Add TLS support for migrillian #1525
Hello,
f1e140e to 4b960ec
mhutchinson left a comment
Can you clarify in the PR description that this support is only for TLS certs signed by a CA? This does not add support for self-signed TLS certs.
7b95849 to 9593986
CA certificate can be self-generated. Here, we only need the CA certificate to validate Trillian's TLS certificates to establish the secure communication.
Don't worry about it. Thinking about this some more, the self-signed cert method will still work using this approach as far as I can see because the end-cert is also its own root cert.
/gcbrun
I've checked the govulncheck / Run govulncheck (pull_request) error, and it seems master does have the same issue.
Yeah that's because govulncheck isn't hermetic and so the master branch fails now, even though it passed when it was last updated. I'll try to get a PR in that fixes it 👍
9593986 to ec708d9
I was just about to merge this and noticed that you haven't updated the CHANGELOG file. Can you copy in the notes from this PR description into the CHANGELOG.md file? Thanks!
Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
ec708d9 to c270698
/gcbrun
Summary
This pull request introduces the option to specify a CA certificate for establishing secure connections with the Trillian server.
By using the --trillian_tls_ca_cert_file flag, users can provide a CA certificate that is used to establish secure communication with the Trillian server.
Release Note
New Flag: --trillian_tls_ca_cert_file to specify the file path to the CA certificate.
Behavior: If the --trillian_tls_ca_cert_file flag is not provided, the system will default to insecure connections.
Security: This update significantly enhances the security of data in transit by enabling TLS.
Resolves Issue: #1524
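The point settled in the review thread above, that a single CA file as the only trust root also accepts a self-signed server certificate because that certificate is its own root, shown as an added Go example using only the standard library. It is not code from this PR or from the project; `selfSigned`, `verifyWithCAFile` and the host name `trillian.example` are hypothetical, and the gRPC wiring is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical helpers for illustration. selfSigned returns a constructed,
// throwaway self-signed server certificate together with its PEM encoding.
func selfSigned(host string) (*x509.Certificate, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return leaf, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

// verifyWithCAFile validates leaf for host with caPEM as the only trust root.
func verifyWithCAFile(caPEM []byte, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("no certificate found in CA file")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	a, aPEM, _ := selfSigned("trillian.example")
	_, bPEM, _ := selfSigned("trillian.example")
	fmt.Println("own cert as CA file:  ", verifyWithCAFile(aPEM, a, "trillian.example"))
	fmt.Println("other cert as CA file:", verifyWithCAFile(bPEM, a, "trillian.example"))
}
```

The first check returns nil and the second returns an unknown-authority error, so a client pinned to one self-signed certificate rejects any other certificate presented for the same host name.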