Merge pull request #187 from VRamakrishna/main

Documentation for TLS Enablement in Relays and Drivers Involved in Testnets

Author: VRamakrishna

common/protos/README.md

@@ -3,6 +3,6 @@
 
  SPDX-License-Identifier: CC-BY-4.0
  -->
-## protos
+## Weaver Protos
 
-This repository contains the grpc service and protocol buffer definitions for the relay, drivers and other interop modules.  protos
+This repository contains the gRPC service and protocol buffer definitions for the relay, drivers, other interoperation modules, and common structures used by several Weaver components.

core/drivers/corda-driver/.env.docker.template

@@ -7,3 +7,10 @@ DOCKER_IMAGE_NAME=ghcr.io/hyperledger-labs/weaver-corda-driver
 DOCKER_TAG=1.2.3
 COMPOSE_PROJECT_NAME=<docker-compose-project-name>
 COMPOSE_PROJECT_NETWORK=<docker-compose-project-network>
+RELAY_TLS=<true|false>
+RELAY_TLSCA_TRUST_STORE=<truststore-jks-file-path>
+RELAY_TLSCA_TRUST_STORE_PASSWORD=<truststore-jks-file-password>
+RELAY_TLSCA_CERT_PATHS=<colon-separated-CA-cert-paths>
+DRIVER_TLS=<true|false>
+DRIVER_TLS_CERT_PATH=<cert-path>
+DRIVER_TLS_KEY_PATH=<private-key-path>

core/drivers/corda-driver/Dockerfile.local

@@ -0,0 +1,17 @@
+# Local build
+FROM gradle:4.10.3-jdk8 AS builder-local
+
+WORKDIR /corda-driver
+ADD build /corda-driver/build
+
+FROM builder-local as builder
+
+# Deployment Image 
+FROM openjdk:8-jre
+
+COPY --from=builder /corda-driver/build/install/corda-driver /corda-driver/
+
+WORKDIR /corda-driver
+
+ARG GIT_URL
+LABEL org.opencontainers.image.source ${GIT_URL}

core/drivers/corda-driver/Dockerfile renamed to core/drivers/corda-driver/Dockerfile.remote

@@ -1,11 +1,3 @@
-ARG BUILD_TAG
-
-# Local build
-FROM gradle:4.10.3-jdk8 AS builder-local
-
-WORKDIR /corda-driver
-ADD build /corda-driver/build
-
 # Remote build
 FROM gradle:4.10.3-jdk8 AS builder-remote
 
@@ -14,18 +6,16 @@ RUN apt-get update && apt-get install -y maven
 
 WORKDIR /corda-driver
 ADD . .
-# RUN ./gradlew build --refresh-dependencies
 RUN ./gradlew clean installDist
 
-FROM builder-${BUILD_TAG} as builder
-RUN echo "Builder ${BUILD_TAG}"
+FROM builder-remote as builder
 
 # Deployment Image 
-FROM openjdk:8-jre-alpine
+FROM openjdk:8-jre
 
 COPY --from=builder /corda-driver/build/install/corda-driver /corda-driver/
 
 WORKDIR /corda-driver
 
 ARG GIT_URL
-LABEL org.opencontainers.image.source ${GIT_URL}
+LABEL org.opencontainers.image.source ${GIT_URL}

core/drivers/corda-driver/README.md

@@ -69,17 +69,21 @@ If the relay expects a TLS connection over gRPC, you need to specify the followi
     - `RELAY_TLSCA_CERT_PATHS`: colon-separated list of CA certificate file paths
 If you wish to run the driver service with TLS enabled, you need to specify the following environment variables in the `corda-driver` command:
 - `DRIVER_TLS`: should be set to `true`
-- `DRIVER_CERT_PATH`: driver's TLS certificate file path
-- `DRIVER_KEY_PATH`: driver's TLS private key file path
+- `DRIVER_TLS_CERT_PATH`: driver's TLS certificate file path
+- `DRIVER_TLS_KEY_PATH`: driver's TLS private key file path
 - Example: both relay and driver are TLS-enabled, and a trust store is used as a certificate repository:
   ```bash
-  RELAY_TLS=true RELAY_TLSCA_TRUST_STORE_PASSWORD=password RELAY_TLSCA_TRUST_STORE=trust_store.jks DRIVER_TLS=true DRIVER_CERT_PATH=cert.pem DRIVER_KEY_PATH=key.pem ./build/install/corda-driver/bin/corda-driver
+  RELAY_TLS=true RELAY_TLSCA_TRUST_STORE_PASSWORD=password RELAY_TLSCA_TRUST_STORE=trust_store.jks DRIVER_TLS=true DRIVER_TLS_CERT_PATH=cert.pem DRIVER_TLS_KEY_PATH=key.pem ./build/install/corda-driver/bin/corda-driver
   ```
 - Example: only relay is TLS-enabled, and the driver's trusted certificates are in separate files in the filesystem:
   ```bash
   RELAY_TLS=true RELAY_TLSCA_CERT_PATHS=ca_cert1.pem:ca_cert2.pem ./build/install/corda-driver/bin/corda-driver
   ```
 
