tlsProvider, c.Server)
 
 	default:
 		return errors.Newf("unknown config type: %T", conf)
 	}
 }
+
+// newDynamicTLS returns the TLS interfaces separately to avoid the Go
+// nil-interface trap: a nil *DynamicTLS assigned to an interface becomes a
+// non-nil interface wrapping a nil pointer, which passes != nil checks but
+// panics on method calls. Returning interfaces directly ensures that when
+// TLS is disabled, callers receive true nil values.
+func newDynamicTLS(
+	serverConfig *connection.ServerConfig,
+) (connection.TLSCertUpdater, connection.TLSConfigProvider, error) {
+	if serverConfig == nil || serverConfig.TLS.Mode != connection.MutualTLSMode {
+		return nil, nil, nil
+	}
+
+	dynamicTLS, err := connection.NewDynamicTLSFromConfig(serverConfig.TLS)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "failed to create dynamic TLS config")
+	}
+
+	return dynamicTLS, dynamicTLS, nil
+}

cmd/config/app_config_test.go

@@ -292,6 +292,7 @@ func TestReadConfigQuery(t *testing.T) {
 			MaxActiveViews:        query.DefaultMaxActiveViews,
 			MaxViewTimeout:        query.DefaultMaxViewTimeout,
 			MaxRequestKeys:        query.DefaultMaxRequestKeys,
+			TLSRefreshInterval:    query.DefaultTLSRefreshInterval,
 		},
 	}, {
 		name:           "sample",
@@ -307,6 +308,7 @@ func TestReadConfigQuery(t *testing.T) {
 			MaxActiveViews:        query.DefaultMaxActiveViews,
 			MaxViewTimeout:        query.DefaultMaxViewTimeout,
 			MaxRequestKeys:        query.DefaultMaxRequestKeys,
+			TLSRefreshInterval:    query.DefaultTLSRefreshInterval,
 		},
 	}}
 

cmd/config/create_config_file.go

@@ -42,17 +42,18 @@ type (
 		DB       DatabaseConfig
 
 		// Per service configurations.
-		BlockSize            uint64                      // orderer, loadgen
-		BlockTimeout         time.Duration               // orderer
-		LedgerPath           string                      // sidecar
-		Policy               *workload.PolicyProfile     // loadgen
-		LoadGenBlockLimit    uint64                      // loadgen
-		LoadGenTXLimit       uint64                      // loadgen
-		LoadGenWorkers       uint64                      // loadgen
-		Logging              flogging.Config             // for all
-		RateLimit            *connection.RateLimitConfig // query, sidecar
-		MaxRequestKeys       int                         // query
-		MaxConcurrentStreams int                         // sidecar
+		BlockSize               uint64                      // orderer, loadgen
+		BlockTimeout            time.Duration               // orderer
+		LedgerPath              string                      // sidecar
+		Policy                  *workload.PolicyProfile     // loadgen
+		LoadGenBlockLimit       uint64                      // loadgen
+		LoadGenTXLimit          uint64                      // loadgen
+		LoadGenWorkers          uint64                      // loadgen
+		Logging                 flogging.Config             // for all
+		RateLimit               *connection.RateLimitConfig // query, sidecar
+		MaxRequestKeys          int                         // query
+		QueryTLSRefreshInterval time.Duration               // query
+		MaxConcurrentStreams    int                         // sidecar
 
 		// VC service batching configuration (for testing).
 		VCMinTransactionBatchSize           int           // vc

cmd/config/templates/query.yaml.tmpl

@@ -8,3 +8,6 @@
 {{ include "database" . | indent 0 }}
 
 max-request-keys: {{ .MaxRequestKeys }}
+{{- if .QueryTLSRefreshInterval }}
+tls-refresh-interval: {{ .QueryTLSRefreshInterval }}
+{{- end }}

cmd/config/viper.go

@@ -82,6 +82,7 @@ func NewViperWithQueryDefaults() *viper.Viper {
 	v.SetDefault("max-active-views", query.DefaultMaxActiveViews)
 	v.SetDefault("max-view-timeout", query.DefaultMaxViewTimeout)
 	v.SetDefault("max-request-keys", query.DefaultMaxRequestKeys)
+	v.SetDefault("tls-refresh-interval", query.DefaultTLSRefreshInterval)
 	return v
 }
 

