enhance useTLS
fghanmi committed Sep 18, 2024
1 parent cab998c commit 25f265b
Showing 6 changed files with 91 additions and 19 deletions.
7 changes: 7 additions & 0 deletions internal/controller/ctlog/ctlog_controller_test.go
Expand Up @@ -32,6 +32,7 @@ import (

. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
rutils "github.com/securesign/operator/internal/controller/rekor/utils"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -82,6 +83,12 @@ var _ = Describe("CTlog controller", func() {
})

It("should successfully reconcile a custom resource for CTlog", func() {

By("mocking UseTrillianTLS")
rutils.MockUseTrillianTLS = func(ctx context.Context, serviceAddr string, tlsCACertFile string) (bool, error) {
return false, nil
}

By("creating the custom resource for the Kind CTlog")
err := k8sClient.Get(ctx, typeNamespaceName, instance)
if err != nil && errors.IsNotFound(err) {
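Review bot: The mock assigned inside the `It` block (`rutils.MockUseTrillianTLS = func(...)`) is a package-level variable that is never restored, so it stays set for every later spec in this package and makes the specs unsafe to run in parallel. Registering a cleanup right after the assignment keeps it scoped to this spec, e.g. `DeferCleanup(func() { rutils.MockUseTrillianTLS = nil })`. The same applies to the identical assignment of `utils2.MockUseTrillianTLS` in internal/controller/rekor/rekor_controller_test.go. The enclosing `Describe` closure starts before this hunk.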
17 changes: 12 additions & 5 deletions internal/controller/ctlog/utils/ctlog_deployment.go
Expand Up @@ -9,6 +9,7 @@ import (
"github.com/securesign/operator/api/v1alpha1"
"github.com/securesign/operator/internal/controller/common/utils"
"github.com/securesign/operator/internal/controller/constants"
rutils "github.com/securesign/operator/internal/controller/rekor/utils"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -124,12 +125,18 @@ func CreateDeployment(ctx context.Context, client client.Client, instance *v1alp
},
}

useTLS := UseTLS(instance)
// TLS communication to Trillian logserver
trillianSvc := fmt.Sprintf(instance.Spec.Trillian.Address+":%d", *instance.Spec.Trillian.Port)
caPath, err := CAPath(ctx, client, instance)
if err != nil {
return nil, errors.New("failed to get CA path: " + err.Error())
}

useTLS := false
if useTLS, err = rutils.UseTrillianTLS(ctx, trillianSvc, caPath); err != nil {
return nil, errors.New("failed to check TLS: " + err.Error())
}
if useTLS {
caPath, err := CAPath(ctx, client, instance)
if err != nil {
return nil, errors.New("failed to get CA path: " + err.Error())
}
dep.Spec.Template.Spec.Containers[0].Args = append(dep.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", caPath)
}

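Review bot: `fmt.Sprintf(instance.Spec.Trillian.Address+":%d", *instance.Spec.Trillian.Port)` feeds the user-supplied address into the format string, so any `%` in the address is interpreted as a verb and `go vet` flags the non-constant format; write it as `fmt.Sprintf("%s:%d", instance.Spec.Trillian.Address, *instance.Spec.Trillian.Port)`. The same construction appears in internal/controller/rekor/utils/rekor_deployment.go. Note also that `CAPath` is now called on every reconcile rather than only when TLS is in use, so if it returns an error when no CA is configured (its body is not visible here) a plain-text deployment would now fail to reconcile; worth confirming. The dereference of `instance.Spec.Trillian.Port` presumably relies on a defaulted value — if it can be nil this panics. `CreateDeployment` starts outside the hunk.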
1 change: 0 additions & 1 deletion internal/controller/rekor/actions/server/deployment.go
Expand Up @@ -73,7 +73,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor)
})
return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could create server Deployment: %w", err), instance)
}

if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil {
return i.Failed(fmt.Errorf("could not set controller reference for Deployment: %w", err))
}
7 changes: 7 additions & 0 deletions internal/controller/rekor/rekor_controller_test.go
Expand Up @@ -41,6 +41,7 @@ import (

. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
utils2 "github.com/securesign/operator/internal/controller/rekor/utils"
batchv1 "k8s.io/api/batch/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
Expand Down Expand Up @@ -96,6 +97,12 @@ var _ = Describe("Rekor controller", func() {
})

It("should successfully reconcile a custom resource for Rekor", func() {

By("mocking UseTrillianTLS")
utils2.MockUseTrillianTLS = func(ctx context.Context, serviceAddr string, tlsCACertFile string) (bool, error) {
return false, nil
}

By("creating the custom resource for the Kind Rekor")
err := k8sClient.Get(ctx, typeNamespaceName, instance)
if err != nil && errors.IsNotFound(err) {
17 changes: 11 additions & 6 deletions internal/controller/rekor/utils/rekor_deployment.go
Expand Up @@ -205,12 +205,17 @@ func CreateRekorDeployment(ctx context.Context, client client.Client, instance *
}

// TLS communication to Trillian logserver
if UseTLS(instance) {
caPath, err := CAPath(ctx, client, instance)
if err != nil {
return nil, errors.New("failed to get CA path: " + err.Error())
}
dep.Spec.Template.Spec.Containers[0].Args = append(dep.Spec.Template.Spec.Containers[0].Args, "--trillian_log_server.tls_ca_cert", caPath)
trillianSvc := fmt.Sprintf(instance.Spec.Trillian.Address+":%d", *instance.Spec.Trillian.Port)
caPath, err := CAPath(ctx, client, instance)
if err != nil {
return nil, errors.New("failed to get CA path: " + err.Error())
}
useTLS := false
if useTLS, err = UseTrillianTLS(ctx, trillianSvc, caPath); err != nil {
return nil, errors.New("failed to check TLS: " + err.Error())
}
if useTLS {
dep.Spec.Template.Spec.Containers[0].Args = append(dep.Spec.Template.Spec.Containers[0].Args, "--trillian_log_server.tls=true")
}

utils.SetProxyEnvs(dep)
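Review bot: The removed line passed `--trillian_log_server.tls_ca_cert caPath` to rekor-server, but the new branch only appends `--trillian_log_server.tls=true`, so `caPath` is now used solely for the probe in `UseTrillianTLS` and never reaches the container. Unless rekor-server trusts that CA by another route (e.g. a system trust store mounted into the pod, which I cannot see here), the probe will succeed with the CA while rekor-server's own connection fails verification. The ctlog counterpart in this commit does pass `--trillian_tls_ca_cert_file caPath`, so for consistency I would append both: `dep.Spec.Template.Spec.Containers[0].Args = append(dep.Spec.Template.Spec.Containers[0].Args, "--trillian_log_server.tls=true", "--trillian_log_server.tls_ca_cert", caPath)`. `CreateRekorDeployment` starts outside the hunk.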
61 changes: 54 additions & 7 deletions internal/controller/rekor/utils/tls.go
Expand Up @@ -2,24 +2,71 @@ package utils

import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"os"
"path/filepath"
"strings"
"time"

rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"sigs.k8s.io/controller-runtime/pkg/client"
)

func UseTLS(instance *rhtasv1alpha1.Rekor) bool {
// Mock used in tests
var MockUseTrillianTLS func(ctx context.Context, serviceAddr string, tlsCACertFile string) (bool, error)

if instance == nil {
return false
// checks if trillian-logserver service supports TLS
func UseTrillianTLS(ctx context.Context, serviceAddr string, tlsCACertFile string) (bool, error) {

if MockUseTrillianTLS != nil {
return MockUseTrillianTLS(ctx, serviceAddr, "")
}

if kubernetes.IsOpenShift() {
return true, nil
}

timeout := 5 * time.Second
ctx, cancel := context.WithTimeout(ctx, timeout)
defer cancel()

hostname := serviceAddr
if idx := strings.Index(serviceAddr, ":"); idx != -1 {
hostname = serviceAddr[:idx]
}

var creds credentials.TransportCredentials
if tlsCACertFile != "" {
tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCACertFile))
if err != nil {
return false, fmt.Errorf("failed to load tls ca cert: %v", err)
}
certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(tlsCaCert) {
return false, fmt.Errorf("failed to append CA certificate to pool")
}
creds = credentials.NewTLS(&tls.Config{
ServerName: hostname,
RootCAs: certPool,
MinVersion: tls.VersionTLS12,
})
}

conn, err := grpc.DialContext(ctx, serviceAddr, grpc.WithTransportCredentials(creds), grpc.WithBlock())
if err != nil {
fmt.Printf("gRPC service at %s is not TLS secured: %v\n", serviceAddr, err)
return false, nil
}
// TLS enabled on Trillian logserver
if instance.Spec.TrustedCA != nil || kubernetes.IsOpenShift() {
return true
if err := conn.Close(); err != nil {
return false, fmt.Errorf("failed to close connection: %v", err)
}

return false
return true, nil
}

func CAPath(ctx context.Context, cli client.Client, instance *rhtasv1alpha1.Rekor) (string, error) {
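Review bot: The dial-failure branch (`fmt.Printf(...); return false, nil`) cannot tell "the server speaks plain text" from "the server is not reachable yet", so a reconcile that runs before trillian-logserver is ready, or that hits the 5s deadline, silently configures the dependent deployment without TLS; because the decision is re-probed on each reconcile the result can also flip later. At minimum the deadline case should surface as an error so the reconcile is retried instead of producing a plain-text config, e.g. `if ctx.Err() != nil { return false, fmt.Errorf("probing %s for TLS: %w", serviceAddr, err) }` placed before the `return false, nil`, and the `fmt.Printf` should go through the controller's logger rather than stdout. When `tlsCACertFile` is empty, `creds` stays nil and is passed to `grpc.WithTransportCredentials`; as far as I recall grpc-go rejects a nil credential with `errNoTransportSecurity`, which would make the probe always report false outside OpenShift in that configuration — worth confirming. The mock path also drops its third argument (`MockUseTrillianTLS(ctx, serviceAddr, "")`), so tests can never observe the CA path; pass `tlsCACertFile` through.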