feat(cli): support custom CA certificates (#1017)

migmartri · web-flow · commit 4d5d7f8290e5 · 2024-06-24T12:00:15.000+02:00
Signed-off-by: Miguel Martinez Trivino &lt;miguel@chainloop.dev&gt;
diff --git a/app/artifact-cas/configs/config.devel.yaml b/app/artifact-cas/configs/config.devel.yaml
@@ -13,6 +13,9 @@ server:
     # Some unary RPCs are slow, so we need to increase the timeout
     # For example, Azure Blob Storage describe takes more than 1 second to respond sometimes
     timeout: 5s
+    # tls_config:
+    #   certificate: "../../devel/devkeys/selfsigned/cas.crt"
+    #   private_key: "../../devel/devkeys/selfsigned/cas.key"
   http_metrics:
     addr: 0.0.0.0:5001
 
diff --git a/app/cli/cmd/artifact.go b/app/cli/cmd/artifact.go
@@ -50,5 +50,13 @@ func wrappedArtifactConn(cpConn *grpc.ClientConn, role pb.CASCredentialsServiceG
 		logger.Warn().Msg("API contacted in insecure mode")
 	}
 
-	return grpcconn.New(viper.GetString(confOptions.CASAPI.viperKey), resp.Result.Token, flagInsecure)
+	var opts = []grpcconn.Option{
+		grpcconn.WithInsecure(flagInsecure),
+	}
+
+	if caFilePath := viper.GetString(confOptions.CASCA.viperKey); caFilePath != "" {
+		opts = append(opts, grpcconn.WithCAFile(caFilePath))
+	}
+
+	return grpcconn.New(viper.GetString(confOptions.CASAPI.viperKey), resp.Result.Token, opts...)
 }
diff --git a/app/cli/cmd/attestation_add.go b/app/cli/cmd/attestation_add.go
@@ -68,6 +68,7 @@ func newAttestationAddCmd() *cobra.Command {
 				&action.AttestationAddOpts{
 					ActionsOpts:        actionOpts,
 					CASURI:             viper.GetString(confOptions.CASAPI.viperKey),
+					CASCAPath:          viper.GetString(confOptions.CASCA.viperKey),
 					ConnectionInsecure: flagInsecure,
 					RegistryServer:     registryServer,
 					RegistryUsername:   registryUsername,
diff --git a/app/cli/cmd/config.go b/app/cli/cmd/config.go
@@ -1,5 +1,5 @@
 //
-// Copyright 2023 The Chainloop Authors.
+// Copyright 2024 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -21,7 +21,7 @@ import (
 
 // Map of all the possible configuration options that we expect viper to handle
 var confOptions = struct {
-	authToken, controlplaneAPI, CASAPI *confOpt
+	authToken, controlplaneAPI, CASAPI, controlplaneCA, CASCA *confOpt
 }{
 	authToken: &confOpt{
 		viperKey: "auth.token",
@@ -30,10 +30,18 @@ var confOptions = struct {
 		viperKey: "control-plane.API",
 		flagName: "control-plane",
 	},
+	controlplaneCA: &confOpt{
+		viperKey: "control-plane.api-ca",
+		flagName: "control-plane-ca",
+	},
 	CASAPI: &confOpt{
 		viperKey: "artifact-cas.API",
 		flagName: "artifact-cas",
 	},
+	CASCA: &confOpt{
+		viperKey: "artifact-cas.api-ca",
+		flagName: "artifact-cas-ca",
+	},
 }
 
 type confOpt struct {
diff --git a/app/cli/cmd/config_view.go b/app/cli/cmd/config_view.go
@@ -29,8 +29,10 @@ func newConfigViewCmd() *cobra.Command {
 		Run: func(cmd *cobra.Command, args []string) {
 			fmt.Printf("Config file: %s\n", viper.ConfigFileUsed())
 
