updates

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
sigstore · Jul 29, 2024 · ede6d28 · ede6d28
1 parent ece1d48
commit ede6d28
Show file tree

Hide file tree

Showing 5 changed files with 119 additions and 2 deletions.
diff --git a/cmd/app/serve.go b/cmd/app/serve.go
@@ -276,7 +276,7 @@ func runServeCmd(cmd *cobra.Command, args []string) { //nolint: revive
 			opts.PublicKey = string(pemPubKey)
 		}
 		var httpClient *http.Client
-		if tlsCaCertPath := viper.GetString("tls-ca-cert"); tlsCaCertPath != "" {
+		if tlsCaCertPath := viper.GetString("ct-log.tls-ca-cert"); tlsCaCertPath != "" {
 			tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCaCertPath))
 			if err != nil {
 				log.Logger.Fatal(err)

diff --git a/config/tls/ca.crt b/config/tls/ca.crt
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFAzCCAuugAwIBAgIUHVoudGeot0qmjmziA9njcOFXGGMwDQYJKoZIhvcNAQEL
+BQAwEDEOMAwGA1UEAwwFTXkgQ0EwIBcNMjQwNzI0MjA0MDQ0WhgPMjEyNDA2MzAy
+MDQwNDRaMBAxDjAMBgNVBAMMBU15IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEAjuXxEhzC0K3w4gRDvldrI3NZSGiMFWWaghIqcjZe2cE6GnR428BG
+Mdz30kzJ0XCFcpJzECYMUAS6odwH0ZeNh9YLhTn1Hn/R/pGO1gML5+3NSH76kHMT
+mlYcn2qawXqY55iyERiPW/iamBMtTIRXQgKo0/JVThrGCsErwat117XDEE385uqS
+06rqK9aWGlvk/9SSqb1LKy1gjRnQtnQWDNwIgAt9Or0AO+thAkYqY/6+fJj5z5XK
+35E12PHd+XP9AKGu8Xcu3RUcIq0jOnZT23kycLrdLjaQKvt0sU/5u808qe2+YIe/
+ldwJCGr5SZXqKv5/Zv6giM1xNkv+RsLRaIEYlHD3CTn8qgESIImYnIuiwOa3n04q
+ZGsaG6155p0pJuvXhZegXpvGnQ7Ku+Tx8mbAwoPHWBVBESz5pS8fIRZ5zgy/p/ZI
+cz3Rgg6JXCGIe5o3y2TzlpeL0V5rgaqaQz0GLIXnrkjyGhxfK65H9fAPinZDVS4o
+qGCnMfYqJwyf+oLLPZGz1CYCA5jemSugGRgm45O0UtMvzIomRhnmZVEalA/+qDhn
+zFBOfPoY1jqHW9mWNeXOW4cpW+kQw3Chqy6TQ4hA6OADd5rXlkSKs05uW+UujWZf
+DwupgaRG9cWj0uqoTmbgqxPqAoXW+NJmIQJVXVgxe9f+87ZgGRonFUUCAwEAAaNT
+MFEwHQYDVR0OBBYEFGq8SuCoNKy7BGjUanonufX2Z7p5MB8GA1UdIwQYMBaAFGq8
+SuCoNKy7BGjUanonufX2Z7p5MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggIBABb3C7izkhKirLU9hXLdqwqkc9pUteBCYni+OjIqO8793unF6fP/Q32+
+rmLWpSHJ2t0CwsUQI5b5UZCPlv9MjyMi8QsnkZNcQnENoIgv8COB+PGEM6okhH3U
+MInp+KqIekhi92QeoMxdbdzAp6e2MYW6UKgnuJU6y8oKmoJsBICLYY0H8z5dBPd0
+fdnE0AKdWGkZ99w7qvlN3dvLe9//aNg5qtxGokNsvBxtdoj7KXiPYlaz5bazl2p3
+dlboojhidLqIejzPzH0Q7gGWgAOvwRD3vFznwuoi6J596JvTzi0Wx14mBKibyeHs
+vQIndFeOVGIsLC2kK5JEW7rAPcyzRkTh7Qj3vAfvAbsDuSS7Kc8ULV8NRfxBb2lS
