dynamic TLS CA rotation for sidecar and query service

Add dynamic TLS support so that peer organization CA certificates are
automatically updated when config blocks add or remove organizations.

- DynamicTLSManager in utils/connection/ watches config block updates
  and rebuilds the trusted CA pool on the fly
- Sidecar updates TLS immediately during config block processing
- Query service polls the DB periodically for config changes
- Integration test covers add/remove/restore of peer orgs with mTLS
- Infrastructure plumbing for QueryTLSRefreshInterval and
  PeerOrganizationCount in runner config

Signed-off-by: Senthilnathan <cendhu@gmail.com>

Author: cendhu

cmd/committer/start_cmd.go

@@ -19,6 +19,7 @@ import (
 	"github.com/hyperledger/fabric-x-committer/service/sidecar"
 	"github.com/hyperledger/fabric-x-committer/service/vc"
 	"github.com/hyperledger/fabric-x-committer/service/verifier"
+	"github.com/hyperledger/fabric-x-committer/utils/connection"
 	"github.com/hyperledger/fabric-x-committer/utils/grpcservice"
 )
 
@@ -58,7 +59,11 @@ func startService(ctx context.Context, name, configPath string) error {
 
 	switch c := conf.(type) {
 	case *sidecar.Config:
-		service, err := sidecar.New(c)
+		tlsUpdater, err := setTLSConfigProviderAndGetUpdater(c.Server)
+		if err != nil {
+			return err
+		}
+		service, err := sidecar.New(c, tlsUpdater)
 		if err != nil {
 			return errors.Wrap(err, "failed to create sidecar service")
 		}
@@ -80,9 +85,27 @@ func startService(ctx context.Context, name, configPath string) error {
 		return grpcservice.StartAndServe(ctx, verifier.New(c), c.Server)
 
 	case *query.Config:
-		return grpcservice.StartAndServe(ctx, query.NewQueryService(c), c.Server)
+		tlsUpdater, err := setTLSConfigProviderAndGetUpdater(c.Server)
+		if err != nil {
+			return err
+		}
+		return grpcservice.StartAndServe(ctx, query.NewQueryService(c, tlsUpdater), c.Server)
 
 	default:
 		return errors.Newf("unknown config type: %T", conf)
 	}
 }
+
+func setTLSConfigProviderAndGetUpdater(serverConfig *connection.ServerConfig) (connection.TLSCertUpdater, error) {
+	if serverConfig == nil || serverConfig.TLS.Mode != connection.MutualTLSMode {
+		return nil, nil
+	}
+
+	dynamicTLS, err := connection.NewDynamicTLSFromConfig(serverConfig.TLS)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create dynamic TLS config")
+	}
+	serverConfig.SetTLSConfigProvider(dynamicTLS)
+
+	return dynamicTLS, nil
+}

cmd/config/create_config_file.go

@@ -41,17 +41,18 @@ type (
 		DB       DatabaseConfig
 
 		// Per service configurations.
-		BlockSize            uint64                      // orderer, loadgen
-		BlockTimeout         time.Duration               // orderer
-		LedgerPath           string                      // sidecar
-		Policy               *workload.PolicyProfile     // loadgen
-		LoadGenBlockLimit    uint64                      // loadgen
-		LoadGenTXLimit       uint64                      // loadgen
-		LoadGenWorkers       uint64                      // loadgen
-		Logging              flogging.Config             // for all
-		RateLimit            *connection.RateLimitConfig // query, sidecar
-		MaxRequestKeys       int                         // query
-		MaxConcurrentStreams int                         // sidecar
+		BlockSize               uint64                      // orderer, loadgen
+		BlockTimeout            time.Duration               // orderer
+		LedgerPath              string                      // sidecar
+		Policy                  *workload.PolicyProfile     // loadgen
+		LoadGenBlockLimit       uint64                      // loadgen
+		LoadGenTXLimit          uint64                      // loadgen
+		LoadGenWorkers          uint64                      // loadgen
+		Logging                 flogging.Config             // for all
+		RateLimit               *connection.RateLimitConfig // query, sidecar
+		MaxRequestKeys          int                         // query
+		QueryTLSRefreshInterval time.Duration               // query
+		MaxConcurrentStreams    int                         // sidecar
 