+If the driver is deployed within a Docker container, set the same variables as above in the appropriate `.env` file. The following sample files in [./docker-testnet-envs/](./docker-testnet-envs) can be used and tweaked for Fabric drivers associated with particular testnets:
+- Corda `Corda_Network`: `.env.corda` (non-TLS) and `.env.corda.tls` (TLS)
+- Corda `Corda_Network2`: `.env.corda2` (non-TLS) and `.env.corda2.tls` (TLS)
+
 ## Driver configuration
 
 By default, the driver gRPC server listens on port `9099`. To change the port, set 
@@ -119,6 +123,13 @@ To push image to github container registry:
     - `DOCKER_TAG`: Refer here for the image tags available: [weaver-corda-driver](https://github.com/hyperledger-labs/weaver-dlt-interoperability/pkgs/container/weaver-corda-driver)
     - `COMPOSE_PROJECT_NAME`: Docker project name for the Corda network to which this driver is supposed to attach. By default, the folder name of the Corda network's `docker-compose.yml`, is the project name.
     - `COMPOSE_PROJECT_NETWORK`: Docker project network name for the Corda network to which this driver is supposed to attach. By default, `default` is the project network name.
+    - `RELAY_TLS`: Boolean flag indicating whether or not the local relay requires TLS connections
+    - `RELAY_TLSCA_TRUST_STORE`: Path to JKS file (truststore) containing TLS CA certificates
+    - `RELAY_TLSCA_TRUST_STORE_PASSWORD`: Password used to create the above JKS file
+    - `RELAY_TLSCA_CERT_PATHS`: Colon-separated TLS certificate paths for local relay
+    - `DRIVER_TLS`: Boolean flag indicating whether or not the driver requires TLS connections
+    - `DRIVER_TLS_CERT_PATH`: Driver's TLS certificate path
+    - `DRIVER_TLS_KEY_PATH`: Driver's TLS private key path
 * Create a Personal Access Token with read packages access in github. Refer [Creating a Personal Access Token](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) for help.
 * Run `docker login ghcr.io` and use your github username and personal access token as password.
 * Run: `make deploy`.

core/drivers/corda-driver/docker-compose.yaml

@@ -13,8 +13,17 @@ services:
       - DRIVER_PORT=${DRIVER_PORT}
       - DRIVER_RPC_USERNAME=${DRIVER_RPC_USERNAME}
       - DRIVER_RPC_PASSWORD=${DRIVER_RPC_PASSWORD}
+      - RELAY_TLS=${RELAY_TLS}
+      - RELAY_TLSCA_TRUST_STORE=${RELAY_TLSCA_TRUST_STORE}
+      - RELAY_TLSCA_TRUST_STORE_PASSWORD=${RELAY_TLSCA_TRUST_STORE_PASSWORD}
+      - RELAY_TLSCA_CERT_PATHS=${RELAY_TLSCA_CERT_PATHS}
+      - DRIVER_TLS=${DRIVER_TLS}
+      - DRIVER_TLS_CERT_PATH=${DRIVER_TLS_CERT_PATH}
+      - DRIVER_TLS_KEY_PATH=${DRIVER_TLS_KEY_PATH}
     ports:
       - "${DRIVER_PORT}:${DRIVER_PORT}"
+    volumes:
+      - ../../relay/credentials:/corda-driver/credentials
     command: sh -c "./bin/corda-driver"
 
 networks:

