Diffstat (limited to 'cmd/authzd')
-rw-r--r--cmd/authzd/main.go26
1 files changed, 24 insertions, 2 deletions
diff --git a/cmd/authzd/main.go b/cmd/authzd/main.go
index 32a7cc7..ff942e7 100644
--- a/cmd/authzd/main.go
+++ b/cmd/authzd/main.go
@@ -2,6 +2,7 @@ package main
import (
"context"
+ "crypto/x509"
"net"
"os"
"os/signal"
@@ -13,6 +14,7 @@ import (
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/authz"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
"google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
)
@@ -20,9 +22,10 @@ func main() {
logger := log.New(os.Stdout, log.Fields{"app": "authzd"})
ctx := logger.WithContext(context.Background())
+ host := env.Fetch("AUTHZD_HOST", "localhost:50051")
connection, err := grpc.NewClient(
- env.Fetch("AUTHZD_HOST", "localhost:50051"),
- grpc.WithTransportCredentials(insecure.NewCredentials()),
+ host,
+ grpc.WithTransportCredentials(credentialsFor(ctx, host)),
)
if err != nil {
pls.LogErrorNow(ctx, err)
@@ -44,3 +47,22 @@ func main() {
socket := x.Must(net.Listen("tcp", ":10003"))
pls.LogErrorNow(ctx, server.Serve(socket))
}
+
+func credentialsFor(ctx context.Context, host string) credentials.TransportCredentials {
+ _, port, err := net.SplitHostPort(host)
+ if err != nil {
+ pls.LogError(ctx, err)
+ return insecure.NewCredentials()
+ }
+
+ if port != "443" {
+ return insecure.NewCredentials()
+ }
+
+ pool, err := x509.SystemCertPool()
+ if err != nil {
+ return insecure.NewCredentials()
+ }
+
+ return credentials.NewClientTLSFromCert(pool, "")
+}
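Review bot: The `x509.SystemCertPool()` error branch near the end of `credentialsFor` fails open without a trace: unlike the `net.SplitHostPort` branch a few lines above, it does not log before returning `insecure.NewCredentials()`, so a host with a broken root store would dial a port-443 peer in plaintext with nothing in the logs. `credentials.NewClientTLSFromCert` stores the pool as `RootCAs`, and crypto/tls uses the system roots when that field is nil, so a failed pool load does not need to drop TLS at all; the branch could become `pls.LogError(ctx, err)` followed by `return credentials.NewClientTLSFromCert(nil, "")`, or route through the caller's `pls.LogErrorNow` if that path is fatal (it appears to be, but that is inferred from its use in main). The port-only rule also means every non-443 endpoint, local or remote, is dialed unencrypted, which deserves a doc comment on the function, e.g. `// credentialsFor enables TLS with the system roots only when host ends in :443; any other port, or an unparseable host, is dialed in plaintext.`, and would be safer as an explicit opt-in setting than an inference from the port.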