Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add TLS support for migrillian #1525

Merged
merged 1 commit into from
Jul 4, 2024
Merged

Add TLS support for migrillian #1525

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@

## HEAD

* Add TLS support for Trillian: By using `--trillian_tls_ca_cert_file` flag, users can provide a CA certificate, that is used to establish a secure communication with Trillian log server. In https://github.com/google/certificate-transparency-go/pull/1525

## v1.2.1

### Fixes
Expand Down
37 changes: 36 additions & 1 deletion trillian/migrillian/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,16 +18,20 @@ package main

import (
"context"
"crypto/tls"
"crypto/x509"
"errors"
"flag"
"fmt"
"net/http"
"os"
"path/filepath"
"strings"
"time"

clientv3 "go.etcd.io/etcd/client/v3"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
"k8s.io/klog/v2"

Expand Down Expand Up @@ -57,6 +61,7 @@ var (

maxIdleConnsPerHost = flag.Int("max_idle_conns_per_host", 10, "Max idle HTTP connections per host (0 = DefaultMaxIdleConnsPerHost)")
maxIdleConns = flag.Int("max_idle_conns", 100, "Max number of idle HTTP connections across all hosts (0 = unlimited)")
tlsCACertFile = flag.String("trillian_tls_ca_cert_file", "", "CA certificate file to use for secure connections with Trillian server")
)

func main() {
Expand All @@ -77,7 +82,11 @@ func main() {
}

klog.Infof("Dialling Trillian backend: %v", *backend)
conn, err := grpc.Dial(*backend, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithBlock())
creds, err := newTrillianTransportCredentialsFromFlags(*backend)
if err != nil {
klog.Exitf("Failed to get credentials: %v", err)
}
conn, err := grpc.Dial(*backend, grpc.WithTransportCredentials(creds), grpc.WithBlock())
if err != nil {
klog.Exitf("Could not dial Trillian server: %v: %v", *backend, err)
}
Expand Down Expand Up @@ -117,6 +126,32 @@ func main() {
core.RunMigration(cctx, ctrls)
}

// newTrillianTransportCredentialsFromFlags returns "creds" of type credentials.TransportCredentials to be
// passed as credentials arguments to grpc.WithTransportCredentials. It configures TLS credentials
// if a CA certificate file is specified, otherwise it uses insecure credentials.
func newTrillianTransportCredentialsFromFlags(backend string) (credentials.TransportCredentials, error) {
var creds credentials.TransportCredentials

fghanmi marked this conversation as resolved.
Show resolved Hide resolved
if len(*tlsCACertFile) > 0 {
tlsCaCert, err := os.ReadFile(filepath.Clean(*tlsCACertFile))
mhutchinson marked this conversation as resolved.
Show resolved Hide resolved
if err != nil {
return nil, err
}
certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(tlsCaCert) {
return nil, fmt.Errorf("failed to append CA certificate to pool")
}
creds = credentials.NewTLS(&tls.Config{
ServerName: backend,
RootCAs: certPool,
MinVersion: tls.VersionTLS12,
})
} else {
creds = insecure.NewCredentials()
}
return creds, nil
}

// getController creates a single log migration Controller.
func getController(
ctx context.Context,
Expand Down