 		// VC service batching configuration (for testing).
 		VCMinTransactionBatchSize           int           // vc

cmd/config/templates/query.yaml

@@ -54,6 +54,7 @@ database:
     max-elapsed-time: 1h
 
 max-request-keys: {{ .MaxRequestKeys }}
+tls-refresh-interval: {{ .QueryTLSRefreshInterval }}
 
 logging:
   logSpec: {{ .Logging.LogSpec }}

integration/runner/runtime.go

@@ -102,6 +102,14 @@ type (
 		VerifierBatchTimeCutoff time.Duration
 		// VerifierBatchSizeCutoff configures the batch size cutoff for verifier service.
 		VerifierBatchSizeCutoff int
+
+		// QueryTLSRefreshInterval configures how often the query service polls the DB
+		// for config block updates to refresh dynamic TLS CA certificates.
+		QueryTLSRefreshInterval time.Duration
+
+		// PeerOrganizationCount is the number of peer organizations in the genesis config block.
+		// Defaults to 2 if not set.
+		PeerOrganizationCount uint32
 	}
 )
 
@@ -163,7 +171,7 @@ func NewRuntime(t *testing.T, conf *Config) *CommitterRuntime {
 	ordererEnv := mock.NewOrdererTestEnv(t, &mock.OrdererTestParameters{
 		NumIDs:                3,
 		ServerPerID:           2,
-		PeerOrganizationCount: 2,
+		PeerOrganizationCount: max(2, conf.PeerOrganizationCount),
 		ChanID:                TestChannelName,
 		ClientTLSConfig:       clientTLS,
 		ServerTLSConfig:       ordererServiceTLS,
@@ -205,6 +213,7 @@ func NewRuntime(t *testing.T, conf *Config) *CommitterRuntime {
 			VCTimeoutForMinTransactionBatchSize: conf.VCTimeoutForMinTransactionBatchSize,
 			VerifierBatchTimeCutoff:             conf.VerifierBatchTimeCutoff,
 			VerifierBatchSizeCutoff:             conf.VerifierBatchSizeCutoff,
+			QueryTLSRefreshInterval:             conf.QueryTLSRefreshInterval,
 		},
 		CommittedBlock:   make(chan *common.Block, 100),
 		SeedForCryptoGen: rand.New(rand.NewSource(10)),

