digital-asset · azure-pipelines · Dec 26, 2024
diff --git a/...anton/community/app-base/src/main/scala/com/digitalasset/canton/config/CantonConfig.scala b/...anton/community/app-base/src/main/scala/com/digitalasset/canton/config/CantonConfig.scala
@@ -716,6 +716,9 @@ object CantonConfig {
       deriveReader[LedgerApiKeepAliveServerConfig]
     lazy implicit val tlsServerConfigReader: ConfigReader[TlsServerConfig] =
       deriveReader[TlsServerConfig]
+    lazy implicit val tlsServerOnlyTrustFileConfigReader
+        : ConfigReader[TlsClientConfigOnlyTrustFile] =
+      deriveReader[TlsClientConfigOnlyTrustFile]
     lazy implicit val tlsClientConfigReader: ConfigReader[TlsClientConfig] =
       deriveReader[TlsClientConfig]
     lazy implicit val initBaseIdentityConfigReader: ConfigReader[InitConfigBase.Identity] =
@@ -764,6 +767,21 @@ object CantonConfig {
       deriveReader[ApiType.Grpc.type]
     lazy implicit val apiTypeConfigReader: ConfigReader[ApiType] = deriveReader[ApiType]
     lazy implicit val clientConfigReader: ConfigReader[ClientConfig] = deriveReader[ClientConfig]
+    lazy implicit val remoteConsoleSequencerClientConfigReader
+        : ConfigReader[SequencerApiClientConfig] =
+      deriveReader[SequencerApiClientConfig]
+        // Note that transformations are applied in reverse order,
+        // so we move the deprecated before deleting the parent path
+        .deprecateConfigPath(
+          DeprecatedConfigUtils.DeprecatedConfigPath[String](
+            "custom-trust-certificates",
+            since = "2.10.0",
+            dropPath = true,
+          )
+        )
+        .moveDeprecatedField("custom-trust-certificates.pem-file", Seq("tls.trust-collection-file"))
+        .moveDeprecatedField("transport-security", Seq("tls.enabled"))
+
     lazy implicit val remoteDomainConfigReader: ConfigReader[RemoteDomainConfig] =
       deriveReader[RemoteDomainConfig]
     lazy implicit val remoteParticipantConfigReader: ConfigReader[RemoteParticipantConfig] =
@@ -863,22 +881,6 @@ object CantonConfig {
       deriveReader[PackageMetadataViewConfig]
     lazy implicit val identityConfigReader: ConfigReader[TopologyConfig] =
       deriveReader[TopologyConfig]
-    lazy implicit val sequencerConnectionConfigCertificateFileReader
-        : ConfigReader[SequencerConnectionConfig.CertificateFile] =
-      deriveReader[SequencerConnectionConfig.CertificateFile]
-    lazy implicit val sequencerConnectionConfigCertificateStringReader
-        : ConfigReader[SequencerConnectionConfig.CertificateString] =
-      deriveReader[SequencerConnectionConfig.CertificateString]
-    lazy implicit val sequencerConnectionConfigCertificateConfigReader
-        : ConfigReader[SequencerConnectionConfig.CertificateConfig] =
-      deriveReader[SequencerConnectionConfig.CertificateConfig]
-    lazy implicit val sequencerConnectionConfigGrpcReader
-        : ConfigReader[SequencerConnectionConfig.Grpc] =
-      deriveReader[SequencerConnectionConfig.Grpc]
-    lazy implicit val sequencerConnectionConfigReader: ConfigReader[SequencerConnectionConfig] =
-      deriveReader[SequencerConnectionConfig]
-        // since the big majority of users will use GRPC, default to it so that they don't need to specify `type = grpc`
-        .orElse(ConfigReader[SequencerConnectionConfig.Grpc])
     lazy implicit val communitySequencerConfigDatabaseReader
         : ConfigReader[CommunitySequencerConfig.Database] =
       deriveReader[CommunitySequencerConfig.Database]
@@ -1126,6 +1128,9 @@ object CantonConfig {
       deriveWriter[TlsServerConfig]
     lazy implicit val tlsClientConfigWriter: ConfigWriter[TlsClientConfig] =
       deriveWriter[TlsClientConfig]
+    lazy implicit val tlsClientConfigWriterOnlyTrustFile
+        : ConfigWriter[TlsClientConfigOnlyTrustFile] =
+      deriveWriter[TlsClientConfigOnlyTrustFile]
     lazy implicit val initBaseIdentityConfigWriter: ConfigWriter[InitConfigBase.Identity] =
       deriveWriter[InitConfigBase.Identity]
     lazy implicit val initConfigWriter: ConfigWriter[InitConfig] = deriveWriter[InitConfig]
@@ -1166,6 +1171,9 @@ object CantonConfig {
     lazy implicit val communityCryptoWriter: ConfigWriter[CommunityCryptoConfig] =
       deriveWriter[CommunityCryptoConfig]
     lazy implicit val clientConfigWriter: ConfigWriter[ClientConfig] = deriveWriter[ClientConfig]
+    lazy implicit val remoteConsoleSequencerClientConfigWriter
+        : ConfigWriter[SequencerApiClientConfig] =
+      deriveWriter[SequencerApiClientConfig]
     lazy implicit val remoteDomainConfigWriter: ConfigWriter[RemoteDomainConfig] =
       deriveWriter[RemoteDomainConfig]
     lazy implicit val remoteParticipantConfigWriter: ConfigWriter[RemoteParticipantConfig] =
@@ -1272,20 +1280,6 @@ object CantonConfig {
       deriveWriter[PackageMetadataViewConfig]
     lazy implicit val identityConfigWriter: ConfigWriter[TopologyConfig] =
       deriveWriter[TopologyConfig]
-    lazy implicit val sequencerConnectionConfigCertificateFileWriter
-        : ConfigWriter[SequencerConnectionConfig.CertificateFile] =
-      deriveWriter[SequencerConnectionConfig.CertificateFile]
-    lazy implicit val sequencerConnectionConfigCertificateStringWriter
-        : ConfigWriter[SequencerConnectionConfig.CertificateString] =
-      confidentialWriter[SequencerConnectionConfig.CertificateString](_.copy(pemString = "****"))
-    lazy implicit val sequencerConnectionConfigCertificateConfigWriter
-        : ConfigWriter[SequencerConnectionConfig.CertificateConfig] =
-      deriveWriter[SequencerConnectionConfig.CertificateConfig]
-    lazy implicit val sequencerConnectionConfigGrpcWriter
-        : ConfigWriter[SequencerConnectionConfig.Grpc] =
-      deriveWriter[SequencerConnectionConfig.Grpc]
-    lazy implicit val sequencerConnectionConfigWriter: ConfigWriter[SequencerConnectionConfig] =
-      deriveWriter[SequencerConnectionConfig]
     lazy implicit val communitySequencerConfigDatabaseWriter
         : ConfigWriter[CommunitySequencerConfig.Database] =
       deriveWriter[CommunitySequencerConfig.Database]

