diff --git a/cmd/rekor-server/app/root.go b/cmd/rekor-server/app/root.go
index cebc28d2a..11c0db39b 100644
--- a/cmd/rekor-server/app/root.go
+++ b/cmd/rekor-server/app/root.go
@@ -117,6 +117,7 @@ Memory and file-based signers should only be used for testing.`)
 rootCmd.PersistentFlags().String("redis_server.password", "", "Redis server password")
 rootCmd.PersistentFlags().Bool("redis_server.enable-tls", false, "Whether to enable TLS verification when connecting to Redis endpoint")
 rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification when connecting to Redis endpoint, only applicable when 'redis_server.enable-tls' is set to 'true'")
+ rootCmd.PersistentFlags().String("tls-ca-cert", "", "Certificate file to use for secure connections with Trillian server")
 rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage")
 rootCmd.PersistentFlags().String("attestation_storage_bucket", "", "url for attestation storage bucket")
diff --git a/pkg/api/api.go b/pkg/api/api.go
index aba59b25e..ef3dedf0d 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -22,12 +22,15 @@ import (
 "crypto/x509"
 "encoding/hex"
 "fmt"
+ "os"
+ "path/filepath"
 "github.com/google/trillian"
 "github.com/redis/go-redis/v9"
 "github.com/spf13/viper"
 "golang.org/x/exp/slices"
 "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
 "google.golang.org/grpc/credentials/insecure"
 "github.com/sigstore/rekor/pkg/indexstorage"
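Review bot: The new flag `tls-ca-cert` carries no subsystem prefix, while every neighbouring flag in this hunk is namespaced to what it configures (`redis_server.password`, `redis_server.enable-tls`), so nothing in the name says it governs the Trillian connection; a Trillian-scoped name (e.g. `trillian_log_server.tls-ca-cert`, if that is the prefix the existing Trillian address flags use) would follow the file's convention. The help text also leaves the expected content implicit; `"PEM-encoded CA certificate file used to verify the Trillian server's TLS certificate"` tells operators what to supply and that the pool built from it in pkg/api/api.go contains only that CA, not the system roots. Whatever name is chosen must match the `viper.GetString("tls-ca-cert")` lookup in the other file of this change.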
@@ -47,7 +50,24 @@ import (
 func dial(rpcServer string) (*grpc.ClientConn, error) {
 // Set up and test connection to rpc server
- creds := insecure.NewCredentials()
+ var creds credentials.TransportCredentials
+ tlsCACertFile := viper.GetString("tls-ca-cert")
+ if tlsCACertFile == "" {
+ creds = insecure.NewCredentials()
+ } else {
+ tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCACertFile))
+ if err != nil {
+ log.Logger.Fatalf("Failed to load tls-ca-cert:", err)
+ }
+ certPool := x509.NewCertPool()
+ if !certPool.AppendCertsFromPEM(tlsCaCert) {
+ return nil, fmt.Errorf("failed to append CA certificate to pool")
+ }
+ creds = credentials.NewTLS(&tls.Config{
+ ServerName: rpcServer,
+ RootCAs: certPool,
+ })
+ }
 conn, err := grpc.NewClient(rpcServer, grpc.WithTransportCredentials(creds))
 if err != nil {
 log.Logger.Fatalf("Failed to connect to RPC server:", err)
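Review bot: `ServerName: rpcServer` is suspect because the same value is passed to grpc.NewClient as the dial target, and if it carries a port (as a gRPC target usually does) tls.Config.ServerName will never match the server certificate's SAN, so every TLS dial fails verification; leaving ServerName unset lets grpc-go derive the hostname from the target's authority, and `MinVersion: tls.VersionTLS12` belongs in the same literal. The read failure is handled with `log.Logger.Fatalf("Failed to load tls-ca-cert:", err)`, which has no format verb for err (go vet reports this) and exits the process, whereas the pool-append failure three lines later returns an error; prefer `return nil, fmt.Errorf("reading tls-ca-cert %q: %w", tlsCACertFile, err)` so dial surfaces both configuration errors the same way. The pre-existing `Fatalf("Failed to connect to RPC server:", err)` on the last context line has the same missing verb but is not part of this change, and the body of dial continues past the end of the hunk.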