enhance useTLS

fghanmi · fghanmi · commit 25f265b6a82a · 2024-09-18T10:06:35.000+02:00
diff --git a/internal/controller/ctlog/ctlog_controller_test.go b/internal/controller/ctlog/ctlog_controller_test.go
@@ -32,6 +32,7 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	rutils "github.com/securesign/operator/internal/controller/rekor/utils"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -82,6 +83,12 @@ var _ = Describe("CTlog controller", func() {
 		})
 
 		It("should successfully reconcile a custom resource for CTlog", func() {
+
+			By("mocking UseTrillianTLS")
+			rutils.MockUseTrillianTLS = func(ctx context.Context, serviceAddr string, tlsCACertFile string) (bool, error) {
+				return false, nil
+			}
+
 			By("creating the custom resource for the Kind CTlog")
 			err := k8sClient.Get(ctx, typeNamespaceName, instance)
 			if err != nil && errors.IsNotFound(err) {
diff --git a/internal/controller/ctlog/utils/ctlog_deployment.go b/internal/controller/ctlog/utils/ctlog_deployment.go
@@ -9,6 +9,7 @@ import (
 	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/common/utils"
 	"github.com/securesign/operator/internal/controller/constants"
+	rutils "github.com/securesign/operator/internal/controller/rekor/utils"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -124,12 +125,18 @@ func CreateDeployment(ctx context.Context, client client.Client, instance *v1alp
 		},
 	}
 
-	useTLS := UseTLS(instance)
+	// TLS communication to Trillian logserver
+	trillianSvc := fmt.Sprintf(instance.Spec.Trillian.Address+":%d", *instance.Spec.Trillian.Port)
+	caPath, err := CAPath(ctx, client, instance)
+	if err != nil {
+		return nil, errors.New("failed to get CA path: " + err.Error())
+	}
+
+	useTLS := false
+	if useTLS, err = rutils.UseTrillianTLS(ctx, trillianSvc, caPath); err != nil {
+		return nil, errors.New("failed to check TLS: " + err.Error())
+	}
 	if useTLS {
-		caPath, err := CAPath(ctx, client, instance)
-		if err != nil {
-			return nil, errors.New("failed to get CA path: " + err.Error())
-		}
 		dep.Spec.Template.Spec.Containers[0].Args = append(dep.Spec.Template.Spec.Containers[0].Args, "--trillian_tls_ca_cert_file", caPath)
 	}
 
diff --git a/internal/controller/rekor/actions/server/deployment.go b/internal/controller/rekor/actions/server/deployment.go
@@ -73,7 +73,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor)
 		})
 		return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could create server Deployment: %w", err), instance)
 	}
-
 	if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil {
 		return i.Failed(fmt.Errorf("could not set controller reference for Deployment: %w", err))
 	}
diff --git a/internal/controller/rekor/rekor_controller_test.go b/internal/controller/rekor/rekor_controller_test.go
@@ -41,6 +41,7 @@ import (
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	utils2 "github.com/securesign/operator/internal/controller/rekor/utils"
 	batchv1 "k8s.io/api/batch/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -96,6 +97,12 @@ var _ = Describe("Rekor controller", func() {
 		})
 
 		It("should successfully reconcile a custom resource for Rekor", func() {
+
+			By("mocking UseTrillianTLS")
+			utils2.MockUseTrillianTLS = func(ctx context.Context, serviceAddr string, tlsCACertFile string) (bool, error) {
+				return false, nil
+			}
+
 			By("creating the custom resource for the Kind Rekor")
 			err := k8sClient.Get(ctx, typeNamespaceName, instance)
 			if err != nil && errors.IsNotFound(err) {
diff --git a/internal/controller/rekor/utils/rekor_deployment.go b/internal/controller/rekor/utils/rekor_deployment.go
@@ -205,12 +205,17 @@ func CreateRekorDeployment(ctx context.Context, client client.Client, instance *
 	}
 