cmd/loadgen/main.go

@@ -76,7 +76,7 @@ func loadGenCMD() *cobra.Command {
 			if err != nil {
 				return err
 			}
-			return grpcservice.StartAndServe(cmd.Context(), client, conf.Server)
+			return grpcservice.StartAndServe(cmd.Context(), client, nil, conf.Server)
 		},
 	}
 	cliutil.SetDefaultFlags(cmd, &configPath)

cmd/mock/main.go

@@ -84,7 +84,7 @@ func startMockOrderer() *cobra.Command {
 			if conf.Server != nil && !conf.Server.Endpoint.Empty() {
 				serverConfigs = append(serverConfigs, conf.Server)
 			}
-			return grpcservice.StartAndServe(cmd.Context(), service, serverConfigs...)
+			return grpcservice.StartAndServe(cmd.Context(), service, nil, serverConfigs...)
 		},
 	}
 	cliutil.SetDefaultFlags(cmd, &configPath)
@@ -109,7 +109,7 @@ func startMockCoordinator() *cobra.Command {
 			defer cmd.Printf("%v ended\n", mockVerifierName)
 
 			service := mock.NewMockCoordinator()
-			return grpcservice.Serve(cmd.Context(), service, conf.Server)
+			return grpcservice.Serve(cmd.Context(), service, conf.Server, nil)
 		},
 	}
 	cliutil.SetDefaultFlags(cmd, &configPath)
@@ -134,7 +134,7 @@ func startMockVerifier() *cobra.Command {
 			defer cmd.Printf("%v ended\n", mockVerifierName)
 
 			sv := mock.NewMockSigVerifier()
-			return grpcservice.Serve(cmd.Context(), sv, conf.Server)
+			return grpcservice.Serve(cmd.Context(), sv, conf.Server, nil)
 		},
 	}
 	cliutil.SetDefaultFlags(cmd, &configPath)
@@ -159,7 +159,7 @@ func startMockVC() *cobra.Command {
 			defer cmd.Printf("%v ended\n", mockVcName)
 
 			vcs := mock.NewMockVcService()
-			return grpcservice.Serve(cmd.Context(), vcs, conf.Server)
+			return grpcservice.Serve(cmd.Context(), vcs, conf.Server, nil)
 		},
 	}
 	cliutil.SetDefaultFlags(cmd, &configPath)

integration/runner/runtime.go

@@ -102,6 +102,14 @@ type (
 		VerifierBatchTimeCutoff time.Duration
 		// VerifierBatchSizeCutoff configures the batch size cutoff for verifier service.
 		VerifierBatchSizeCutoff int
+
+		// QueryTLSRefreshInterval configures how often the query service polls the DB
+		// for config block updates to refresh dynamic TLS CA certificates.
+		QueryTLSRefreshInterval time.Duration
+
+		// PeerOrganizationCount is the number of peer organizations in the genesis config block.
+		// Defaults to 2 if not set.
+		PeerOrganizationCount uint32
 	}
 )
 
@@ -163,7 +171,7 @@ func NewRuntime(t *testing.T, conf *Config) *CommitterRuntime {
 	ordererEnv := mock.NewOrdererTestEnv(t, &mock.OrdererTestParameters{
 		NumIDs:                3,
 		ServerPerID:           2,
-		PeerOrganizationCount: 2,
+		PeerOrganizationCount: max(2, conf.PeerOrganizationCount),
 		ChanID:                TestChannelName,
 		ClientTLSConfig:       clientTLS,
 		ServerTLSConfig:       ordererServiceTLS,
@@ -205,6 +213,7 @@ func NewRuntime(t *testing.T, conf *Config) *CommitterRuntime {
 			VCTimeoutForMinTransactionBatchSize: conf.VCTimeoutForMinTransactionBatchSize,
 			VerifierBatchTimeCutoff:             conf.VerifierBatchTimeCutoff,
 			VerifierBatchSizeCutoff:             conf.VerifierBatchSizeCutoff,
+			QueryTLSRefreshInterval:             conf.QueryTLSRefreshInterval,
 		},
 		CommittedBlock:   make(chan *common.Block, 100),
 		SeedForCryptoGen: rand.New(rand.NewSource(10)),