diff --git a/...community/app-base/src/main/scala/com/digitalasset/canton/console/InstanceReference.scala b/...community/app-base/src/main/scala/com/digitalasset/canton/console/InstanceReference.scala
@@ -315,7 +315,7 @@ trait RemoteDomainReference extends DomainReference with GrpcRemoteInstanceRefer
     consoleEnvironment.environment.config.remoteDomainsByString(name)
 
   override def sequencerConnection: SequencerConnection =
-    config.publicApi.toConnection
+    config.publicApi.toGrpcSequencerConnection
       .fold(
         err => sys.error(s"Domain $name has invalid sequencer connection config: $err"),
         identity,
@@ -354,7 +354,7 @@ trait LocalDomainReference
     consoleEnvironment.environment.config.domainsByString(name)
 
   override def sequencerConnection: SequencerConnection =
-    config.sequencerConnectionConfig.toConnection
+    config.sequencerConnectionConfig.toGrpcSequencerConnection
       .fold(
         err => sys.error(s"Domain $name has invalid sequencer connection config: $err"),
         identity,
@@ -428,7 +428,7 @@ object ExternalLedgerApiClient {
     new ExternalLedgerApiClient(
       cc.address,
       cc.port,
-      cc.tls,
+      cc.tlsConfig,
       Some(token),
     )
   }