-			for _, opt := range []*confOpt{confOptions.controlplaneAPI, confOptions.CASAPI} {
-				fmt.Printf("%s: %s\n", opt.flagName, viper.GetString(opt.viperKey))
+			for _, opt := range []*confOpt{confOptions.controlplaneAPI, confOptions.controlplaneCA, confOptions.CASAPI, confOptions.CASCA} {
+				if v := viper.GetString(opt.viperKey); v != "" {
+					fmt.Printf("%s: %s\n", opt.flagName, v)
+				}
 			}
 		},
 	}
diff --git a/app/cli/cmd/root.go b/app/cli/cmd/root.go
@@ -92,7 +92,15 @@ func NewRootCmd(l zerolog.Logger) *cobra.Command {
 				return err
 			}
 
-			conn, err := grpcconn.New(viper.GetString(confOptions.controlplaneAPI.viperKey), apiToken, flagInsecure)
+			var opts = []grpcconn.Option{
+				grpcconn.WithInsecure(flagInsecure),
+			}
+
+			if caFilePath := viper.GetString(confOptions.controlplaneCA.viperKey); caFilePath != "" {
+				opts = append(opts, grpcconn.WithCAFile(caFilePath))
+			}
+
+			conn, err := grpcconn.New(viper.GetString(confOptions.controlplaneAPI.viperKey), apiToken, opts...)
 			if err != nil {
 				return err
 			}
@@ -136,10 +144,20 @@ func NewRootCmd(l zerolog.Logger) *cobra.Command {
 	err := viper.BindPFlag(confOptions.controlplaneAPI.viperKey, rootCmd.PersistentFlags().Lookup(confOptions.controlplaneAPI.flagName))
 	cobra.CheckErr(err)
 
+	// Custom CAs for the control plane
+	rootCmd.PersistentFlags().String(confOptions.controlplaneCA.flagName, "", "CUSTOM CA file for the Control Plane API (optional)")
+	err = viper.BindPFlag(confOptions.controlplaneCA.viperKey, rootCmd.PersistentFlags().Lookup(confOptions.controlplaneCA.flagName))
+	cobra.CheckErr(err)
+
 	rootCmd.PersistentFlags().String(confOptions.CASAPI.flagName, defaultCASAPI, "URL for the Artifacts Content Addressable Storage (CAS)")
 	err = viper.BindPFlag(confOptions.CASAPI.viperKey, rootCmd.PersistentFlags().Lookup(confOptions.CASAPI.flagName))
 	cobra.CheckErr(err)
 
+	// Custom CAs for the CAS
+	rootCmd.PersistentFlags().String(confOptions.CASCA.flagName, "", "CUSTOM CA file for the Artifacts CAS API (optional)")
+	err = viper.BindPFlag(confOptions.CASCA.viperKey, rootCmd.PersistentFlags().Lookup(confOptions.CASCA.flagName))
+	cobra.CheckErr(err)
+
 	rootCmd.PersistentFlags().BoolVarP(&flagInsecure, "insecure", "i", false, "Skip TLS transport during connection to the control plane")
 	rootCmd.PersistentFlags().BoolVar(&flagDebug, "debug", false, "Enable debug/verbose logging mode")
 	rootCmd.PersistentFlags().StringVarP(&flagOutputFormat, "output", "o", "table", "Output format, valid options are json and table")
diff --git a/app/cli/internal/action/attestation_add.go b/app/cli/internal/action/attestation_add.go
@@ -32,15 +32,18 @@ type AttestationAddOpts struct {
 	*ActionsOpts
 	ArtifactsCASConn   *grpc.ClientConn
 	CASURI             string
+	CASCAPath          string // optional CA certificate for the CAS connection
 	ConnectionInsecure bool
 	// OCI registry credentials used for CONTAINER_IMAGE material type
 	RegistryServer, RegistryUsername, RegistryPassword string
 }
 
 type AttestationAdd struct {
 	*ActionsOpts
-	c                  *crafter.Crafter
-	casURI             string
+	c      *crafter.Crafter
+	casURI string
+	// optional CA certificate for the CAS connection
+	casCAPath          string
 	connectionInsecure bool
 }
 
