-
Notifications
You must be signed in to change notification settings - Fork 139
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add TLS support for CTLog #1718
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1718 +/- ##
==========================================
- Coverage 57.93% 50.21% -7.72%
==========================================
Files 50 70 +20
Lines 3119 4150 +1031
==========================================
+ Hits 1807 2084 +277
- Misses 1154 1837 +683
- Partials 158 229 +71 ☔ View full report in Codecov by Sentry. |
Hey @fghanmi, sorry for the delay! Is there anything from sigstore/rekor#2164 that we should pull into this PR so this is in sync? Other question, is there any place we can add minimal tests? |
cmd/app/serve.go
Outdated
@@ -108,6 +109,7 @@ func newServeCmd() *cobra.Command { | |||
cmd.Flags().String("grpc-tls-certificate", "", "the certificate file to use for secure connections - only applies to grpc-port") | |||
cmd.Flags().String("grpc-tls-key", "", "the private key file to use for secure connections (without passphrase) - only applies to grpc-port") | |||
cmd.Flags().Duration("idle-connection-timeout", 30*time.Second, "The time allowed for connections (HTTP or gRPC) to go idle before being closed by the server") | |||
cmd.Flags().String("tls-ca-cert", "", "Path to TLS CA certificate") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should either scope this cmd line arg and/or update the help text to note that this only applies for connections to the ctlog
|
@fghanmi Hm, I didn't get such an error, I ran |
I had permissions issues on my host.. it's working fine now. One more thing, I've noticed that ct_log server is not properly serving TLS when it's enabled. I've opened a small fix PR on certificate-transparency-go and when it's merged, I'll resume tests on this PR. |
Sounds good, just ping this thread once you’ve tested it. |
@haydentherapper, the update on certificate-transparency-go has been merged and I've tests the TLS communication between Fulcio and ct_server and it works fine now. Inside Fulcio pod:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Can you resolve the conflict as well?
Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
* Add TLS support for CTLog Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> * update tls-ca-cert cmd line Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> * updates Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> * update TLS certificates Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> * fix conflicts, add keys generation commands Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> --------- Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
Add TLS support for CTLog (sigstore#1718)
Summary
This pull request introduces support for enabling TLS in communications with CTLog. By adding a new command-line flag
--tls-ca-cert
and implementing the necessary logic to handle CTLog certificates verification , this update enhances security.Release Note
--tls-ca-cert
to specify the CA certificate file path for secure connections.--tls-ca-cert
flag is not provided, the system will default to insecure connections.Resolves issue: #1717
Documentation