+QVKNHKfNDCjZ1XmsE7BWSpCF/mCEtBKuRGwtGI8dtmgxwmq4p1w8WwanrEQdtZP/
+C00my+QEnm6CxBSKEJWjkU32jP9NQb7Cnz+/iUVAQX3iZgPQ3+sF4JxyEyoxkMm3
+U/Hy4lF3D9cGH1C8ZkJuhJDimezAjO8wO1I/XKbODpzG5bbm5feIW42If0eirT90
+doBF6QrHi6lOGpLAaWc6eCtSm7HuxkJvfX0vjoefieIrLETSkq/yHzbYvToDGl0F
+iOwjfiayctH3YP+GxvOD+Q6kQP20xEG09MYgQtJIKiT0F3x0sDEs
+-----END CERTIFICATE-----
diff --git a/config/tls/tls.crt b/config/tls/tls.crt
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFRzCCAy+gAwIBAgIUUwaiANUP/pPFrbAsRqRltYFlZzUwDQYJKoZIhvcNAQEL
+BQAwEDEOMAwGA1UEAwwFTXkgQ0EwHhcNMjQwNzI0MjA0MTIzWhcNMjQwOTIyMjA0
+MTIzWjA7MQ8wDQYDVQQLDAZTZXJ2ZXIxCjAIBgNVBAMMASoxHDAaBgkqhkiG9w0B
+CQEWDXRsc0BnbWFpbC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+AQCbvz8gzLIYAN8PXk4kPajOVQrYbRV6SzKC0ehGd+iTTe4/Srwl2sSHE0Zlb88R
+maVyNtam/JfD8fYMjnHHyh0NyvM0jvUs0UgS0IiOoW9s7IgvJoI9yzWXXg7kX4Yw
+ZOrf13FokKQqvKy8YrpEVmmw38TGNfgCwiKnWsrNqS4jICUT/rh6VHGuAVK44Uf4
+3rX6dIE/0VuHnfefdRyHvgExs7BZOZdF8/XOFXNIlrRRIjgRldtR1AQahvzUgst7
+jMWiu+f+M5XlU5DIImMGpK198HS7rnCAjiHOdMEbpdBEqXeDU1qQu11D4iYIOPzQ
+AlEnYzXd0ynSXzRtJ9sLjfZIAGpA72u1ernLNh4k7/OwOeX6seDLYahkaNStxSip
+YmHEmReIBeq+u84YZ1K5LwJioLFI0MJdvBu7fnYV5o2Tu03M47n2RRnizX/nWwqD
+S4Mha3OPvQg2lwcO/o3zLJQ4Rf0lKeuZllQ6f7FfdjQIJW3PbQk1XTIDc94og+Cy
+z/OdRY4TuaHU+GeZCTjKyYieFl2q8vmIZQh7GHayOVNh7ts41I3bYt7QwKzMqBcR
+tzi8zjWVpB2fTkMogr4TFDtTUfJosWVnmY3YlQmAMRXqYSbVehrkQM/hi0XxDPn0
+hNZlJyg2jdQl4WiCEsCK3bglniLcCL7xL61FI03MB5IBzwIDAQABo24wbDAqBgNV
+HREEIzAhggEqghZodHRwczovL2N0X3NlcnZlcjo2OTYyhwQAAAAAMB0GA1UdDgQW
+BBTIrMR1pR30/uPPz0VHIIsj1lmCSTAfBgNVHSMEGDAWgBRqvErgqDSsuwRo1Gp6
+J7n19me6eTANBgkqhkiG9w0BAQsFAAOCAgEAF6EKMKUC/LegXLFsCxY0c5hzd2Vf
+TO0Si3/Y0lJ00zdGHgyTXCxqTXGutHYyEX9QF2+yg2WVQu7NzTpc/7tpa7FroJpo
+Wc0ll6rGuhWaLv8EYJ33sHJBU3yyU9mKUQVgdk4PJAsTu5RlkQy7gdjNUOwjPCwI
+2U/r01UfIHihbScPE3eIu5cvk39LESJEUmWixoOievUYmdZ/R0hSzwFv2XXo2HBj
++2qSnOq/O2AvltX2c2zVuoRxR9qa6TfznskP6mmXEcxwIUJV86EgnJthVVHQfWUC
+V9o9TTfBwhfKtJ7oH6C3t8dZJqjXtXFt/mzI0tZdqEN6Ozlc7zNB72mpW5pNlY3J
+1BMGEDdJesyWTG9nKzg8AjW2mbTaHKJBk72/RnRhgoV5yOY/kPcYBf83jyzbuafr
+KJBmUewPdf/T3/QSlDMaX+6rKSNNLgKgQwAlOdd+eaWdcZlT2UTJTSGJv3aANBEy
+2Ajv2ZzLcw24uAZEIFJKh8jswtkCMScvePlVlhgAY7SZMNvtO9HepQMtpwRD/jkv
+e7IRHhB7tEFUiTHmsVc7llIlJRsOewtsLjwacpfKkFWGpZQmyEy+Xxf/FkGQLyQ/
+KQJYFJ+uScq6Ae9RatWNTnhC6Ja75estMfL0SatrE1yGyZUTTGWdYohxYbiJYsgd
+bW3vUsnPEIFX0Fo=