@@ -60,6 +63,7 @@ func NewAttestationAdd(cfg *AttestationAddOpts) (*AttestationAdd, error) {
 		ActionsOpts:        cfg.ActionsOpts,
 		c:                  c,
 		casURI:             cfg.CASURI,
+		casCAPath:          cfg.CASCAPath,
 		connectionInsecure: cfg.ConnectionInsecure,
 	}, nil
 }
@@ -104,7 +108,15 @@ func (action *AttestationAdd) Run(ctx context.Context, attestationID, materialNa
 		// Some CASBackends will actually upload information to the CAS server
 		// in such case we need to set up a connection
 		if !b.IsInline && creds.Result.Token != "" {
-			artifactCASConn, err := grpcconn.New(action.casURI, creds.Result.Token, action.connectionInsecure)
+			var opts = []grpcconn.Option{
+				grpcconn.WithInsecure(action.connectionInsecure),
+			}
+
+			if action.casCAPath != "" {
+				opts = append(opts, grpcconn.WithCAFile(action.casCAPath))
+			}
+
+			artifactCASConn, err := grpcconn.New(action.casURI, creds.Result.Token, opts...)
 			if err != nil {
 				return err
 			}
diff --git a/app/controlplane/configs/config.devel.yaml b/app/controlplane/configs/config.devel.yaml
@@ -12,6 +12,9 @@ server:
     addr: 0.0.0.0:9000
     # We have some slow operations such as verifying an OCI registry
     timeout: 10s
+    # tls_config:
+    #   certificate: "../../devel/devkeys/selfsigned/controlplane.crt"
+    #   private_key: "../../devel/devkeys/selfsigned/controlplane.key"
 
 certificate_authority:
   file_ca:
diff --git a/app/controlplane/pkg/biz/casclient.go b/app/controlplane/pkg/biz/casclient.go
@@ -69,7 +69,7 @@ func NewCASClientUseCase(credsProvider *CASCredentialsUseCase, config *conf.Boot
 