integration/test/dynamic_tls_test.go

@@ -0,0 +1,169 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package test
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/hyperledger/fabric-x-common/api/committerpb"
+	"github.com/onsi/gomega"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+
+	"github.com/hyperledger/fabric-x-committer/integration/runner"
+	"github.com/hyperledger/fabric-x-committer/utils/connection"
+	"github.com/hyperledger/fabric-x-committer/utils/grpcerror"
+	"github.com/hyperledger/fabric-x-committer/utils/test"
+	"github.com/hyperledger/fabric-x-committer/utils/testcrypto"
+)
+
+// TestDynamicTLS verifies that the sidecar and query service dynamically update
+// their trusted TLS CA pool when config blocks add or remove peer organizations,
+// while preserving static (YAML-configured) root CAs.
+func TestDynamicTLS(t *testing.T) {
+	t.Parallel()
+	gomega.RegisterTestingT(t)
+
+	c := runner.NewRuntime(t, &runner.Config{
+		TLSMode:                 connection.MutualTLSMode,
+		PeerOrganizationCount:   3,
+		BlockTimeout:            2 * time.Second,
+		QueryTLSRefreshInterval: 5 * time.Second,
+		CrashTest:               true,
+	})
+	// Start orderer servers in-process so SubmitConfigBlock can write directly
+	// to the orderer's block channel (separate-process orderers don't share memory).
+	c.OrdererEnv.StartServers(t)
+	c.Start(t, runner.CommitterTxPath|runner.QueryService)
+
+	serverCACertPaths := c.SystemConfig.ClientTLS.CACertPaths
+	sidecarEndpoint := c.SystemConfig.Services.Sidecar.GrpcEndpoint
+	queryEndpoint := c.SystemConfig.Services.Query.GrpcEndpoint
+
+	// Per-org mTLS configs. Crypto artifacts don't change across config block updates,
+	// so these remain valid throughout the test.
+	orgTLS := [3]connection.TLSConfig{}
+	for i := range orgTLS {
+		orgTLS[i] = test.OrgClientTLSConfig(c.OrdererEnv.ArtifactsPath, i, serverCACertPaths)
+	}
+
+	// Step 1: Assert all three peer orgs can connect to sidecar and query service.
+	// The sidecar updates dynamic TLS immediately when processing the genesis config block.
+	// The query service polls the DB periodically, so we use Eventually for it.
+	t.Log("Step 1: Initial connection - all three orgs should connect")
+	for orgIdx, tlsCfg := range orgTLS {
+		assertRPCSucceeds(t, sidecarEndpoint, tlsCfg, "sidecar", orgIdx)
+		eventuallyRPCSucceeds(t, queryEndpoint, tlsCfg, "query", orgIdx)
+	}
+
+	// Step 2: Submit config block removing peer-org-2 (keep only peer-org-0 and peer-org-1).
+	// CreateOrExtendConfigBlockWithCrypto retains existing crypto on disk, so peer-org-2's
+	// certs remain available for reconnection in Step 4.
+	t.Log("Step 2: Dynamic removal - submit config with 2 peer orgs")
+	c.OrdererEnv.SubmitConfigBlock(t, &testcrypto.ConfigBlock{
+		OrdererEndpoints:      c.OrdererEnv.AllEndpoints,
+		PeerOrganizationCount: 2,
+	})
+	c.ValidateExpectedResultsInCommittedBlock(t, &runner.ExpectedStatusInBlock{
+		Statuses: []committerpb.Status{committerpb.Status_COMMITTED},
+	})
+
+	// Step 3: Verify peer-org-2 is rejected and peer-org-0 remains trusted.
+	t.Log("Step 3: Negative assertion - peer-org-2 rejected, peer-org-0 accepted")
+
+	// Sidecar updates immediately from config block processing.
+	assertRPCSucceeds(t, sidecarEndpoint, orgTLS[0], "sidecar", 0)
+	assertRPCFails(t, sidecarEndpoint, orgTLS[2], "sidecar", 2)
+
+	// Query service polls the DB; wait for the TLS refresh (up to 15s).
+	assertRPCSucceeds(t, queryEndpoint, orgTLS[0], "query", 0)
+	gomega.Eventually(func() error {
+		return tryRPC(queryEndpoint, orgTLS[2])
+	}, 15*time.Second, time.Second).Should(gomega.HaveOccurred(),