diff --git a/...n/community/app-base/src/main/scala/com/digitalasset/canton/environment/Environment.scala b/...n/community/app-base/src/main/scala/com/digitalasset/canton/environment/Environment.scala
@@ -297,7 +297,7 @@ trait Environment extends NamedLogging with AutoCloseable with NoTracing {
       .filter(_.config.topology.open)
     def toDomainConfig(domain: DomainNodeBootstrap): Either[StartupError, DomainConnectionConfig] =
       (for {
-        connection <- domain.config.sequencerConnectionConfig.toConnection
+        connection <- domain.config.sequencerConnectionConfig.toGrpcSequencerConnection
         name <- DomainAlias.create(domain.name.unwrap)
         sequencerConnections = SequencerConnections.single(connection)
       } yield DomainConnectionConfig(name, sequencerConnections)).leftMap(err =>

diff --git a/sdk/canton/community/app/src/pack/config/remote/domain.conf b/sdk/canton/community/app/src/pack/config/remote/domain.conf
@@ -5,12 +5,12 @@ include required("../tls/mtls-admin-api.conf")
 include required("../tls/tls-public-api.conf")
 canton {
   remote-domains.mydomain {
-    public-api = ${?_shared.public-api-client-tls}
     public-api {
       address = localhost
       address = ${?REMOTE_ADDRESS}
       port = 10018
       port = ${?PUBLIC_API_PORT}
+      tls = ${?_shared.public-api-client-tls}
     }
     admin-api {
       address = localhost

diff --git a/sdk/canton/community/app/src/pack/config/remote/sequencer.conf b/sdk/canton/community/app/src/pack/config/remote/sequencer.conf
@@ -5,12 +5,12 @@ include required("../tls/mtls-admin-api.conf")
 include required("../tls/tls-public-api.conf")
 canton {
   remote-sequencers.sequencer {
-    public-api = ${?_shared.public-api-client-tls}
     public-api {
       address = localhost
       address = ${?REMOTE_ADDRESS}
       port = 10038
       port = ${?PUBLIC_API_PORT}
+      tls = ${?_shared.public-api-client-tls}
     }
     admin-api {
       address = localhost

diff --git a/sdk/canton/community/app/src/pack/config/tls/tls-public-api.conf b/sdk/canton/community/app/src/pack/config/tls/tls-public-api.conf
@@ -7,8 +7,7 @@ _shared {
         private-key-file = ${?_TLS_CERT_LOCATION}"/public-api.pem"
     }
     public-api-client-tls {
-        transport-security = true
-        // The trust collection used to verify the server certificate. Used here because of the self-signed certs.
-        custom-trust-certificates.pem-file = ${?_TLS_CERT_LOCATION}"/root-ca.crt"
+      // The trust collection used to verify the server certificate. Used here because of the self-signed certs.
+      trust-collection-file = ${?_TLS_CERT_LOCATION}"/root-ca.crt"
     }
 }
diff --git a/sdk/canton/community/app/src/pack/examples/06-messaging/contact/daml.yaml b/sdk/canton/community/app/src/pack/examples/06-messaging/contact/daml.yaml
@@ -1,4 +1,4 @@
-sdk-version: 2.10.0-snapshot.20241216.13150.0.vc832cb4a
+sdk-version: 2.10.0-snapshot.20241217.13156.0.v1da3a35b
 sandbox-options: 
 - --wall-clock-time
 name: contact

diff --git a/sdk/canton/community/app/src/pack/examples/06-messaging/message/daml.yaml b/sdk/canton/community/app/src/pack/examples/06-messaging/message/daml.yaml
@@ -1,4 +1,4 @@
-sdk-version: 2.10.0-snapshot.20241216.13150.0.vc832cb4a
+sdk-version: 2.10.0-snapshot.20241217.13156.0.v1da3a35b
 sandbox-options: 
 - --wall-clock-time
 name: message

