
Commit 25f265b

committed
enhance useTLS
1 parent cab998c commit 25f265b


6 files changed

+91
-19
lines changed

6 files changed

+91
-19
lines changed

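--- a/internal/controller/ctlog/ctlog_controller_test.go
+++ b/internal/controller/ctlog/ctlog_controller_test.go
@@ -32,6 +32,7 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	rutils "github.com/securesign/operator/internal/controller/rekor/utils"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -82,6 +83,12 @@ var _ = Describe("CTlog controller", func() {
 	})
 
 	It("should successfully reconcile a custom resource for CTlog", func() {
+
+		By("mocking UseTrillianTLS")
+		rutils.MockUseTrillianTLS = func(ctx context.Context, serviceAddr string, tlsCACertFile string) (bool, error) {
+			return false, nil
+		}
+
 		By("creating the custom resource for the Kind CTlog")
 		err := k8sClient.Get(ctx, typeNamespaceName, instance)
 		if err != nil && errors.IsNotFound(err) {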
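Review bot: The package-level `rutils.MockUseTrillianTLS` assigned inside this It block is never cleared, so every spec that runs after it in the ctlog test package keeps seeing the stub, and any spec meant to exercise the real probe silently passes or fails depending on Ginkgo's spec order. Tie the reset to the spec's lifetime right after the assignment: `DeferCleanup(func() { rutils.MockUseTrillianTLS = nil })`. The stub also ignores its `tlsCACertFile` argument; a one-line comment such as `// CA path is irrelevant here: the stub always reports plaintext` would make that intent explicit. The It block continues past the end of this hunk.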

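--- a/internal/controller/ctlog/utils/ctlog_deployment.go
+++ b/internal/controller/ctlog/utils/ctlog_deployment.go
@@ -9,6 +9,7 @@ import (
 	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/common/utils"
 	"github.com/securesign/operator/internal/controller/constants"
+	rutils "github.com/securesign/operator/internal/controller/rekor/utils"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -124,12 +125,18 @@ func CreateDeployment(ctx context.Context, client client.Client, instance *v1alp
 		},
 	}
 
-	useTLS := UseTLS(instance)
+	// TLS communication to Trillian logserver
+	trillianSvc := fmt.Sprintf(instance.Spec.Trillian.Address+":%d", *instance.Spec.Trillian.Port)
+	caPath, err := CAPath(ctx, client, instance)
+	if err != nil {
+		return nil, errors.New("failed to get CA path: " + err.Error())
+	}
+
+	useTLS := false
+	if useTLS, err = rutils.UseTrillianTLS(ctx, trillianSvc, caPath); err != nil {
+		return nil, errors.New("failed to check TLS: " + err.Error())
+	}
 	if useTLS {
-		caPath, err := CAPath(ctx, client, instance)
-		if err != nil {
-			return nil, errors.New("failed to get CA path: " + err.Error())
-		}
 		dep.Spec.Template.Spec.Containers[0].Args = append(dep.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", caPath)
 	}
 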
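Review bot: `fmt.Sprintf(instance.Spec.Trillian.Address+":%d", ...)` uses the CR-supplied address as the format string, so a `%` in `Spec.Trillian.Address` is expanded as a verb and the mangled result is what the TLS probe dials; write it as `fmt.Sprintf("%s:%d", instance.Spec.Trillian.Address, *instance.Spec.Trillian.Port)` (or `net.JoinHostPort` with `strconv.Itoa`, which also handles IPv6 literals). `*instance.Spec.Trillian.Port` is dereferenced without a nil check, and whether the API defaults the port before this point is not visible from this section, so either guard it or add a comment naming where the default is applied. Be aware that this probe now runs inside CreateDeployment on every reconcile with a blocking dial (see the tls.go hunk), so an unreachable Trillian service stalls the reconcile for the full probe timeout. CreateDeployment starts before and ends after this hunk.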

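--- a/internal/controller/rekor/actions/server/deployment.go
+++ b/internal/controller/rekor/actions/server/deployment.go
@@ -73,7 +73,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor)
 		})
 		return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could create server Deployment: %w", err), instance)
 	}
-
 	if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil {
 		return i.Failed(fmt.Errorf("could not set controller reference for Deployment: %w", err))
 	}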

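--- a/internal/controller/rekor/rekor_controller_test.go
+++ b/internal/controller/rekor/rekor_controller_test.go
@@ -41,6 +41,7 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	utils2 "github.com/securesign/operator/internal/controller/rekor/utils"
 	batchv1 "k8s.io/api/batch/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -96,6 +97,12 @@ var _ = Describe("Rekor controller", func() {
 	})
 
 	It("should successfully reconcile a custom resource for Rekor", func() {
+
+		By("mocking UseTrillianTLS")
+		utils2.MockUseTrillianTLS = func(ctx context.Context, serviceAddr string, tlsCACertFile string) (bool, error) {
+			return false, nil
+		}
+
 		By("creating the custom resource for the Kind Rekor")
 		err := k8sClient.Get(ctx, typeNamespaceName, instance)
 		if err != nil && errors.IsNotFound(err) {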
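Review bot: Setting the package-level `utils2.MockUseTrillianTLS` here without restoring it leaks the stub into every later spec in the rekor test package, so test outcomes depend on spec ordering; add `DeferCleanup(func() { utils2.MockUseTrillianTLS = nil })` immediately after the assignment. The alias `utils2` is also out of step with the `rutils` name the ctlog test in this same commit uses for the same package; picking one keeps the two tests readable side by side. The It block continues past the end of this hunk.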

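--- a/internal/controller/rekor/utils/rekor_deployment.go
+++ b/internal/controller/rekor/utils/rekor_deployment.go
@@ -205,12 +205,17 @@ func CreateRekorDeployment(ctx context.Context, client client.Client, instance *
 	}
 
 	// TLS communication to Trillian logserver
-	if UseTLS(instance) {
-		caPath, err := CAPath(ctx, client, instance)
-		if err != nil {
-			return nil, errors.New("failed to get CA path: " + err.Error())
-		}
-		dep.Spec.Template.Spec.Containers[0].Args = append(dep.Spec.Template.Spec.Containers[0].Args, "--trillian_log_server.tls_ca_cert", caPath)
+	trillianSvc := fmt.Sprintf(instance.Spec.Trillian.Address+":%d", *instance.Spec.Trillian.Port)
+	caPath, err := CAPath(ctx, client, instance)
+	if err != nil {
+		return nil, errors.New("failed to get CA path: " + err.Error())
+	}
+	useTLS := false
+	if useTLS, err = UseTrillianTLS(ctx, trillianSvc, caPath); err != nil {
+		return nil, errors.New("failed to check TLS: " + err.Error())
+	}
+	if useTLS {
+		dep.Spec.Template.Spec.Containers[0].Args = append(dep.Spec.Template.Spec.Containers[0].Args, "--trillian_log_server.tls=true")
 	}
 
 	utils.SetProxyEnvs(dep)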
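Review bot: The rewrite drops `--trillian_log_server.tls_ca_cert <caPath>` and passes only `--trillian_log_server.tls=true`, so `caPath` is now consumed solely by the operator-side probe and rekor-server is left to verify Trillian's certificate against whatever trust store its container image has; the ctlog counterpart in this same commit still passes `--trillian_tls_ca_cert_file caPath`. Unless the operator mounts that CA into rekor-server's system trust store somewhere not visible here, a Trillian certificate issued by an operator-provisioned CA will verify in the probe and then fail verification in rekor-server at runtime. Keep the CA flag alongside the boolean: `..., "--trillian_log_server.tls=true", "--trillian_log_server.tls_ca_cert", caPath)`, or add a comment stating where rekor-server obtains the CA. The same `fmt.Sprintf(addr+":%d", ...)` format-string issue raised on the ctlog hunk applies to `trillianSvc` here. CreateRekorDeployment starts before this hunk.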

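--- a/internal/controller/rekor/utils/tls.go
+++ b/internal/controller/rekor/utils/tls.go
@@ -2,24 +2,71 @@ package utils
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
 
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-func UseTLS(instance *rhtasv1alpha1.Rekor) bool {
+// Mock used in tests
+var MockUseTrillianTLS func(ctx context.Context, serviceAddr string, tlsCACertFile string) (bool, error)
 
-	if instance == nil {
-		return false
+// checks if trillian-logserver service supports TLS
+func UseTrillianTLS(ctx context.Context, serviceAddr string, tlsCACertFile string) (bool, error) {
+
+	if MockUseTrillianTLS != nil {
+		return MockUseTrillianTLS(ctx, serviceAddr, "")
+	}
+
+	if kubernetes.IsOpenShift() {
+		return true, nil
+	}
+
+	timeout := 5 * time.Second
+	ctx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	hostname := serviceAddr
+	if idx := strings.Index(serviceAddr, ":"); idx != -1 {
+		hostname = serviceAddr[:idx]
+	}
+
+	var creds credentials.TransportCredentials
+	if tlsCACertFile != "" {
+		tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCACertFile))
+		if err != nil {
+			return false, fmt.Errorf("failed to load tls ca cert: %v", err)
+		}
+		certPool := x509.NewCertPool()
+		if !certPool.AppendCertsFromPEM(tlsCaCert) {
+			return false, fmt.Errorf("failed to append CA certificate to pool")
+		}
+		creds = credentials.NewTLS(&tls.Config{
+			ServerName: hostname,
+			RootCAs:    certPool,
+			MinVersion: tls.VersionTLS12,
+		})
+	}
+
+	conn, err := grpc.DialContext(ctx, serviceAddr, grpc.WithTransportCredentials(creds), grpc.WithBlock())
+	if err != nil {
+		fmt.Printf("gRPC service at %s is not TLS secured: %v\n", serviceAddr, err)
+		return false, nil
 	}
-	// TLS enabled on Trillian logserver
-	if instance.Spec.TrustedCA != nil || kubernetes.IsOpenShift() {
-		return true
+	if err := conn.Close(); err != nil {
+		return false, fmt.Errorf("failed to close connection: %v", err)
 	}
 
-	return false
+	return true, nil
 }
 
 func CAPath(ctx context.Context, cli client.Client, instance *rhtasv1alpha1.Rekor) (string, error) {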
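Review bot: Every failure of `grpc.DialContext` — deadline exceeded, DNS failure, a log server that is not up yet, or a server certificate that does not verify against `caPath` — is printed as "not TLS secured" and returned as `false, nil`, and both callers in this commit then omit the TLS flags, so a transient outage, a misconfigured CA, or anyone able to make the probe time out downgrades Rekor and CTlog to plaintext gRPC against Trillian; that is fail-open where the safe default is to requeue. As far as I can tell from grpc-go's blocking-dial semantics, without `grpc.WithReturnConnectionError()` a handshake against a plaintext peer is retried with backoff until the 5 s deadline and surfaces only as `context.DeadlineExceeded`, so the probe cannot even tell "plaintext" from "unreachable", and with `creds == nil` (empty `tlsCACertFile`) the dial appears to be rejected before any network I/O, so that path always reports plaintext. Treat only a handshake the peer answered with non-TLS bytes (or hung up on) as "no TLS" and return every other error, for example with a plain `tls.Dialer` as below (adds `errors` and `io` imports; confirm whether a plaintext Trillian yields `tls.RecordHeaderError` or `io.EOF` before relying on it), and route the diagnostic through the controller's logger rather than `fmt.Printf`. Two smaller points: the mock branch forwards `""` instead of `tlsCACertFile`, and the `ServerName`/`MinVersion` settings on the tls.Config are correct and should be kept in whatever replaces the gRPC dial.
```go
	cfg := &tls.Config{ServerName: hostname, MinVersion: tls.VersionTLS12}
	if tlsCACertFile != "" {
		// … unchanged: read tlsCACertFile and build certPool …
		cfg.RootCAs = certPool
	}

	d := &tls.Dialer{Config: cfg}
	conn, err := d.DialContext(ctx, "tcp", serviceAddr)
	if err != nil {
		// Only a peer that answered the ClientHello with non-TLS bytes (or
		// closed the connection on it) counts as "no TLS"; timeouts, DNS
		// failures, refused connections and certificate verification errors
		// must surface so the reconcile is requeued instead of silently
		// configuring plaintext.
		var rhErr tls.RecordHeaderError
		if errors.As(err, &rhErr) || errors.Is(err, io.EOF) {
			return false, nil
		}
		return false, fmt.Errorf("probing %s for TLS: %w", serviceAddr, err)
	}
	return true, conn.Close()
```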