integration/test/dynamic_tls_test.go

@@ -0,0 +1,169 @@
+/*
+Copyright IBM Corp. All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package test
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/hyperledger/fabric-x-common/api/committerpb"
+	"github.com/onsi/gomega"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+
+	"github.com/hyperledger/fabric-x-committer/integration/runner"
+	"github.com/hyperledger/fabric-x-committer/utils/connection"
+	"github.com/hyperledger/fabric-x-committer/utils/grpcerror"
+	"github.com/hyperledger/fabric-x-committer/utils/test"
+	"github.com/hyperledger/fabric-x-committer/utils/testcrypto"
+)
+
+// TestDynamicTLS verifies that the sidecar and query service dynamically update
+// their trusted TLS CA pool when config blocks add or remove peer organizations,
+// while preserving static (YAML-configured) root CAs.
+func TestDynamicTLS(t *testing.T) {
+	t.Parallel()
+	gomega.RegisterTestingT(t)
+
+	c := runner.NewRuntime(t, &runner.Config{
+		TLSMode:                 connection.MutualTLSMode,
+		PeerOrganizationCount:   3,
+		BlockTimeout:            2 * time.Second,
+		QueryTLSRefreshInterval: 5 * time.Second,
+		CrashTest:               true,
+	})
+	// Start orderer servers in-process so SubmitConfigBlock can write directly
+	// to the orderer's block channel (separate-process orderers don't share memory).
+	c.OrdererEnv.StartServers(t)
+	c.Start(t, runner.CommitterTxPath|runner.QueryService)
+
+	serverCACertPaths := c.SystemConfig.ClientTLS.CACertPaths
+	sidecarEndpoint := c.SystemConfig.Services.Sidecar.GrpcEndpoint
+	queryEndpoint := c.SystemConfig.Services.Query.GrpcEndpoint
+
+	// Per-org mTLS configs. Crypto artifacts don't change across config block updates,
+	// so these remain valid throughout the test.
+	orgTLS := [3]connection.TLSConfig{}
+	for i := range orgTLS {
+		orgTLS[i] = test.OrgClientTLSConfig(c.OrdererEnv.ArtifactsPath, i, serverCACertPaths)
+	}
+
+	// Step 1: Assert all three peer orgs can connect to sidecar and query service.
+	// The sidecar updates dynamic TLS immediately when processing the genesis config block.
+	// The query service polls the DB periodically, so we use Eventually for it.
+	t.Log("Step 1: Initial connection - all three orgs should connect")
+	for orgIdx, tlsCfg := range orgTLS {
+		assertRPCSucceeds(t, sidecarEndpoint, tlsCfg, "sidecar", orgIdx)
+		eventuallyRPCSucceeds(t, queryEndpoint, tlsCfg, "query", orgIdx)
+	}
+
+	// Step 2: Submit config block removing peer-org-2 (keep only peer-org-0 and peer-org-1).
+	// CreateOrExtendConfigBlockWithCrypto retains existing crypto on disk, so peer-org-2's
+	// certs remain available for reconnection in Step 4.
+	t.Log("Step 2: Dynamic removal - submit config with 2 peer orgs")
+	c.OrdererEnv.SubmitConfigBlock(t, &testcrypto.ConfigBlock{
+		OrdererEndpoints:      c.OrdererEnv.AllEndpoints,
+		PeerOrganizationCount: 2,
+	})
+	c.ValidateExpectedResultsInCommittedBlock(t, &runner.ExpectedStatusInBlock{
+		Statuses: []committerpb.Status{committerpb.Status_COMMITTED},
+	})
+
+	// Step 3: Verify peer-org-2 is rejected and peer-org-0 remains trusted.
+	t.Log("Step 3: Negative assertion - peer-org-2 rejected, peer-org-0 accepted")
+
+	// Sidecar updates immediately from config block processing.
+	assertRPCSucceeds(t, sidecarEndpoint, orgTLS[0], "sidecar", 0)
+	assertRPCFails(t, sidecarEndpoint, orgTLS[2], "sidecar", 2)
+
+	// Query service polls the DB; wait for the TLS refresh (up to 15s).
+	assertRPCSucceeds(t, queryEndpoint, orgTLS[0], "query", 0)
+	gomega.Eventually(func() error {
+		return tryRPC(queryEndpoint, orgTLS[2])
+	}, 15*time.Second, time.Second).Should(gomega.HaveOccurred(),
+		"query service should reject peer-org-2 after TLS refresh")
+
+	// Step 4: Restore peer-org-2.
+	t.Log("Step 4: Restoration - add peer-org-2 back")
+	c.OrdererEnv.SubmitConfigBlock(t, &testcrypto.ConfigBlock{
+		OrdererEndpoints:      c.OrdererEnv.AllEndpoints,
+		PeerOrganizationCount: 3,
+	})
+	c.ValidateExpectedResultsInCommittedBlock(t, &runner.ExpectedStatusInBlock{
+		Statuses: []committerpb.Status{committerpb.Status_COMMITTED},
+	})
+
+	// Sidecar: peer-org-2 connects immediately.
+	assertRPCSucceeds(t, sidecarEndpoint, orgTLS[2], "sidecar", 2)
+
+	// Query service: wait for TLS refresh.
+	eventuallyRPCSucceeds(t, queryEndpoint, orgTLS[2], "query", 2)
+
+	// Step 5: Static persistence - CredentialsFactory client still works.
+	t.Log("Step 5: Static persistence - static TLS client still trusted")
+	assertRPCSucceeds(t, sidecarEndpoint, c.SystemConfig.ClientTLS, "sidecar (static)", -1)
+	assertRPCSucceeds(t, queryEndpoint, c.SystemConfig.ClientTLS, "query (static)", -1)
+}
+
+func assertRPCSucceeds( //nolint:revive // test helper, readability over argument count
+	t *testing.T, endpoint connection.WithAddress,
+	tlsConfig connection.TLSConfig, service string, orgIdx int,
+) {
+	t.Helper()
+	err := tryRPC(endpoint, tlsConfig)
+	require.NoErrorf(t, err, "%s: peer-org-%d should connect successfully", service, orgIdx)
+}
+
+func assertRPCFails( //nolint:revive // test helper, readability over argument count
+	t *testing.T, endpoint connection.WithAddress,
+	tlsConfig connection.TLSConfig, service string, orgIdx int,
+) {
+	t.Helper()
+	err := tryRPC(endpoint, tlsConfig)
+	require.Errorf(t, err, "%s: peer-org-%d should be rejected", service, orgIdx)
+}
+
+func eventuallyRPCSucceeds( //nolint:revive // test helper, readability over argument count
+	t *testing.T, endpoint connection.WithAddress,
+	tlsConfig connection.TLSConfig, service string, orgIdx int,
+) {
+	t.Helper()
+	gomega.Eventually(func() error {
+		return tryRPC(endpoint, tlsConfig)
+	}, 15*time.Second, time.Second).ShouldNot(gomega.HaveOccurred(),
+		"%s: peer-org-%d should connect successfully", service, orgIdx)
+}
+
+// tryRPC attempts a lightweight gRPC call and returns an error only if the TLS
+// handshake fails. Application-level gRPC errors (InvalidArgument, Unimplemented,
+// etc.) indicate a successful TLS connection and are treated as success.
+func tryRPC(endpoint connection.WithAddress, tlsConfig connection.TLSConfig) error {
+	creds, err := tlsConfig.ClientCredentials()
+	if err != nil {
+		return err
+	}
+	conn, err := grpc.NewClient(endpoint.Address(), grpc.WithTransportCredentials(creds))
+	if err != nil {
+		return err
+	}
+	defer conn.Close() //nolint:errcheck
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	client := committerpb.NewQueryServiceClient(conn)
+	_, err = client.GetTransactionStatus(ctx, &committerpb.TxStatusQuery{})
+	// FilterUnavailableErrorCode returns nil for transient connectivity errors
+	// (Unavailable, DeadlineExceeded) and passes through application-level errors.
+	// An application-level error means TLS succeeded, so we invert: if the filter
+	// passes through an error, the connection worked.
+	if grpcerror.FilterUnavailableErrorCode(err) != nil {
+		return nil
+	}
+	return err
+}