diff --git a/sdk/canton/community/app/src/test/resources/deprecated-configs/backwards-compatible.conf b/sdk/canton/community/app/src/test/resources/deprecated-configs/backwards-compatible.conf
@@ -40,3 +40,33 @@ canton {
     }
   }
 }
+
+// deprecated 'transport-security' and 'custom-trust-certificates.pem-file' fields
+// newly added 'tls.enabled' field (with default value 'true')
+canton.remote-domains.domain1 {
+  public-api {
+    address = localhost
+    port = 10038
+    transport-security = true
+    custom-trust-certificates.pem-file = "community/app/src/test/resources/deprecated-configs/backwards-compatible.conf"
+  }
+  admin-api {
+    address = localhost
+    port = 10039
+    tls = {
+      trust-collection-file = "community/app/src/test/resources/deprecated-configs/backwards-compatible.conf"
+    }
+  }
+}
+
+// Negative example for newly added 'tls.enabled' field (with default value 'true')
+canton.remote-domains.domain2 {
+  public-api {
+    address = localhost
+    port = 10038
+  }
+  admin-api {
+    address = localhost
+    port = 10039
+  }
+}
diff --git a/...ommunity/app/src/test/resources/deprecated-configs/new-config-fields-take-precedence.conf b/...ommunity/app/src/test/resources/deprecated-configs/new-config-fields-take-precedence.conf
@@ -56,3 +56,33 @@ canton {
     domain2.domain-parameters.unique-contract-keys = false
   }
 }
+
+// deprecated 'transport-security' and 'custom-trust-certificates.pem-file' fields
+// newly added 'tls.enabled' field (with default value 'true')
+canton.remote-domains.domain1 {
+  public-api {
+    address = localhost
+    port = 10038
+    transport-security = true
+    custom-trust-certificates.pem-file = "community/app/src/test/resources/deprecated-configs/new-config-fields-take-precedence.conf"
+  }
+  admin-api {
+    address = localhost
+    port = 10039
+    tls = {
+      trust-collection-file = "community/app/src/test/resources/deprecated-configs/new-config-fields-take-precedence.conf"
+    }
+  }
+}
+
+// Negative example for newly added 'tls.enabled' field (with default value 'true')
+canton.remote-domains.domain2 {
+  public-api {
+    address = localhost
+    port = 10038
+  }
+  admin-api {
+    address = localhost
+    port = 10039
+  }
+}
diff --git a/...mmunity/app/src/test/scala/com/digitalasset/canton/config/CantonCommunityConfigTest.scala b/...mmunity/app/src/test/scala/com/digitalasset/canton/config/CantonCommunityConfigTest.scala
@@ -104,6 +104,17 @@ class CantonCommunityConfigTest extends AnyWordSpec with BaseTest {
 
       domain1Parameters.uniqueContractKeys shouldBe false
       domain2parameters.uniqueContractKeys shouldBe true
+
+      // test deprecated field 'custom-trust-certificates'
+      val remoteDomain1 = config.remoteDomains.get(InstanceName.tryCreate("domain1")).value
+      remoteDomain1.publicApi.tlsConfig.flatMap(_.trustCollectionFile).isDefined shouldBe true
+
+      // test newly added tls.enabled field
+      remoteDomain1.adminApi.tlsConfig.isDefined shouldBe true
+      remoteDomain1.adminApi.tlsConfig.value.enabled shouldBe true
+      val remoteDomain2 = config.remoteDomains.get(InstanceName.tryCreate("domain2")).value
+      remoteDomain2.adminApi.tlsConfig.isDefined shouldBe false
+      remoteDomain2.publicApi.tlsConfig.isDefined shouldBe false
     }
 
     // In this test case, both deprecated and new fields are set with opposite values, we make sure the new fields

diff --git a/...munity/base/src/main/scala/com/digitalasset/canton/config/SequencerConnectionConfig.scala b/...munity/base/src/main/scala/com/digitalasset/canton/config/SequencerConnectionConfig.scala