 	// generate a client from the given configuration
 	defaultCasClientFactory := func(conf *conf.Bootstrap_CASServer, token string) (casclient.DownloaderUploader, func(), error) {
-		conn, err := grpcconn.New(conf.GetGrpc().GetAddr(), token, conf.GetInsecure())
+		conn, err := grpcconn.New(conf.GetGrpc().GetAddr(), token, grpcconn.WithInsecure(conf.GetInsecure()))
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to create grpc connection: %w", err)
 		}
diff --git a/devel/devkeys/selfsigned/cas.crt b/devel/devkeys/selfsigned/cas.crt
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEgzCCAmugAwIBAgIUcdwQLV/RVxdC8W4TE957yQf1LqEwDQYJKoZIhvcNAQEL
+BQAwSjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB1NldmlsbGUxGjAYBgNVBAoMEUNo
+YWlubG9vcCBSb290IENBMQ0wCwYDVQQLDARjb3JlMB4XDTI0MDYyMzIyMjUzMloX
+DTI1MDYyMzIyMjUzMlowRDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRQwEgYD
+VQQKDAtNeU9yZywgSW5jLjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsdEbOuLzhe1fLPaAAimP9VcCO5b0f9JkYEo+
+9AN9XdUbU3DCbAuStTsa83qizzRD9IBYTih3hlFnGH+s3mBJVV4xfqJLqB1DbrZT
+Wbr2aqiQeJCwNDx3jtrKrLt1xXd97rE/VvZEU6UsqgBpKM5nJuWd2d4lt5N2jc3q
+u222dKCA79SpaaEsorIzK9x4EparWiIZ092oM7Kq0KyNvFac76uiHn3eO+7F6r8i
+TQApLBRZM4p0zGGDbr7HVKMjMBim4wc/Epra9dqUeGwxJiJgfmciY7/wpZ2sBIiU
+NvwzmTKOzimfu1bSk5GyGXRBPgncnyzjm5j0QI9D/qlgEbC7XQIDAQABo2cwZTAj
+BgNVHREEHDAagglsb2NhbGhvc3SCDWFub3RoZXJkb21haW4wHQYDVR0OBBYEFDeM
+DkYKHa7chpYqU8e7JFejVTXWMB8GA1UdIwQYMBaAFPT/S8Z/rtqDnPlhNzOM1QN6
+iJP5MA0GCSqGSIb3DQEBCwUAA4ICAQCYVzzTWhZTxQdGCIT0EmDvfMVldZi9KOaY
+8Ai4IuHrTvQyk1C5K2gPtJucX9UVJVGG200f7kFHdk54YUWR0wEMojxNpURor/Pv
+mxGt2hDH4NEMo74F0+coo/3Wb648eCTlWb06/FgYe5oWR6Hg0aWtuB+R559Ry6KT
+gP2Ay473MXLljtd3fU1dsvxviB+klVtRBHMQ43jYm2UFGDCE9MIyxUtVxuQGJX0e
+FBSB5XgLM6cXe2eEFURkwyQGS0cRLwvrtBkRR0yLOvoCFQ0LZ/AZy2f12gOaZm1I
+HGx6YSQfzboTPPbBbLceDxVIox2Vyh9Zy4qij6nqljDdNYOue2/D0TTrDmbzWnih
+ode3ux1fNtLLy5oTHId2QSygsT7HeDne2avrDVrhSPb4wn1pd0rDk54hxrT8nz/8
+4NKlEUwOkfKGQryW/ZjGBS369Tf872NWR9CV4za7b8plM0uw39YphDnNMpi/SQEa
+Ef9RRAPIU8BlsAguceX3HkE+qiciqsTA2NiCLnawa2bIS6sLJ8E5hIB1IZYMctm8
++qBstHaMU3vdq7dmtJWJ0cxI6y4vCEFMzEkGUj617VOeHRvyXsVhtu880Ha7kBJj
+pMMnSqVNLJF7RgFNz7GiM7nQ9twZ5J6W4c50IO3alXwgt+ZSTMmL/0qi8sBZfteD
+t1dozsM17A==
+-----END CERTIFICATE-----
diff --git a/devel/devkeys/selfsigned/controlplane.crt b/devel/devkeys/selfsigned/controlplane.crt
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEgzCCAmugAwIBAgIUcdwQLV/RVxdC8W4TE957yQf1LqAwDQYJKoZIhvcNAQEL
+BQAwSjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB1NldmlsbGUxGjAYBgNVBAoMEUNo
+YWlubG9vcCBSb290IENBMQ0wCwYDVQQLDARjb3JlMB4XDTI0MDYyMjIxMjYxN1oX
+DTI1MDYyMjIxMjYxN1owRDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRQwEgYD
+VQQKDAtNeU9yZywgSW5jLjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw1KSfjn/0OjnB7gw0tRfmhVuMJzjb3B/V+sm
+M1+ONrLLuGGHJ2ua4MRBV3ge611BJuUkWWZ/xj3/b241qnEHowYPqNjGs+BKR4nS
+s3uqerZcXN31RweuyMGlwMgFJgvZVeo/c9Ao07e0B/noNnLMmVBaYRUwFs0IqM9Y
+fxSNNfRXXF5qa6dwR+BQtNkD/Sxx+ldgBOQ3EVVqMDq2gygXvNTDT98GTUFQYMQO
+l5T6GhmAj/cedRY+qjPA91pc701RPT0KiREBpy2TKXStOS5x/LhFpDbhCisKaZTz
+Z4UoTBZz0f1zWuiVxHWO1Dq2UZADEUMctY5gNbGmfcMOnRLFZQIDAQABo2cwZTAj
+BgNVHREEHDAagglsb2NhbGhvc3SCDWFub3RoZXJkb21haW4wHQYDVR0OBBYEFPCM
