Add TLS support for migrillian #1525
Hello,
f1e140e to 4b960ec
Can you clarify in the PR description that this support is only for TLS certs signed by a CA? This does not add support for self-signed TLS certs.
7b95849 to 9593986
The CA certificate can be self-generated. Here, we only need the CA certificate to validate Trillian's TLS certificates to establish the secure communication.
Don't worry about it. Thinking about this some more, the self-signed cert method will still work using this approach as far as I can see because the end-cert is also its own root cert.
/gcbrun
I've checked the govulncheck / Run govulncheck (pull_request) error, and it seems master does have the same issue.
Yeah that's because govulncheck isn't hermetic and so the master branch fails now, even though it passed when it was last updated. I'll try to get a PR in that fixes it 👍
9593986 to ec708d9
I was just about to merge this and noticed that you haven't updated the CHANGELOG file. Can you copy in the notes from this PR description into the CHANGELOG.md file? Thanks!
Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
ec708d9 to c270698
/gcbrun
Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
Summary
This pull request introduces the option to specify a CA certificate for establishing secure connections with the Trillian server.
By using the --trillian_tls_ca_cert_file flag, users can provide a CA certificate that is used to establish secure communication with the Trillian server.
Release Note
New Flag: --trillian_tls_ca_cert_file to specify the file path to the CA certificate.
Behavior: If the --trillian_tls_ca_cert_file flag is not provided, the system will default to insecure connections.
Security: This update significantly enhances the security of data in transit by enabling TLS.
Resolves Issue: #1524
Checklist
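The behaviour described in this PR, and the self-signed case raised in the review, as an added Go example; it is not code from this PR or from the project. The function names and the host trillian.example are assumptions, the certificates are constructed in the code, and clientTLSConfig takes the contents of the file named by --trillian_tls_ca_cert_file rather than its path.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// clientTLSConfig (hypothetical helper): nil input means the flag was not set.
func clientTLSConfig(caPEM []byte) (*tls.Config, error) {
	if caPEM == nil {
		return nil, nil // no TLS config: the insecure default from the PR description
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("CA file contains no PEM certificate")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// selfSigned builds a constructed self-signed certificate for host (sample data).
func selfSigned(host string) (*x509.Certificate, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

// trusted reports whether cert verifies for host against cfg's CA pool.
func trusted(cfg *tls.Config, cert *x509.Certificate, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err == nil
}

func main() {
	fmt.Println(clientTLSConfig(nil)) // flag unset: <nil> <nil>
}
```

A self-signed server certificate passed as the CA file verifies because it is its own root, while a different certificate for the same host, or the same certificate presented for another host name, is rejected.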