-rw-r--r--.runway/env-production.yml2
-rw-r--r--.runway/env-staging.yml2
-rw-r--r--cmd/authzd/main.go26
3 files changed, 26 insertions, 4 deletions
diff --git a/.runway/env-production.yml b/.runway/env-production.yml
index 2b05f63..e1f1eff 100644
--- a/.runway/env-production.yml
+++ b/.runway/env-production.yml
@@ -1,4 +1,4 @@
APP_ENV: "production"
-AUTHZD_HOST: "authzd.runway.gitlab.net"
+AUTHZD_HOST: "authzd.staging.runway.gitlab.net:443"
OAUTH_CLIENT_ID: "75656280b7ca60223b060b57c4eb98a8a324878531efeccafc1d25709dbee5c9"
OIDC_ISSUER: "https://gitlab.com"
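Review bot: The production environment now points AUTHZD_HOST at the staging authzd host on the added line, which reads like a copy of the staging file's value rather than an intended cross-environment dependency; the old value was `authzd.runway.gitlab.net` and only the port seems meant to change. Unless production is deliberately supposed to ask the staging authorizer, the line should be `AUTHZD_HOST: "authzd.runway.gitlab.net:443"`. As written, production authorization decisions would be served by the staging deployment, which is the kind of drift that is hard to notice once both files look alike.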
diff --git a/.runway/env-staging.yml b/.runway/env-staging.yml
index 2b2ce8e..0ae9f1d 100644
--- a/.runway/env-staging.yml
+++ b/.runway/env-staging.yml
@@ -1,4 +1,4 @@
APP_ENV: "production"
-AUTHZD_HOST: "authzd.staging.runway.gitlab.net"
+AUTHZD_HOST: "authzd.staging.runway.gitlab.net:443"
OAUTH_CLIENT_ID: "786e37c8d2207d200f735379ad52579c452948222f9affc7a45e74bd7074ad3c"
OIDC_ISSUER: "https://staging.gitlab.com"
diff --git a/cmd/authzd/main.go b/cmd/authzd/main.go
index 32a7cc7..ff942e7 100644
--- a/cmd/authzd/main.go
+++ b/cmd/authzd/main.go
@@ -2,6 +2,7 @@ package main
import (
"context"
+ "crypto/x509"
"net"
"os"
"os/signal"
@@ -13,6 +14,7 @@ import (
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/authz"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
"google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
)
@@ -20,9 +22,10 @@ func main() {
logger := log.New(os.Stdout, log.Fields{"app": "authzd"})
ctx := logger.WithContext(context.Background())
+ host := env.Fetch("AUTHZD_HOST", "localhost:50051")
connection, err := grpc.NewClient(
- env.Fetch("AUTHZD_HOST", "localhost:50051"),
- grpc.WithTransportCredentials(insecure.NewCredentials()),
+ host,
+ grpc.WithTransportCredentials(credentialsFor(ctx, host)),
)
if err != nil {
pls.LogErrorNow(ctx, err)
@@ -44,3 +47,22 @@ func main() {
socket := x.Must(net.Listen("tcp", ":10003"))
pls.LogErrorNow(ctx, server.Serve(socket))
}
+
+func credentialsFor(ctx context.Context, host string) credentials.TransportCredentials {
+ _, port, err := net.SplitHostPort(host)
+ if err != nil {
+ pls.LogError(ctx, err)
+ return insecure.NewCredentials()
+ }
+
+ if port != "443" {
+ return insecure.NewCredentials()
+ }
+
+ pool, err := x509.SystemCertPool()
+ if err != nil {
+ return insecure.NewCredentials()
+ }
+
+ return credentials.NewClientTLSFromCert(pool, "")
+}
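Review bot: credentialsFor fails open: a malformed AUTHZD_HOST, a non-443 port, or a failed x509.SystemCertPool() all silently degrade the authz client to plaintext, and the cert-pool failure is not even logged. For a daemon whose one outbound call is an authorization decision, a misconfigured host such as `authzd.runway.gitlab.net:8443` would downgrade to cleartext gRPC in production without any signal. I would make the helper return an error so main can stop the process (the call site at the `grpc.NewClient` hunk would handle it like the existing `pls.LogErrorNow(ctx, err)` branch), and log explicitly whenever plaintext is chosen so it is visible that only the local default is expected to take that path.
```go
// credentialsFor picks transport credentials for the authz target. Only an
// explicit non-443 target (the localhost default) gets plaintext; any parse
// or trust-store failure is returned rather than downgraded to insecure.
func credentialsFor(ctx context.Context, host string) (credentials.TransportCredentials, error) {
	_, port, err := net.SplitHostPort(host)
	if err != nil {
		return nil, err
	}

	if port != "443" {
		pls.LogError(ctx, errors.New("authzd client using plaintext transport for "+host))
		return insecure.NewCredentials(), nil
	}

	pool, err := x509.SystemCertPool()
	if err != nil {
		return nil, err
	}

	return credentials.NewClientTLSFromCert(pool, ""), nil
}
```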