+vcr5gNK/4xmSs+VWLGGEqP37MB8GA1UdIwQYMBaAFPT/S8Z/rtqDnPlhNzOM1QN6
+iJP5MA0GCSqGSIb3DQEBCwUAA4ICAQBZ96W82mga5haFv96J6ispuoa4T5EZWLy7
+6fE2j5M2hR5SUiYpwf/Tyy/OIBc+B3IVMCuxemv6j5Vrl/rulxikcjeoDv6nV2QM
+kihEOtQ6V5Tdek9HvrXD/4fEb4qJ8XJH/+6QTuPYvA4a2bTcQzqbEZ4ZY/WE/Kno
+cRL3Vpvaf9AMiZWW146fph/eym29cark4uncivvbeUoPXtswNOS2UL3lWKXXvu5+
+lZysKhun29FTkWRMirGTWiNepT+Lpty40kfNI/Zwqi+O1wY60L321sm6+4zzLXJ/
+c3O6LKK+NKlURUR4DfjqVAM6JF3qXWUvqU2wHq9yfNBUgGCinSgibwaTQQMWcPv+
+jHGwNSYwgA5J0uj/ZVNt/VMdwwqXutZrZ7Didn/U0w68+ndS/6KhGzB3TmRcobIF
+1W+gnOEn2Ua0ck5rNfZoPxivSm34fDy45ROXorN1eOKiNjPn/2rWx0QCeT8SuEPQ
+98d46Ly7cg+9i+HjU8B54DQiJuIYP5JAk/vbVSAtj5h/g7t6jPCkKrGK23Q+/Zro
+eG5Jv9NDbATEvyjx2fh94Fp5m2SmIzAZyepu5wCwjVrVSc3jaX4F/AO+vhQXUK9b
+rDkyK9fctLvPYNryAeW+A+MC/oyC4q1sxfpmhbmnVtlHgNIt9EdPIcljnq5ONRUG
+0mhMGeugig==
+-----END CERTIFICATE-----
diff --git a/devel/devkeys/selfsigned/rootCA.crt b/devel/devkeys/selfsigned/rootCA.crt
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFdTCCA12gAwIBAgIUeVeikQul8YDvogKmLCtOeKF/x5gwDQYJKoZIhvcNAQEL
+BQAwSjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB1NldmlsbGUxGjAYBgNVBAoMEUNo
+YWlubG9vcCBSb290IENBMQ0wCwYDVQQLDARjb3JlMB4XDTI0MDYyMTE0MzAyMFoX
+DTI3MDQxMTE0MzAyMFowSjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB1NldmlsbGUx
+GjAYBgNVBAoMEUNoYWlubG9vcCBSb290IENBMQ0wCwYDVQQLDARjb3JlMIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvI8njRnv7XSXlUd2bzbwAllbT/rO
+u0hZvChp/fOWu3WN45fgHqw/QXU4iD7S2lrq8Q6ibuZLRXZsBwsasaI2mowWt3Qg
+ss4vQsHJkHoHEFeEA0D13ZY++gHfkw2r8ehzgpBa9jjHe9FMgQfXEu3K0RMpOs4c
+4oktzMU7E/L170P2fA9DM7w2KRyl5ih3ZQthpFXR/voh47R5u3S6Jb4zt3GaTlhS
+lotHPjPgVAp00O0+K+3aSkMBCFcphKfOXfGgl+c82fghwJxT+Ns3oWq7yeW2Os92
+3KwlK5G6KHtp8pIkuwRYx6mDf3bsFOcs8l6Lex70MRxHlxujPiSq4D3YTRkm7yAc
+qgBp1VlgAyikadK9Cxynte97aT0BpPUhDAoDFbki46MOX7J+b/L+OAwuzYw4eWYn
+JCJ0qWWdqQG681xJ59q19vzL7q6Ge5pBtq2wbd/RiIByt5GFwLscjAi+Z4i8Hvt4
+04pnaDFfmsMMkLMpiE06UT1IMO8nH1oir/ixrAAMv4L6oXvp7kth4Krp0I+HzuPg
+IsTla8a1rkcAGp/MWqF7A1DB+ZhmkHBDyShPaVPVuD/8WLtLxfCRYiHXyIg7+Vek
+eF/PYfjww61KxriL7hGSvJycZs1f3EfvAG5UucqcMrUlOetM5f4M4Kob1kaa3T8u
+MtGxj6RehkGU7nUCAwEAAaNTMFEwHQYDVR0OBBYEFPT/S8Z/rtqDnPlhNzOM1QN6
+iJP5MB8GA1UdIwQYMBaAFPT/S8Z/rtqDnPlhNzOM1QN6iJP5MA8GA1UdEwEB/wQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggIBAGEkv4/Oryvnf+yP5gAkbu63rTgh+V9x
+SR9jIpwarxkx4+Jnzzj8912BQI//R+EbFIjle5PSvDYwDRPflid3m5os8V0oqBFj
+/SOrRt4BTdAhvpMVLuDN1b6Z2IzvYZ61o3xC1qjcUy+wxwok/i0zkuTgFdziPdbX
+fFBq19GpKTlFWVdjnmKwQ8EWht29lnVEHDCrSGmhAKu+U5cXmsHyk7ktMlXcSbKD
+6w0u5ddRcK1YnVTalXihm7izRThUNah/wta0JyItC+S+AhSEsP6wARuRoZuWe5w8
+5ituwJNYcHF1QYhVzc6c4kUogeYavY8YF6mFmKsQi4fFmvaRK3guimEBdFoERlbS
+Nsiqa3E1n7hiAuRYgC47wmwesEyxWv6u5HDH0PwK8z0O0/oSILx5+bk3Oo9FRw6M
+S2Ey3Dk+CeFEje0stJMFm2kZZrkYbQgesnZmvYN3Avp5jWH0HUQdrDyJCsTpuEVB
+TsCPciURzXkq5gyoM86s2zSxjUtappS9DNAKrtxrg15JgKnHDs3PpGprI++VrqVy
+su8slcS2izzPKeKFrMYsChjk93okA/JSLOvXUVSDdIVQeLej06B37H5MYLN2Su0g
+2gNcqotasUwUcQxPo9Aktw4ADfvvtitEPYHnn4BUPvG1l+2/G462IxJRIHTkkrGr
+TDqJFHPGYkvg
+-----END CERTIFICATE-----
diff --git a/internal/grpcconn/grpcconn.go b/internal/grpcconn/grpcconn.go
@@ -18,19 +18,45 @@ package grpcconn
 import (
 	"context"
 	"crypto/x509"
+	"fmt"
+	"os"
 