+-----END CERTIFICATE-----
diff --git a/config/tls/tls.key b/config/tls/tls.key
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCbvz8gzLIYAN8P
+Xk4kPajOVQrYbRV6SzKC0ehGd+iTTe4/Srwl2sSHE0Zlb88RmaVyNtam/JfD8fYM
+jnHHyh0NyvM0jvUs0UgS0IiOoW9s7IgvJoI9yzWXXg7kX4YwZOrf13FokKQqvKy8
+YrpEVmmw38TGNfgCwiKnWsrNqS4jICUT/rh6VHGuAVK44Uf43rX6dIE/0VuHnfef
+dRyHvgExs7BZOZdF8/XOFXNIlrRRIjgRldtR1AQahvzUgst7jMWiu+f+M5XlU5DI
+ImMGpK198HS7rnCAjiHOdMEbpdBEqXeDU1qQu11D4iYIOPzQAlEnYzXd0ynSXzRt
+J9sLjfZIAGpA72u1ernLNh4k7/OwOeX6seDLYahkaNStxSipYmHEmReIBeq+u84Y
+Z1K5LwJioLFI0MJdvBu7fnYV5o2Tu03M47n2RRnizX/nWwqDS4Mha3OPvQg2lwcO
+/o3zLJQ4Rf0lKeuZllQ6f7FfdjQIJW3PbQk1XTIDc94og+Cyz/OdRY4TuaHU+GeZ
+CTjKyYieFl2q8vmIZQh7GHayOVNh7ts41I3bYt7QwKzMqBcRtzi8zjWVpB2fTkMo
+gr4TFDtTUfJosWVnmY3YlQmAMRXqYSbVehrkQM/hi0XxDPn0hNZlJyg2jdQl4WiC
+EsCK3bglniLcCL7xL61FI03MB5IBzwIDAQABAoICAD3UKVp7CIRw7BxswrauZ7Ip
+npmWjH01FwNKE1zOQ10fBeLIZ3Lbq0M4Sq0AOwLwrPZvgL1f71vRVW1cqxy2Rtxv
+4ibOTdSR7HvTnzKIMfTa3aFiNzgS0N6bb2wH4/yYQ4nDPHlXWmTA7A4JX4q7h0+5
+NaO+TwvBSAKKD5Kfg/pby3xplZCyr0J1sgJFJM5Ok42u7JSKJzzqYCBEXKQisNSr
+UenJ7BzQIZfDejWp5kGDRSDuDdgpQ8vIJNy0Y9VTaC4XTJzkm7AjgYmB5TAA9gLW
+D3FmabEPO6p7PSIdrFVltVVEJOLqDrdhMtn2zZ5CHTd2si6yopqqQuTGerXWkJsc
+OyAvgE01xLrr00Nu7eba7bkavDU7Dc2oCHJxSj45R/89J4g25lOHK/JfEv+XKmoF
+T+GKLkPCBwBG7CoB7u1CqkjXxZSMncHaqaby/3M5OIxWnXyQocJNV/HksHgSPrZj
+Ep8cDQ9x+9iCqE5bBmxJNOuBnlqcrCoATdruku0MlLHhl726vXSe+JAAgSJ/J/us
+JkX8ef//Gp9ibEvrGoh3bnqB5zUR8gRL7Nf46ywfdKKOd41XqLVJ/U8Af0CyfndB
+3wps7bEuN2MdtnKUPeBIWvbySewvJVOSIJNOXZ5S3wDx8bfrDrTzFi+tA1txUWLX
+o4O0SM6gDcDyiGpY+jmBAoIBAQDNsLeH8Sw6Y0KDz+Kf3efdkV3qGBUsLGPrA6ZL
+hrYSHZHnp5yskaru9YR1yqAJCqXws1lz/De8U8sH0qi9HU6umi2K/qx0wrs4PLY9
+dRLo1l/jIpbxhx/w8hM25nXvH3L2s08xAU0sZ7ufLYlvzpsWT2JwolGWs8xcHl4+
+Yt/RYHgSf22LNAQvFIZU/MjE/w9f2/YJyo/uSTQeGqkqbeGM3CBqzB3pbrgXzCUR
+anXDpFoDBeFyaspq38qwrHjcXhIbN8aAXyBg7xGqR4Y/9e7yCB1fb/Yfpe+iSMZR
+jRQsovbyyM7PPSmOCPB4Uxr9cuk/LnOEEf34jLreYplt4BMPAoIBAQDB11ZPam5t
+dCeSsFlB1XjtIEtXpcLrVPh5RQFbfyRtosMwGy0QczKVcZcNeQlzzMPiDCyu1FF3
+2P+WfDc/w/ls8EeBwlIRQoko0F27d8yx8iPjgzYxkYgC27bJkcZ6262bon1rBli+
+FH/B9GHzz6cO2eUYF55iqVOD3pOHY7aaEwwa9qWbHd/HKHAVE1mjN8BxCe0qwWkU
+FAWfQbX1M1aBWy+XfBrNd94JAp9TVvG1U3ul1/H+zpmMQGVtuIWCEudBeJils+ip
+kJW6Lu2+Ywjh9368cZ53bHRUxZP8+m8BfXTd2HHrxIOTHRqR9wqAKGJaHC1TEYrb
+TJKmW6CiVCVBAoIBAQCpB2/K5wXRdYBTkaJKfbDtA2iJ1wCPLGtv1a/yoOE+Qc6E
