hyperledger · dean-amar · Oct 21, 2025 · Oct 21, 2025 · Oct 22, 2025 · Oct 22, 2025
diff --git a/cmd/config/app_config_test.go b/cmd/config/app_config_test.go
@@ -34,18 +34,18 @@ import (
 var (
 	defaultServerTLSConfig = connection.TLSConfig{
 		Mode:     connection.MutualTLSMode,
-		CertPath: "/server-certs/public-key",
-		KeyPath:  "/server-certs/private-key",
+		CertPath: "/server-certs/public-key.crt",
+		KeyPath:  "/server-certs/private-key.key",
 		CACertPaths: []string{
-			"/server-certs/ca-certificate",
+			"/server-certs/ca-certificate.crt",
 		},
 	}
 	defaultClientTLSConfig = connection.TLSConfig{
 		Mode:     connection.MutualTLSMode,
-		CertPath: "/client-certs/public-key",
-		KeyPath:  "/client-certs/private-key",
+		CertPath: "/client-certs/public-key.crt",
+		KeyPath:  "/client-certs/private-key.key",
 		CACertPaths: []string{
-			"/client-certs/ca-certificate",
+			"/client-certs/ca-certificate.crt",
 		},
 	}
 )
@@ -443,10 +443,14 @@ func defaultDBConfig() *vc.DatabaseConfig {
 
 func defaultSampleDBConfig() *vc.DatabaseConfig {
 	return &vc.DatabaseConfig{
-		Endpoints:      []*connection.Endpoint{newEndpoint("db", 5433)},
-		Username:       "yugabyte",
-		Password:       "yugabyte",
-		Database:       "yugabyte",
+		Endpoints: []*connection.Endpoint{newEndpoint("db", 5433)},
+		Username:  "yugabyte",
+		Password:  "yugabyte",
+		Database:  "yugabyte",
+		TLS: connection.DatabaseTLS{
+			Activate:   true,
+			CACertPath: "/server-certs/ca-certificate.crt",
+		},
 		MaxConnections: 10,
 		MinConnections: 5,
 		LoadBalance:    false,

diff --git a/cmd/config/cobra_test_exports.go b/cmd/config/cobra_test_exports.go
@@ -64,8 +64,8 @@ func StartDefaultSystem(t *testing.T) SystemConfig {
 		},
 		DB: DatabaseConfig{
 			Name:        conn.Database,
-			LoadBalance: false,
 			Endpoints:   conn.Endpoints,
+			LoadBalance: false,
 		},
 		Policy: &workload.PolicyProfile{
 			ChannelID: "channel1",

diff --git a/cmd/config/create_config_file.go b/cmd/config/create_config_file.go
@@ -72,8 +72,10 @@ type (
 	// DatabaseConfig represents the used DB.
 	DatabaseConfig struct {
 		Name        string
+		Password    string
 		LoadBalance bool
 		Endpoints   []*connection.Endpoint
+		TLS         connection.DatabaseTLS
 	}
 )
 

diff --git a/cmd/config/samples/coordinator.yaml b/cmd/config/samples/coordinator.yaml
@@ -6,10 +6,10 @@ server:
   endpoint: :9001
   tls:
     mode: mtls
-    cert-path: /server-certs/public-key
-    key-path: /server-certs/private-key
+    cert-path: /server-certs/public-key.crt
+    key-path: /server-certs/private-key.key
     ca-cert-paths:
-      - /server-certs/ca-certificate
+      - /server-certs/ca-certificate.crt
 monitoring:
   server:
     endpoint: :2119
@@ -19,10 +19,10 @@ verifier:
     - verifier:5001
   tls: &ClientTLS
     mode: mtls
-    cert-path: /client-certs/public-key
-    key-path: /client-certs/private-key
+    cert-path: /client-certs/public-key.crt
+    key-path: /client-certs/private-key.key
     ca-cert-paths:
-      - /client-certs/ca-certificate
+      - /client-certs/ca-certificate.crt
 validator-committer:
   endpoints:
     - vc:6001

diff --git a/cmd/config/samples/loadgen.yaml b/cmd/config/samples/loadgen.yaml
@@ -6,10 +6,10 @@ server:
   endpoint: :8001
   tls:
     mode: mtls
-    cert-path: /server-certs/public-key
-    key-path: /server-certs/private-key
+    cert-path: /server-certs/public-key.crt
+    key-path: /server-certs/private-key.key
     ca-cert-paths:
-      - /server-certs/ca-certificate
+      - /server-certs/ca-certificate.crt
 monitoring:
   server:
     endpoint: :2118
@@ -26,10 +26,10 @@ orderer-client:
     endpoint: sidecar:4001
     tls:
       mode: mtls
-      cert-path: /client-certs/public-key
-      key-path: /client-certs/private-key
+      cert-path: /client-certs/public-key.crt
+      key-path: /client-certs/private-key.key
       ca-cert-paths:
-        - /client-certs/ca-certificate
+        - /client-certs/ca-certificate.crt
   orderer:
     connection:
       endpoints:

diff --git a/cmd/config/samples/query.yaml b/cmd/config/samples/query.yaml
@@ -8,11 +8,10 @@ server:
   endpoint: :7001
   tls:
     mode: mtls
-    cert-path: /server-certs/public-key
-    key-path: /server-certs/private-key
+    cert-path: /server-certs/public-key.crt
+    key-path: /server-certs/private-key.key
     ca-cert-paths:
-      - /server-certs/ca-certificate
-  # Credentials for the server
+      - /server-certs/ca-certificate.crt
 monitoring:
   server:
     endpoint: :2117
@@ -24,6 +23,9 @@ database:
   # TODO: pass password via environment variable
   password: "yugabyte" # The password for the database
   database: "yugabyte" # The database name
+  tls:
+    activate: true
+    ca-cert-path: /server-certs/ca-certificate.crt
   max-connections: 10 # The maximum size of the connection pool
   min-connections: 5 # The minimum size of the connection pool
   load-balance: false # Should be enabled for DB cluster