 	grpc_retry "github.com/grpc-ecosystem/go-grpc-middleware/retry"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	grpc_insecure "google.golang.org/grpc/credentials/insecure"
 )
 
+type newOptionalArg struct {
+	caFilePath string
+	insecure   bool
+}
+
+type Option func(*newOptionalArg)
+
+func WithCAFile(caFilePath string) Option {
+	return func(opt *newOptionalArg) {
+		opt.caFilePath = caFilePath
+	}
+}
+
+func WithInsecure(insecure bool) Option {
+	return func(opt *newOptionalArg) {
+		opt.insecure = insecure
+	}
+}
+
 // Simple wrapper around grpc.Dial that returns a grpc.ClientConn
 // It sets up the connection with the correct credentials headers
-func New(uri, authToken string, insecure bool) (*grpc.ClientConn, error) {
+func New(uri, authToken string, opt ...Option) (*grpc.ClientConn, error) {
+	optionalArgs := &newOptionalArg{}
+	for _, o := range opt {
+		o(optionalArgs)
+	}
+
 	var opts []grpc.DialOption
 	if authToken != "" {
-		grpcCreds := newTokenAuth(authToken, insecure)
+		grpcCreds := newTokenAuth(authToken, optionalArgs.insecure)
 
 		opts = []grpc.DialOption{
 			grpc.WithPerRPCCredentials(grpcCreds),
@@ -41,13 +67,21 @@ func New(uri, authToken string, insecure bool) (*grpc.ClientConn, error) {
 
