Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add TLS support for Trillian server #2164

Merged
merged 2 commits into from
Jul 23, 2024

Conversation

fghanmi
Copy link
Contributor

@fghanmi fghanmi commented Jun 30, 2024

Summary

This pull request introduces support for enabling TLS in communications with the Trillian server. By adding a new command-line flag --tls-ca-cert and implementing the necessary logic to handle TLS certificates, this update enhances the security of Rekor.

Release Note

  • Feature: Added support for TLS in communication with the Trillian server.
  • New Flag: --tls-ca-cert to specify the CA certificate file path for secure connections.
  • Behavior: If the --tls-ca-cert flag is not provided, the system will default to insecure connections.
  • Security: This update significantly enhances the security of data in transit by enabling TLS.

Resolves Issue: #2163

Documentation

@fghanmi fghanmi requested a review from a team as a code owner June 30, 2024 20:32
Copy link

codecov bot commented Jul 1, 2024

Codecov Report

Attention: Patch coverage is 8.00000% with 23 lines in your changes missing coverage. Please review.

Project coverage is 43.23%. Comparing base (488eb97) to head (c1f5a69).
Report is 166 commits behind head on main.

Files Patch % Lines
pkg/api/api.go 0.00% 23 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##             main    #2164       +/-   ##
===========================================
- Coverage   66.46%   43.23%   -23.23%     
===========================================
  Files          92      188       +96     
  Lines        9258    19368    +10110     
===========================================
+ Hits         6153     8374     +2221     
- Misses       2359    10238     +7879     
- Partials      746      756       +10     
Flag Coverage Δ
e2etests ?
unittests 43.23% <8.00%> (-4.45%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

cpanato
cpanato previously approved these changes Jul 2, 2024
Copy link
Member

@cpanato cpanato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

cmd/rekor-server/app/root.go Outdated Show resolved Hide resolved
pkg/api/api.go Outdated Show resolved Hide resolved
@cpanato cpanato self-requested a review July 2, 2024 13:58
@fghanmi fghanmi force-pushed the TrillianTLSSupport branch 2 times, most recently from 06ad4f3 to b807792 Compare July 2, 2024 15:49
@fghanmi fghanmi requested a review from bobcallaway July 2, 2024 15:53
Copy link
Member

@bobcallaway bobcallaway left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm minus lint issue, thanks for adding this!

cmd/rekor-server/app/root.go Outdated Show resolved Hide resolved
@fghanmi fghanmi force-pushed the TrillianTLSSupport branch 4 times, most recently from 9679d43 to bc916fa Compare July 2, 2024 22:29
@fghanmi fghanmi requested a review from bobcallaway July 3, 2024 06:44
tests/tls/ca.crt Outdated
@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

            Not Before: Jul  2 22:26:18 2024 GMT
            Not After : Aug 31 22:26:18 2024 GMT

Can we either make this expire quite far out in the future or generate the cert ephemerally on each test run?

switch {
case useSystemTrustStore:
creds = credentials.NewTLS(&tls.Config{
ServerName: rpcServer,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's unlikely, but possible that rpcServer will not simply be a hostname/IP address or hostname:port combination, as that string can be a value as defined by https://github.com/grpc/grpc/blob/master/doc/naming.md

pkg/api/api.go Outdated Show resolved Hide resolved
@fghanmi
Copy link
Contributor Author

fghanmi commented Jul 3, 2024

@bobcallaway I see that the e2e tests are failing, are they all using ./docker-compose.yaml resources ?
Meaning, should I enable TLS on all the /docker-compose*.yaml files ? ( since the trillian logserver in docker-compose.yaml is TLS enabled)

@fghanmi
Copy link
Contributor Author

fghanmi commented Jul 3, 2024

Regarding the build failure: CI / issue-872-e2e:
The script is using an old rekor-server image https://github.com/sigstore/rekor/blob/main/tests/issue-872-e2e-test.sh#L71
that does not have the new tag --tls_ca_cert and thus, it fails.
@bobcallaway is it possible to use an image with the new updates ?

@bobcallaway
Copy link
Member

Regarding the build failure: CI / issue-872-e2e: The script is using an old rekor-server image https://github.com/sigstore/rekor/blob/main/tests/issue-872-e2e-test.sh#L71 that does not have the new tag --tls_ca_cert and thus, it fails. @bobcallaway is it possible to use an image with the new updates ?

no, that specific test is for a regression that was started at that back version.

I'll need to take a closer look at the dependency structure of those various docker-compose files to better advise you.

@fghanmi
Copy link
Contributor Author

fghanmi commented Jul 7, 2024

Regarding the build failure: CI / issue-872-e2e: The script is using an old rekor-server image https://github.com/sigstore/rekor/blob/main/tests/issue-872-e2e-test.sh#L71 that does not have the new tag --tls_ca_cert and thus, it fails. @bobcallaway is it possible to use an image with the new updates ?

no, that specific test is for a regression that was started at that back version.

I'll need to take a closer look at the dependency structure of those various docker-compose files to better advise you.

We can create another trillian server trillian-log-server-no-tls and use it as the trillian server for the rekor-server-issue-872-v060 that uses an older image. (I've tested it)
What do you think ?

@bobcallaway
Copy link
Member

Let's do this for now; remove the test coverage from this PR and please open an issue on the repo to add back coverage later.

@fghanmi
Copy link
Contributor Author

fghanmi commented Jul 23, 2024

Let's do this for now; remove the test coverage from this PR and please open an issue on the repo to add back coverage later.

Done.
Issue created: #2188

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
@bobcallaway bobcallaway enabled auto-merge (squash) July 23, 2024 21:06
@bobcallaway bobcallaway merged commit 5e502df into sigstore:main Jul 23, 2024
15 checks passed
@github-actions github-actions bot added this to the v1.2.2 milestone Jul 23, 2024
fghanmi added a commit to securesign/rekor that referenced this pull request Aug 3, 2024
* Add TLS support for Trillian server

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>

* update tls_ca_cert key name

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>

---------

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
fghanmi added a commit to securesign/rekor that referenced this pull request Aug 13, 2024
* Add TLS support for Trillian server

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>

* update tls_ca_cert key name

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>

---------

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
fghanmi added a commit to securesign/rekor that referenced this pull request Aug 14, 2024
* Add TLS support for Trillian server

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>

* update tls_ca_cert key name

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>

---------

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
JasonPowr pushed a commit to securesign/rekor that referenced this pull request Aug 21, 2024
#### Summary
This pull request introduces support for enabling TLS in communications
with the Trillian server. By adding a new command-line flag
`--trillian_log_server.tls_ca_cert` and implementing the necessary logic
to handle TLS certificates, this update enhances the security of Rekor.


#### Release Note

- Feature: Added support for TLS in communication with the Trillian
server.
- New Flag: 
- `--trillian_log_server.tls_ca_cert` to specify the CA certificate file
path for secure connections.
 
Resolves Issue: sigstore#2163

---------

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants