|
| 1 | +// |
| 2 | +// Copyright 2026 The Sigstore Authors. |
| 3 | +// |
| 4 | +// Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | +// you may not use this file except in compliance with the License. |
| 6 | +// You may obtain a copy of the License at |
| 7 | +// |
| 8 | +// http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | +// |
| 10 | +// Unless required by applicable law or agreed to in writing, software |
| 11 | +// distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | +// See the License for the specific language governing permissions and |
| 14 | +// limitations under the License. |
| 15 | + |
| 16 | +package app |
| 17 | + |
| 18 | +import ( |
| 19 | + "context" |
| 20 | + "crypto/x509" |
| 21 | + "encoding/base64" |
| 22 | + "log/slog" |
| 23 | + "os" |
| 24 | + |
| 25 | + "k8s.io/klog/v2" |
| 26 | + |
| 27 | + "github.com/spf13/cobra" |
| 28 | + "github.com/spf13/viper" |
| 29 | + "sigs.k8s.io/release-utils/version" |
| 30 | + |
| 31 | + "github.com/sigstore/rekor-tiles/v2/internal/algorithmregistry" |
| 32 | + "github.com/sigstore/rekor-tiles/v2/internal/cli" |
| 33 | + "github.com/sigstore/rekor-tiles/v2/internal/server" |
| 34 | + "github.com/sigstore/rekor-tiles/v2/internal/signerverifier" |
| 35 | + "github.com/sigstore/rekor-tiles/v2/internal/tessera" |
| 36 | + posixDriver "github.com/sigstore/rekor-tiles/v2/internal/tessera/posix" |
| 37 | + "github.com/sigstore/rekor-tiles/v2/pkg/note" |
| 38 | + "github.com/sigstore/sigstore/pkg/signature/options" |
| 39 | +) |
| 40 | + |
| 41 | +var serveCmd = &cobra.Command{ |
| 42 | + Use: "serve", |
| 43 | + Short: "start the Rekor server", |
| 44 | + Long: "start the Rekor server", |
| 45 | + Run: func(cmd *cobra.Command, _ []string) { |
| 46 | + ctx := cmd.Context() |
| 47 | + |
| 48 | + logLevel := slog.LevelInfo |
| 49 | + if err := logLevel.UnmarshalText([]byte(viper.GetString("log-level"))); err != nil { |
| 50 | + slog.Error("invalid log-level specified; must be one of 'debug', 'info', 'error', or 'warn'") |
| 51 | + os.Exit(1) |
| 52 | + } |
| 53 | + slog.SetDefault(slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: logLevel}))) |
| 54 | + |
| 55 | + // tessera uses klog so pipe all klog messages to be written through slog |
| 56 | + klog.SetSlogLogger(slog.Default()) |
| 57 | + |
| 58 | + slog.Info("starting rekor-server", "version", version.GetVersionInfo()) |
| 59 | + |
| 60 | + if viper.GetString("signer-filepath") == "" { |
| 61 | + slog.Error("--signer-filepath must be set") |
| 62 | + os.Exit(1) |
| 63 | + } |
| 64 | + signer, err := signerverifier.NewFileSignerVerifier(viper.GetString("signer-filepath"), viper.GetString("signer-password")) |
| 65 | + if err != nil { |
| 66 | + slog.Error("failed to initialize signer", "error", err) |
| 67 | + os.Exit(1) |
| 68 | + } |
| 69 | + pubkey, err := signer.PublicKey() |
| 70 | + if err != nil { |
| 71 | + slog.Error("failed to get public key from signing key", "error", err) |
| 72 | + os.Exit(1) |
| 73 | + } |
| 74 | + der, err := x509.MarshalPKIXPublicKey(pubkey) |
| 75 | + if err != nil { |
| 76 | + slog.Error("failed to marshal public key to DER", "error", err) |
| 77 | + os.Exit(1) |
| 78 | + } |
| 79 | + slog.Info("Loaded signing key", "pubkey in base64 DER", base64.StdEncoding.EncodeToString(der)) |
| 80 | + |
| 81 | + appendOptions, err := tessera.NewAppendOptions(ctx, viper.GetString("hostname"), signer) |
| 82 | + if err != nil { |
| 83 | + slog.Error("failed to initialize append options", "error", err) |
| 84 | + os.Exit(1) |
| 85 | + } |
| 86 | + // Compute log ID for TransparencyLogEntry, to be used by clients to look up |
| 87 | + // the correct instance in a trust root. Log ID is equivalent to the non-truncated |
| 88 | + // hash of the public key and origin per the signed-note C2SP spec. |
| 89 | + pubKey, err := signer.PublicKey(options.WithContext(ctx)) |
| 90 | + if err != nil { |
| 91 | + slog.Error("failed to get public key", "error", err) |
| 92 | + os.Exit(1) |
| 93 | + } |
| 94 | + _, logID, err := note.KeyHash(viper.GetString("hostname"), pubKey) |
| 95 | + if err != nil { |
| 96 | + slog.Error("failed to get log ID", "error", err) |
| 97 | + os.Exit(1) |
| 98 | + } |
| 99 | + |
| 100 | + readOnly := viper.GetBool("read-only") |
| 101 | + var tesseraStorage tessera.Storage |
| 102 | + shutdownFn := func(_ context.Context) error { return nil } |
| 103 | + // if in read-only mode, don't start the appender, because we don't want new checkpoints being published. |
| 104 | + if !readOnly { |
| 105 | + driverConfig := posixDriver.DriverConfiguration{ |
| 106 | + StorageDir: viper.GetString("storage-dir"), |
| 107 | + PersistentAntispam: viper.GetBool("persistent-antispam"), |
| 108 | + ASMaxBatchSize: viper.GetUint("antispam-max-batch-size"), |
| 109 | + ASPushbackThreshold: viper.GetUint("antispam-pushback-threshold"), |
| 110 | + } |
| 111 | + tesseraDriver, persistentAntispam, err := posixDriver.NewDriver(ctx, driverConfig) |
| 112 | + if err != nil { |
| 113 | + slog.Error("failed to initialize driver", "error", err) |
| 114 | + os.Exit(1) |
| 115 | + } |
| 116 | + appendOptions = tessera.WithLifecycleOptions(appendOptions, viper.GetUint("batch-max-size"), viper.GetDuration("batch-max-age"), viper.GetDuration("checkpoint-interval"), viper.GetUint("pushback-max-outstanding")) |
| 117 | + appendOptions = tessera.WithAntispamOptions(appendOptions, persistentAntispam) |
| 118 | + if wpf := viper.GetString("witness-policy-path"); wpf != "" { |
| 119 | + f, err := os.ReadFile(wpf) |
| 120 | + if err != nil { |
| 121 | + slog.Error("failed to read witness policy file", "file", wpf, "error", err) |
| 122 | + os.Exit(1) |
| 123 | + } |
| 124 | + appendOptions, err = tessera.WithWitnessing(appendOptions, f) |
| 125 | + if err != nil { |
| 126 | + slog.Error("failed to initialize witnessing", "error", err) |
| 127 | + os.Exit(1) |
| 128 | + } |
| 129 | + } |
| 130 | + tesseraStorage, shutdownFn, err = tessera.NewStorage(ctx, viper.GetString("hostname"), tesseraDriver, appendOptions) |
| 131 | + if err != nil { |
| 132 | + slog.Error("failed to initialize tessera storage", "error", err) |
| 133 | + os.Exit(1) |
| 134 | + } |
| 135 | + } |
| 136 | + algorithmRegistry, err := algorithmregistry.AlgorithmRegistry(viper.GetStringSlice("client-signing-algorithms")) |
| 137 | + if err != nil { |
| 138 | + slog.Error("failed to get algorithm registry", "error", err) |
| 139 | + os.Exit(1) |
| 140 | + } |
| 141 | + |
| 142 | + rekorServer := server.NewIdentityServer(tesseraStorage, readOnly, algorithmRegistry, logID) |
| 143 | + |
| 144 | + server.Serve( |
| 145 | + ctx, |
| 146 | + server.NewHTTPConfig( |
| 147 | + server.WithHTTPPort(viper.GetInt("http-port")), |
| 148 | + server.WithHTTPHost(viper.GetString("http-address")), |
| 149 | + server.WithHTTPTimeout(viper.GetDuration("server-timeout")), |
| 150 | + server.WithHTTPMaxRequestBodySize(viper.GetInt("max-request-body-size")), |
| 151 | + server.WithHTTPMetricsPort(viper.GetInt("http-metrics-port")), |
| 152 | + server.WithHTTPTLSCredentials(viper.GetString("http-tls-cert-file"), viper.GetString("http-tls-key-file")), |
| 153 | + server.WithGRPCTLSCredentials(viper.GetString("grpc-tls-cert-file")), |
| 154 | + ), |
| 155 | + server.NewGRPCConfig( |
| 156 | + server.WithGRPCPort(viper.GetInt("grpc-port")), |
| 157 | + server.WithGRPCHost(viper.GetString("grpc-address")), |
| 158 | + server.WithGRPCTimeout(viper.GetDuration("server-timeout")), |
| 159 | + server.WithGRPCMaxMessageSize(viper.GetInt("max-request-body-size")), |
| 160 | + server.WithGRPCLogLevel(logLevel, viper.GetBool("request-response-logging")), |
| 161 | + server.WithTLSCredentials(viper.GetString("grpc-tls-cert-file"), viper.GetString("grpc-tls-key-file")), |
| 162 | + ), |
| 163 | + viper.GetDuration("tlog-timeout"), |
| 164 | + rekorServer, |
| 165 | + shutdownFn, |
| 166 | + ) |
| 167 | + }, |
| 168 | +} |
| 169 | + |
| 170 | +func init() { |
| 171 | + if err := cli.Initialize(serveCmd); err != nil { |
| 172 | + slog.Error(err.Error()) |
| 173 | + os.Exit(1) |
| 174 | + } |
| 175 | + |
| 176 | + // POSIX configs |
| 177 | + serveCmd.Flags().String("storage-dir", "", "directory for tile and checkpoint storage for a POSIX log") |
| 178 | + |
| 179 | + // checkpoint signing configs |
| 180 | + serveCmd.Flags().String("signer-filepath", "", "path to the signing key") |
| 181 | + serveCmd.Flags().String("signer-password", "", "password to decrypt the signing key") |
| 182 | + |
| 183 | + if err := viper.BindPFlags(serveCmd.Flags()); err != nil { |
| 184 | + slog.Error(err.Error()) |
| 185 | + os.Exit(1) |
| 186 | + } |
| 187 | + rootCmd.AddCommand(serveCmd) |
| 188 | +} |
0 commit comments