core/drivers/corda-driver/docker-testnet-envs/.env.corda

@@ -3,7 +3,14 @@ DRIVER_PORT=9099
 DRIVER_RPC_USERNAME=driverUser1
 DRIVER_RPC_PASSWORD=test
 DOCKER_IMAGE_NAME=ghcr.io/hyperledger-labs/weaver-corda-driver
-DOCKER_TAG=1.2.3
+DOCKER_TAG=1.2.4-alpha.6
 EXTERNAL_NETWORK=corda_default
 COMPOSE_PROJECT_NAME=corda
-COMPOSE_PROJECT_NETWORK=default
+COMPOSE_PROJECT_NETWORK=default
+RELAY_TLS=false
+RELAY_TLSCA_TRUST_STORE=
+RELAY_TLSCA_TRUST_STORE_PASSWORD=
+RELAY_TLSCA_CERT_PATHS=
+DRIVER_TLS=false
+DRIVER_TLS_CERT_PATH=
+DRIVER_TLS_KEY_PATH=

core/drivers/corda-driver/docker-testnet-envs/.env.corda.tls

@@ -0,0 +1,16 @@
+NETWORK_NAME=Corda_Network
+DRIVER_PORT=9099
+DRIVER_RPC_USERNAME=driverUser1
+DRIVER_RPC_PASSWORD=test
+DOCKER_IMAGE_NAME=ghcr.io/hyperledger-labs/weaver-corda-driver
+DOCKER_TAG=1.2.4-alpha.6
+EXTERNAL_NETWORK=corda_default
+COMPOSE_PROJECT_NAME=corda
+COMPOSE_PROJECT_NETWORK=default
+RELAY_TLS=true
+RELAY_TLSCA_TRUST_STORE=/corda-driver/credentials/docker/relay_drivers_trust_store.jks
+RELAY_TLSCA_TRUST_STORE_PASSWORD=trelay
+RELAY_TLSCA_CERT_PATHS=/corda-driver/credentials/docker/ca-cert.pem
+DRIVER_TLS=true
+DRIVER_TLS_CERT_PATH=/corda-driver/credentials/docker/corda-driver-cert.pem
+DRIVER_TLS_KEY_PATH=/corda-driver/credentials/docker/corda-driver-key.pem

core/drivers/corda-driver/docker-testnet-envs/.env.corda2

@@ -3,7 +3,14 @@ DRIVER_PORT=9098
 DRIVER_RPC_USERNAME=driverUser1
 DRIVER_RPC_PASSWORD=test
 DOCKER_IMAGE_NAME=ghcr.io/hyperledger-labs/weaver-corda-driver
-DOCKER_TAG=1.2.3
+DOCKER_TAG=1.2.4-alpha.6
 EXTERNAL_NETWORK=corda_network2_default
 COMPOSE_PROJECT_NAME=corda_network2
-COMPOSE_PROJECT_NETWORK=default
+COMPOSE_PROJECT_NETWORK=default
+RELAY_TLS=false
+RELAY_TLSCA_TRUST_STORE=
+RELAY_TLSCA_TRUST_STORE_PASSWORD=
+RELAY_TLSCA_CERT_PATHS=
+DRIVER_TLS=false
+DRIVER_TLS_CERT_PATH=
+DRIVER_TLS_KEY_PATH=

core/drivers/corda-driver/docker-testnet-envs/.env.corda2.tls

@@ -0,0 +1,16 @@
+NETWORK_NAME=Corda_Network2
+DRIVER_PORT=9098
+DRIVER_RPC_USERNAME=driverUser1
+DRIVER_RPC_PASSWORD=test
+DOCKER_IMAGE_NAME=ghcr.io/hyperledger-labs/weaver-corda-driver
+DOCKER_TAG=1.2.4-alpha.6
+EXTERNAL_NETWORK=corda_network2_default
+COMPOSE_PROJECT_NAME=corda_network2
+COMPOSE_PROJECT_NETWORK=default
+RELAY_TLS=true
+RELAY_TLSCA_TRUST_STORE=/corda-driver/credentials/docker/relay_drivers_trust_store.jks
+RELAY_TLSCA_TRUST_STORE_PASSWORD=trelay
+RELAY_TLSCA_CERT_PATHS=/corda-driver/credentials/docker/ca-cert.pem
+DRIVER_TLS=true
+DRIVER_TLS_CERT_PATH=/corda-driver/credentials/docker/corda2-driver-cert.pem
+DRIVER_TLS_KEY_PATH=/corda-driver/credentials/docker/corda2-driver-key.pem