 	// TLS communication to Trillian logserver
-	if UseTLS(instance) {
-		caPath, err := CAPath(ctx, client, instance)
-		if err != nil {
-			return nil, errors.New("failed to get CA path: " + err.Error())
-		}
-		dep.Spec.Template.Spec.Containers[0].Args = append(dep.Spec.Template.Spec.Containers[0].Args, "--trillian_log_server.tls_ca_cert", caPath)
+	trillianSvc := fmt.Sprintf(instance.Spec.Trillian.Address+":%d", *instance.Spec.Trillian.Port)
+	caPath, err := CAPath(ctx, client, instance)
+	if err != nil {
+		return nil, errors.New("failed to get CA path: " + err.Error())
+	}
+	useTLS := false
+	if useTLS, err = UseTrillianTLS(ctx, trillianSvc, caPath); err != nil {
+		return nil, errors.New("failed to check TLS: " + err.Error())
+	}
+	if useTLS {
+		dep.Spec.Template.Spec.Containers[0].Args = append(dep.Spec.Template.Spec.Containers[0].Args, "--trillian_log_server.tls=true")
 	}
 
 	utils.SetProxyEnvs(dep)
diff --git a/internal/controller/rekor/utils/tls.go b/internal/controller/rekor/utils/tls.go
@@ -2,24 +2,71 @@ package utils
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
 
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-func UseTLS(instance *rhtasv1alpha1.Rekor) bool {
+// Mock used in tests
+var MockUseTrillianTLS func(ctx context.Context, serviceAddr string, tlsCACertFile string) (bool, error)
 
-	if instance == nil {
-		return false
+// checks if trillian-logserver service supports TLS
+func UseTrillianTLS(ctx context.Context, serviceAddr string, tlsCACertFile string) (bool, error) {
+
+	if MockUseTrillianTLS != nil {
+		return MockUseTrillianTLS(ctx, serviceAddr, "")
+	}
+
+	if kubernetes.IsOpenShift() {
+		return true, nil
+	}
+
+	timeout := 5 * time.Second
+	ctx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	hostname := serviceAddr
+	if idx := strings.Index(serviceAddr, ":"); idx != -1 {
+		hostname = serviceAddr[:idx]
+	}
+
+	var creds credentials.TransportCredentials
+	if tlsCACertFile != "" {
+		tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCACertFile))
+		if err != nil {
+			return false, fmt.Errorf("failed to load tls ca cert: %v", err)
+		}
+		certPool := x509.NewCertPool()
+		if !certPool.AppendCertsFromPEM(tlsCaCert) {
+			return false, fmt.Errorf("failed to append CA certificate to pool")
+		}
+		creds = credentials.NewTLS(&tls.Config{
+			ServerName: hostname,
+			RootCAs:    certPool,
+			MinVersion: tls.VersionTLS12,
+		})
+	}
+
+	conn, err := grpc.DialContext(ctx, serviceAddr, grpc.WithTransportCredentials(creds), grpc.WithBlock())
+	if err != nil {
+		fmt.Printf("gRPC service at %s is not TLS secured: %v\n", serviceAddr, err)
+		return false, nil
 	}
-	// TLS enabled on Trillian logserver
-	if instance.Spec.TrustedCA != nil || kubernetes.IsOpenShift() {
-		return true
+	if err := conn.Close(); err != nil {
+		return false, fmt.Errorf("failed to close connection: %v", err)
 	}
 
-	return false
+	return true, nil
 }
 
 func CAPath(ctx context.Context, cli client.Client, instance *rhtasv1alpha1.Rekor) (string, error) {

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,6 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor)`
`73`	`73`	`})`
`74`	`74`	`return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could create server Deployment: %w", err), instance)`
`75`	`75`	`}`
`76`		`-`
`77`	`76`	`if err = controllerutil.SetControllerReference(instance, dp, i.Client.Scheme()); err != nil {`
`78`	`77`	`return i.Failed(fmt.Errorf("could not set controller reference for Deployment: %w", err))`
`79`	`78`	`}`