+		"query service should reject peer-org-2 after TLS refresh")
+
+	// Step 4: Restore peer-org-2.
+	t.Log("Step 4: Restoration - add peer-org-2 back")
+	c.OrdererEnv.SubmitConfigBlock(t, &testcrypto.ConfigBlock{
+		OrdererEndpoints:      c.OrdererEnv.AllEndpoints,
+		PeerOrganizationCount: 3,
+	})
+	c.ValidateExpectedResultsInCommittedBlock(t, &runner.ExpectedStatusInBlock{
+		Statuses: []committerpb.Status{committerpb.Status_COMMITTED},
+	})
+
+	// Sidecar: peer-org-2 connects immediately.
+	assertRPCSucceeds(t, sidecarEndpoint, orgTLS[2], "sidecar", 2)
+
+	// Query service: wait for TLS refresh.
+	eventuallyRPCSucceeds(t, queryEndpoint, orgTLS[2], "query", 2)
+
+	// Step 5: Static persistence - CredentialsFactory client still works.
+	t.Log("Step 5: Static persistence - static TLS client still trusted")
+	assertRPCSucceeds(t, sidecarEndpoint, c.SystemConfig.ClientTLS, "sidecar (static)", -1)
+	assertRPCSucceeds(t, queryEndpoint, c.SystemConfig.ClientTLS, "query (static)", -1)
+}
+
+func assertRPCSucceeds( //nolint:revive // test helper, readability over argument count
+	t *testing.T, endpoint connection.WithAddress,
+	tlsConfig connection.TLSConfig, service string, orgIdx int,
+) {
+	t.Helper()
+	err := tryRPC(endpoint, tlsConfig)
+	require.NoErrorf(t, err, "%s: peer-org-%d should connect successfully", service, orgIdx)
+}
+
+func assertRPCFails( //nolint:revive // test helper, readability over argument count
+	t *testing.T, endpoint connection.WithAddress,
+	tlsConfig connection.TLSConfig, service string, orgIdx int,
+) {
+	t.Helper()
+	err := tryRPC(endpoint, tlsConfig)
+	require.Errorf(t, err, "%s: peer-org-%d should be rejected", service, orgIdx)
+}
+
+func eventuallyRPCSucceeds( //nolint:revive // test helper, readability over argument count
+	t *testing.T, endpoint connection.WithAddress,
+	tlsConfig connection.TLSConfig, service string, orgIdx int,
+) {
+	t.Helper()
+	gomega.Eventually(func() error {
+		return tryRPC(endpoint, tlsConfig)
+	}, 15*time.Second, time.Second).ShouldNot(gomega.HaveOccurred(),
+		"%s: peer-org-%d should connect successfully", service, orgIdx)
+}
+
+// tryRPC attempts a lightweight gRPC call and returns an error only if the TLS
+// handshake fails. Application-level gRPC errors (InvalidArgument, Unimplemented,
+// etc.) indicate a successful TLS connection and are treated as success.
+func tryRPC(endpoint connection.WithAddress, tlsConfig connection.TLSConfig) error {
+	creds, err := tlsConfig.ClientCredentials()
+	if err != nil {
+		return err
+	}
+	conn, err := grpc.NewClient(endpoint.Address(), grpc.WithTransportCredentials(creds))
+	if err != nil {
+		return err
+	}
+	defer conn.Close() //nolint:errcheck
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	client := committerpb.NewQueryServiceClient(conn)
+	_, err = client.GetTransactionStatus(ctx, &committerpb.TxStatusQuery{})
+	// FilterUnavailableErrorCode returns nil for transient connectivity errors
+	// (Unavailable, DeadlineExceeded) and passes through application-level errors.
+	// An application-level error means TLS succeeded, so we invert: if the filter
+	// passes through an error, the connection worked.
+	if grpcerror.FilterUnavailableErrorCode(err) != nil {
+		return nil
+	}
+	return err
+}

loadgen/adapters/sidecar.go

@@ -55,7 +55,7 @@ func (c *SidecarAdapter) RunWorkload(ctx context.Context, txStream *workload.Str
 	g, gCtx := errgroup.WithContext(dCtx)
 
 	g.Go(func() error {
-		return grpcservice.StartAndServe(gCtx, orderer, c.config.OrdererServers...)
+		return grpcservice.StartAndServe(gCtx, orderer, nil, c.config.OrdererServers...)
 	})
 
 	g.Go(func() error {