 	// Currently we only support system tls certs
 	var tlsDialOption grpc.DialOption
-	if insecure {
+	if optionalArgs.insecure {
 		tlsDialOption = grpc.WithTransportCredentials(grpc_insecure.NewCredentials())
 	} else {
+		var err error
 		certsPool, err := x509.SystemCertPool()
 		if err != nil {
 			return nil, err
 		}
+
+		if optionalArgs.caFilePath != "" {
+			if err = appendCAFromFile(optionalArgs.caFilePath, certsPool); err != nil {
+				return nil, fmt.Errorf("failed to load CA cert: %w", err)
+			}
+		}
+
 		tlsDialOption = grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(certsPool, ""))
 	}
 
@@ -61,6 +95,20 @@ func New(uri, authToken string, insecure bool) (*grpc.ClientConn, error) {
 	return conn, nil
 }
 
+func appendCAFromFile(path string, certsPool *x509.CertPool) error {
+	// Load CA cert
+	caCert, err := os.ReadFile(path)
+	if err != nil {
+		return fmt.Errorf("failed to read CA cert: %w", err)
+	}
+
+	if ok := certsPool.AppendCertsFromPEM(caCert); !ok {
+		return fmt.Errorf("failed to append CA cert to pool")
+	}
+
+	return nil
+}
+
 type tokenAuth struct {
 	token    string
 	insecure bool

Original file line number	Diff line number	Diff line change
`@@ -50,5 +50,13 @@ func wrappedArtifactConn(cpConn *grpc.ClientConn, role pb.CASCredentialsServiceG`
`50`	`50`	`logger.Warn().Msg("API contacted in insecure mode")`
`51`	`51`	`}`
`52`	`52`
`53`		`- return grpcconn.New(viper.GetString(confOptions.CASAPI.viperKey), resp.Result.Token, flagInsecure)`
	`53`	`+ var opts = []grpcconn.Option{`
	`54`	`+ grpcconn.WithInsecure(flagInsecure),`
	`55`	`+ }`
	`56`	`+`
	`57`	`+ if caFilePath := viper.GetString(confOptions.CASCA.viperKey); caFilePath != "" {`
	`58`	`+ opts = append(opts, grpcconn.WithCAFile(caFilePath))`
	`59`	`+ }`
	`60`	`+`
	`61`	`+ return grpcconn.New(viper.GetString(confOptions.CASAPI.viperKey), resp.Result.Token, opts...)`
`54`	`62`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,8 +29,10 @@ func newConfigViewCmd() *cobra.Command {`
`29`	`29`	`Run: func(cmd *cobra.Command, args []string) {`
`30`	`30`	`fmt.Printf("Config file: %s\n", viper.ConfigFileUsed())`
`31`	`31`
`32`		`- for _, opt := range []*confOpt{confOptions.controlplaneAPI, confOptions.CASAPI} {`
`33`		`- fmt.Printf("%s: %s\n", opt.flagName, viper.GetString(opt.viperKey))`
	`32`	`+ for _, opt := range []*confOpt{confOptions.controlplaneAPI, confOptions.controlplaneCA, confOptions.CASAPI, confOptions.CASCA} {`
	`33`	`+ if v := viper.GetString(opt.viperKey); v != "" {`
	`34`	`+ fmt.Printf("%s: %s\n", opt.flagName, v)`
	`35`	`+ }`
`34`	`36`	`}`
`35`	`37`	`},`
`36`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ func NewCASClientUseCase(credsProvider CASCredentialsUseCase, config conf.Boot`
`69`	`69`
`70`	`70`	`// generate a client from the given configuration`
`71`	`71`	`defaultCasClientFactory := func(conf *conf.Bootstrap_CASServer, token string) (casclient.DownloaderUploader, func(), error) {`
`72`		`- conn, err := grpcconn.New(conf.GetGrpc().GetAddr(), token, conf.GetInsecure())`
	`72`	`+ conn, err := grpcconn.New(conf.GetGrpc().GetAddr(), token, grpcconn.WithInsecure(conf.GetInsecure()))`
`73`	`73`	`if err != nil {`
`74`	`74`	`return nil, nil, fmt.Errorf("failed to create grpc connection: %w", err)`
`75`	`75`	`}`