diff --git a/cmd/config/samples/sidecar.yaml b/cmd/config/samples/sidecar.yaml
@@ -6,10 +6,10 @@ server:
   endpoint: :4001
   tls:
     mode: mtls
-    cert-path: /server-certs/public-key
-    key-path: /server-certs/private-key
+    cert-path: /server-certs/public-key.crt
+    key-path: /server-certs/private-key.key
     ca-cert-paths:
-      - /server-certs/ca-certificate
+      - /server-certs/ca-certificate.crt
   keep-alive:
     params:
       time: 300s
@@ -40,10 +40,10 @@ committer:
   endpoint: coordinator:9001
   tls:
     mode: mtls
-    cert-path: /client-certs/public-key
-    key-path: /client-certs/private-key
+    cert-path: /client-certs/public-key.crt
+    key-path: /client-certs/private-key.key
     ca-cert-paths:
-      - /client-certs/ca-certificate
+      - /client-certs/ca-certificate.crt
 ledger:
   path: /root/sc/ledger
 notification:

diff --git a/cmd/config/samples/vc.yaml b/cmd/config/samples/vc.yaml
@@ -8,11 +8,10 @@ server:
   endpoint: :6001
   tls:
     mode: mtls
-    cert-path: /server-certs/public-key
-    key-path: /server-certs/private-key
+    cert-path: /server-certs/public-key.crt
+    key-path: /server-certs/private-key.key
     ca-cert-paths:
-      - /server-certs/ca-certificate
-  # Credentials for the server
+      - /server-certs/ca-certificate.crt
 monitoring:
   server:
     endpoint: :2116
@@ -23,6 +22,9 @@ database:
   # TODO: pass password via environment variable
   password: "yugabyte" # The password for the database
   database: "yugabyte" # The database name
+  tls:
+    activate: true
+    ca-cert-path: /server-certs/ca-certificate.crt
   max-connections: 10 # The maximum size of the connection pool
   min-connections: 5 # The minimum size of the connection pool.
   load-balance: false # Should be enabled for DB cluster.

diff --git a/cmd/config/samples/verifier.yaml b/cmd/config/samples/verifier.yaml
@@ -6,10 +6,10 @@ server:
   endpoint: :5001
   tls:
     mode: mtls
-    cert-path: /server-certs/public-key
-    key-path: /server-certs/private-key
+    cert-path: /server-certs/public-key.crt
+    key-path: /server-certs/private-key.key
     ca-cert-paths:
-      - /server-certs/ca-certificate
+      - /server-certs/ca-certificate.crt
 monitoring:
   server:
     endpoint: :2115

diff --git a/cmd/config/templates/query.yaml b/cmd/config/templates/query.yaml
@@ -24,9 +24,12 @@ database:
     {{- end }}
   username: "yugabyte"
   # TODO: pass password via environment variable
-  password: "yugabyte"
+  password: {{ .DB.Password }}
   database: {{ .DB.Name }}
   load-balance: {{ .DB.LoadBalance }}
+  tls:
+    activate: {{ .DB.TLS.Activate }}
+    ca-cert-path: {{ .DB.TLS.CACertPath }}
   max-connections: 10
   min-connections: 5
   retry:

diff --git a/cmd/config/templates/vc.yaml b/cmd/config/templates/vc.yaml
@@ -23,9 +23,12 @@ database:
     {{- end }}
   username: "yugabyte"
   # TODO: pass password via environment variable
-  password: "yugabyte"
+  password: {{ .DB.Password }}
   database: {{ .DB.Name }}
   load-balance: {{ .DB.LoadBalance }}
+  tls:
+    activate: {{ .DB.TLS.Activate }}
+    ca-cert-path: {{ .DB.TLS.CACertPath }}
   max-connections: 10
   min-connections: 5
   retry:

diff --git a/docker/images/test_node/Dockerfile b/docker/images/test_node/Dockerfile
@@ -35,6 +35,10 @@ ENV SC_SIDECAR_COMMITTER_TLS_MODE="none"
 ENV SC_VC_SERVER_TLS_MODE="none"
 ENV SC_VERIFIER_SERVER_TLS_MODE="none"
 
+# Disable TLS usage for db.
+ENV SC_VC_DATABASE_TLS_ACTIVATE=false
+ENV SC_QUERY_DATABASE_TLS_ACTIVATE=false
+
 COPY ${ARCHBIN_PATH}/${TARGETOS}-${TARGETARCH}/* ${BINS_PATH}/
 COPY ./docker/images/test_node/run ${BINS_PATH}/
 COPY ./cmd/config/samples $CONFIGS_PATH

diff --git a/docker/test/common.go b/docker/test/common.go
@@ -134,7 +134,7 @@ func getContainerMappedHostPort(
 	info, err := createDockerClient(t).ContainerInspect(ctx, containerName)
 	require.NoError(t, err)
 	require.NotNil(t, info)
-	portKey := nat.Port(fmt.Sprintf("%s/%s", containerPort, "tcp"))
+	portKey := nat.Port(fmt.Sprintf("%s/tcp", containerPort))
 	bindings, ok := info.NetworkSettings.Ports[portKey]
 	require.True(t, ok)
 	require.NotEmpty(t, bindings)