sigstore / rekor

Software Supply Chain Transparency Log
https://sigstore.dev
Apache License 2.0

Add TLS support for Trillian server #2164

Open fghanmi opened 1 week ago

fghanmi commented 1 week ago

Summary

This pull request introduces support for enabling TLS in communications with the Trillian server. By adding a new command-line flag --tls-ca-cert and implementing the necessary logic to handle TLS certificates, this update enhances the security of Rekor.

Release Note

Resolves Issue: https://github.com/sigstore/rekor/issues/2163

Documentation
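As an added example (not Rekor's code and not part of this PR), the client-side logic a `--tls-ca-cert` style flag implies, written in Go with only the standard library: the CA bundle is loaded into a certificate pool, the Trillian dial is pinned to that pool instead of the system roots, and the server certificate is checked against it. The helper names (`LoadTLSConfig`, `VerifyServerCert`, `newCert`), the server name `trillian-log-server` and the in-memory test CA are assumptions constructed for this example; in a real client the resulting `tls.Config` would be handed to the gRPC transport credentials.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// LoadTLSConfig builds the client-side tls.Config that a CA-cert flag would feed
// into the Trillian dial: trust is limited to the CA(s) in caPEM, not the system
// roots. Helper shape is an assumption for this example, not Rekor's code.
func LoadTLSConfig(caPEM []byte, serverName string) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no valid CA certificate found in PEM data")
	}
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}, nil
}

// VerifyServerCert runs the chain and hostname check that the TLS handshake
// would perform on the server's leaf certificate.
func VerifyServerCert(cfg *tls.Config, leafDER []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err
}

// newCert creates throwaway test material in memory (constructed for this
// example). With parent == nil it issues a self-signed CA, otherwise a server
// leaf for name signed by parent/parentKey.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// Demo reports whether a server cert issued by the configured CA is accepted,
// and whether the same cert is rejected once an unrelated CA is configured.
func Demo() (bool, bool, error) {
	ca, caKey, caPEM, err := newCert("trillian-test-ca", nil, nil)
	if err != nil {
		return false, false, err
	}
	leaf, _, _, err := newCert("trillian-log-server", ca, caKey)
	if err != nil {
		return false, false, err
	}
	_, _, otherPEM, err := newCert("unrelated-ca", nil, nil)
	if err != nil {
		return false, false, err
	}
	cfg, err := LoadTLSConfig(caPEM, "trillian-log-server")
	if err != nil {
		return false, false, err
	}
	otherCfg, err := LoadTLSConfig(otherPEM, "trillian-log-server")
	if err != nil {
		return false, false, err
	}
	return VerifyServerCert(cfg, leaf.Raw) == nil, VerifyServerCert(otherCfg, leaf.Raw) != nil, nil
}

func main() {
	accepted, rejected, err := Demo()
	fmt.Printf("trusted CA accepted: %v, unrelated CA rejected: %v, err: %v\n", accepted, rejected, err)
}
```

The second half of `Demo` is the check worth keeping in an e2e test for a change like this: a server presenting a certificate from any CA other than the one passed on the flag must fail the handshake, otherwise the flag adds encryption but not authentication of the Trillian endpoint.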

codecov[bot] commented 1 week ago

Codecov Report

Attention: Patch coverage is 56.00000% with 11 lines in your changes missing coverage. Please review.

Project coverage is 51.71%. Comparing base (488eb97) to head (e665262). Report is 151 commits behind head on main.

| Files | Patch % | Lines |
|---|---|---|
| pkg/api/api.go | 52.17% | 9 Missing and 2 partials :warning: |
Additional details and impacted files

```diff
@@             Coverage Diff             @@
##             main    #2164       +/-   ##
===========================================
- Coverage   66.46%   51.71%   -14.75%
===========================================
  Files          92      188      +96
  Lines        9258    19368   +10110
===========================================
+ Hits         6153    10017    +3864
- Misses       2359     8272    +5913
- Partials      746     1079     +333
```

| [Flag](https://app.codecov.io/gh/sigstore/rekor/pull/2164/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=sigstore) | Coverage Δ | |
|---|---|---|
| [e2etests](https://app.codecov.io/gh/sigstore/rekor/pull/2164/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=sigstore) | `50.30% <56.00%> (+2.74%)` | :arrow_up: |
| [unittests](https://app.codecov.io/gh/sigstore/rekor/pull/2164/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=sigstore) | `43.24% <8.00%> (-4.44%)` | :arrow_down: |

Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=sigstore#carryforward-flags-in-the-pull-request-comment) to find out more.


fghanmi commented 6 days ago

@bobcallaway I see that the e2e tests are failing. Are they all using ./docker-compose.yaml resources? Meaning, should I enable TLS on all the /docker-compose*.yaml files? (Since the trillian logserver in docker-compose.yaml is TLS enabled.)

fghanmi commented 6 days ago

Regarding the build failure (CI / issue-872-e2e): the script is using an old rekor-server image https://github.com/sigstore/rekor/blob/main/tests/issue-872-e2e-test.sh#L71 that does not have the new tag --tls_ca_cert and thus it fails. @bobcallaway is it possible to use an image with the new updates?

bobcallaway commented 6 days ago

> Regarding the build failure (CI / issue-872-e2e): the script is using an old rekor-server image https://github.com/sigstore/rekor/blob/main/tests/issue-872-e2e-test.sh#L71 that does not have the new tag --tls_ca_cert and thus it fails. @bobcallaway is it possible to use an image with the new updates?

No, that specific test is for a regression that was started at that back version.

I'll need to take a closer look at the dependency structure of those various docker-compose files to better advise you.

fghanmi commented 2 days ago

> > Regarding the build failure (CI / issue-872-e2e): the script is using an old rekor-server image https://github.com/sigstore/rekor/blob/main/tests/issue-872-e2e-test.sh#L71 that does not have the new tag --tls_ca_cert and thus it fails. @bobcallaway is it possible to use an image with the new updates?
>
> No, that specific test is for a regression that was started at that back version.
>
> I'll need to take a closer look at the dependency structure of those various docker-compose files to better advise you.

We can create another trillian server, trillian-log-server-no-tls, and use it as the trillian server for the rekor-server-issue-872-v060 that uses an older image (I've tested it). What do you think?