loadgen/client_test.go

@@ -237,7 +237,7 @@ func TestLoadGenForSidecar(t *testing.T) {
 				},
 				Orderer: e.OrdererConnConfig,
 			}
-			service, err := sidecar.New(sidecarConf)
+			service, err := sidecar.New(sidecarConf, nil)
 			require.NoError(t, err)
 			t.Cleanup(service.Close)
 			test.RunServiceAndGrpcForTest(t.Context(), t, service, sidecarConf.Server)
@@ -279,7 +279,7 @@ func TestLoadGenForOrderer(t *testing.T) {
 			}
 
 			// Start sidecar.
-			service, err := sidecar.New(sidecarConf)
+			service, err := sidecar.New(sidecarConf, nil)
 			require.NoError(t, err)
 			t.Cleanup(service.Close)
 			test.RunServiceAndGrpcForTest(t.Context(), t, service, sidecarConf.Server)

service/query/config.go

@@ -48,4 +48,7 @@ type Config struct {
 	// GetTransactionStatus (number of transaction IDs).
 	// Set to 0 to disable the limit.
 	MaxRequestKeys int `mapstructure:"max-request-keys"`
+	// TLSRefreshInterval is the interval at which the query service polls the database
+	// for config block updates to refresh TLS CA certificates. Defaults to 1 minute.
+	TLSRefreshInterval time.Duration `mapstructure:"tls-refresh-interval"`
 }