+79hwd8RgWqJfqgOZaoazJq98AOhMew99fj/sKQlfspN6hY5y5RO1Qy7/khXYAVMK
+9IHWOZSmDEh99SU1PELdOLz7KHai5xvn0yP+HWqVCud6Z+lkTpzBlrMb0WTcSsph
+aRY8LqLBjbxWWuUh/fhEbh3iLfPZfY62rnIVy/ZuKvb4zIRIMBRYegp8JWBhRc4y
+bcK2o8tzyDRou1MWxLdcZplZJNMW1V9O7zgDl7akbsa0hu1bVKF4WxWeLrFFfSYy
+nZJV+40Ki44RUzn6zVOf+Cw1fBOZDQ0Dc0NiZ6FBAoIBAGwJiAqFSHzqw2+nqGfg
+AiEv4a49LjGZz09P3ZzQdU5B7EYwr2I+wo+2mrkgn9sR4o9nt7PNlIaWxIVsQCLj
+KG7GUSSKWNFT4zyDPerRr53yVnxk0ly4PzVQnkUkYZpyPAXFf9+ZzvZKWJaSjdGl
+B/hoC57s8xMMSwbxlApe0hR3z0Rr+gtFkEbhS+8DNO+akECwhqZQ3C8bpbKInlDG
+x00btJ/axNmGGJOvCXwatmcY246omDErlzsrXRzVPlwsCwZbn8CjUGbJthnqNAns
+CrRfDB0dunPXV9Mzt/LE5f/Pm8ZV79C3W5owG3IFXa3mVELi94QX/+uQdyAPa61t
+9sECggEAMAgBQc/i923+jWpV6VFEKaEq27T6krgg2lnXN+6HLspWycCiCLbcMeGT
+wBIaCi05tbkv6h4/4CssND+3pvnPOnRpMKaBHvVhpaXPbsqGFsv8l9CbGZ8KAg8x
+T/0qa4BVb9CRmBcOMRSWMHo8EDza4ZoXwZm2e3z0o5+Qw3KScc9JL+RhfYTJEhpl
+U3sLpI4l6WydsQRnx2Yjo3JttFRgZUBfhr9fSkySx2VoOwr3F/5U/ggc0NjjNiGg
+jcQaWv6y/hmWYT+e+cmJut53Edkm7BQ/ysO4gNm5CItGBXRQ8P6i0dCrE2bOVNsd
+e9uMuhkyG/mPqX9db3CrBUy0kbq14Q==
+-----END PRIVATE KEY-----
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -26,7 +26,8 @@ services:
       "--port=5555",
       "--grpc-port=5554",
       "--ca=ephemeralca",
-      "--ct-log-url=http://ct_server:6962/test",
+      "--ct-log-url=https://ct_server:6962/test",
+      "--ct-log.tls-ca-cert=/config/tls/ca.crt",
       # Uncomment this for production logging
       # "--log_type=prod",
       ]
@@ -38,6 +39,7 @@ services:
     volumes:
       - ~/.config/gcloud:/root/.config/gcloud/:z # for GCP authentication
       - ${FULCIO_CONFIG:-./config/config.jsn}:/etc/fulcio-config/config.json:z
+      - ./config/tls:/config/tls:z
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:5555/healthz"]
       interval: 10s
@@ -79,10 +81,13 @@ services:
     image: gcr.io/trillian-opensource-ci/ctfe
     volumes:
       - ctfeConfig:/etc/config/:ro
+      - ./config/tls:/config/tls:z
     command: [
         "--log_config" ,"/etc/config/ct_server.cfg",
         "--log_rpc_server", "trillian-log-server:8096",
         "--http_endpoint", "0.0.0.0:6962",
+        "--tls_certificate", "/config/tls/tls.crt",
+        "--tls_key", "/config/tls/tls.key",
         "--alsologtostderr",
     ]
     restart: always # retry while ctfe_init is running