Add TLS support for Trillian server

fghanmi · fghanmi · commit 6cdb8d3b572a · 2024-06-30T22:36:03.000+02:00
Signed-off-by: Firas Ghanmi &lt;fghanmi@redhat.com&gt;
diff --git a/cmd/rekor-server/app/root.go b/cmd/rekor-server/app/root.go
@@ -117,6 +117,7 @@ Memory and file-based signers should only be used for testing.`)
 	rootCmd.PersistentFlags().String("redis_server.password", "", "Redis server password")
 	rootCmd.PersistentFlags().Bool("redis_server.enable-tls", false, "Whether to enable TLS verification when connecting to Redis endpoint")
 	rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification when connecting to Redis endpoint, only applicable when 'redis_server.enable-tls' is set to 'true'")
+	rootCmd.PersistentFlags().String("tls-ca-cert", "", "Certificate file to use for secure connections with Trillian server")
 
 	rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage")
 	rootCmd.PersistentFlags().String("attestation_storage_bucket", "", "url for attestation storage bucket")
diff --git a/pkg/api/api.go b/pkg/api/api.go
@@ -22,12 +22,15 @@ import (
 	"crypto/x509"
 	"encoding/hex"
 	"fmt"
+	"os"
+	"path/filepath"
 
 	"github.com/google/trillian"
 	"github.com/redis/go-redis/v9"
 	"github.com/spf13/viper"
 	"golang.org/x/exp/slices"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 
 	"github.com/sigstore/rekor/pkg/indexstorage"
@@ -47,7 +50,24 @@ import (
 
 func dial(rpcServer string) (*grpc.ClientConn, error) {
 	// Set up and test connection to rpc server
-	creds := insecure.NewCredentials()
+	var creds credentials.TransportCredentials
+	tlsCACertFile := viper.GetString("tls-ca-cert")
+	if tlsCACertFile == "" {
+		creds = insecure.NewCredentials()
+	} else {
+		tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCACertFile))
+		if err != nil {
+			log.Logger.Fatalf("Failed to load tls-ca-cert:", err)
+		}
+		certPool := x509.NewCertPool()
+		if !certPool.AppendCertsFromPEM(tlsCaCert) {
+			return nil, fmt.Errorf("failed to append CA certificate to pool")
+		}
+		creds = credentials.NewTLS(&tls.Config{
+			ServerName: rpcServer,
+			RootCAs:    certPool,
+		})
+	}
 	conn, err := grpc.NewClient(rpcServer, grpc.WithTransportCredentials(creds))
 	if err != nil {
 		log.Logger.Fatalf("Failed to connect to RPC server:", err)
