-
Notifications
You must be signed in to change notification settings - Fork 164
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add TLS support for Trillian server #2164
Conversation
a5bc1cc
to
6cdb8d3
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2164 +/- ##
===========================================
- Coverage 66.46% 43.23% -23.23%
===========================================
Files 92 188 +96
Lines 9258 19368 +10110
===========================================
+ Hits 6153 8374 +2221
- Misses 2359 10238 +7879
- Partials 746 756 +10
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
6cdb8d3
to
9818847
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
06ad4f3
to
b807792
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm minus lint issue, thanks for adding this!
9679d43
to
bc916fa
Compare
tests/tls/ca.crt
Outdated
@@ -0,0 +1,29 @@ | |||
-----BEGIN CERTIFICATE----- |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not Before: Jul 2 22:26:18 2024 GMT
Not After : Aug 31 22:26:18 2024 GMT
Can we either make this expire quite far out in the future or generate the cert ephemerally on each test run?
switch { | ||
case useSystemTrustStore: | ||
creds = credentials.NewTLS(&tls.Config{ | ||
ServerName: rpcServer, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's unlikely, but possible that rpcServer
will not simply be a hostname/IP address
or hostname:port
combination, as that string can be a value as defined by https://github.com/grpc/grpc/blob/master/doc/naming.md
bc916fa
to
bacd9af
Compare
@bobcallaway I see that the e2e tests are failing, are they all using ./docker-compose.yaml resources ? |
bacd9af
to
6df12e8
Compare
6df12e8
to
e665262
Compare
Regarding the build failure: CI / issue-872-e2e: |
no, that specific test is for a regression that was started at that back version. I'll need to take a closer look at the dependency structure of those various docker-compose files to better advise you. |
We can create another trillian server |
Let's do this for now; remove the test coverage from this PR and please open an issue on the repo to add back coverage later. |
Done. |
Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
faf01b7
to
4903305
Compare
Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
* Add TLS support for Trillian server Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> * update tls_ca_cert key name Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> --------- Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
* Add TLS support for Trillian server Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> * update tls_ca_cert key name Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> --------- Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
* Add TLS support for Trillian server Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> * update tls_ca_cert key name Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> --------- Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
#### Summary This pull request introduces support for enabling TLS in communications with the Trillian server. By adding a new command-line flag `--trillian_log_server.tls_ca_cert` and implementing the necessary logic to handle TLS certificates, this update enhances the security of Rekor. #### Release Note - Feature: Added support for TLS in communication with the Trillian server. - New Flag: - `--trillian_log_server.tls_ca_cert` to specify the CA certificate file path for secure connections. Resolves Issue: sigstore#2163 --------- Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
Summary
This pull request introduces support for enabling TLS in communications with the Trillian server. By adding a new command-line flag
--tls-ca-cert
and implementing the necessary logic to handle TLS certificates, this update enhances the security of Rekor.Release Note
Resolves Issue: #2163
Documentation