Drop OpenAPI for the client/server.

We serve a single handler, so OpenAPI creates a ton of overhead for our use case.

This change switches to a relatively simple http.Handler based API, and a hand-rolled API client.  This also contains unit testing of the client/server using a trivial OIDC implementation and ephemeralca.

Signed-off-by: Matt Moore <mattmoor@chainguard.dev>

.gitattributes

@@ -1,2 +0,0 @@
-/pkg/generated/** linguist-generated
-/pkg/generated/restapi/configure_fulcio_server.go -linguist-generated

.github/workflows/main.yml

@@ -33,9 +33,6 @@ jobs:
         with:
           go-version: ${{ env.GOVERSION }}
 
-      - name: Validate OpenAPI with Swagger
-        run: make validate-openapi
-
       - name: Build
         run: make -C $GITHUB_WORKSPACE all
       - name: Test

Makefile

@@ -19,9 +19,8 @@ all: fulcio
 # Ensure Make is run with bash shell as some syntax below is bash-specific
 SHELL:=/usr/bin/env bash
 
-GENSRC = pkg/generated/models/%.go pkg/generated/restapi/%.go
 OPENAPIDEPS = openapi.yaml
-SRCS = $(shell find cmd -iname "*.go") $(shell find pkg -iname "*.go"|grep -v pkg/generated) pkg/generated/restapi/configure_fulcio_server.go $(GENSRC)
+SRCS = $(shell find cmd -iname "*.go") $(shell find pkg -iname "*.go")
 TOOLS_DIR := hack/tools
 TOOLS_BIN_DIR := $(abspath $(TOOLS_DIR)/bin)
 BIN_DIR := $(abspath $(ROOT_DIR)/bin)
@@ -44,16 +43,6 @@ endif
 
 SERVER_PKG=github.com/sigstore/fulcio/cmd/app
 SERVER_LDFLAGS="-X $(SERVER_PKG).gitVersion=$(GIT_VERSION) -X $(SERVER_PKG).gitCommit=$(GIT_HASH) -X $(SERVER_PKG).gitTreeState=$(GIT_TREESTATE) -X $(SERVER_PKG).buildDate=$(BUILD_DATE)"
-
-# Binaries
-SWAGGER := $(TOOLS_BIN_DIR)/swagger
-
-$(GENSRC): $(SWAGGER) $(OPENAPIDEPS)
-	$(SWAGGER) generate server -f openapi.yaml -q -r COPYRIGHT.txt -t pkg/generated --exclude-main -A fulcio_server --exclude-spec --flag-strategy=pflag --principal github.com/coreos/go-oidc/v3/oidc.IDToken --additional-initialism=SCT
-	$(SWAGGER) generate client -f openapi.yaml -q -r COPYRIGHT.txt -t pkg/generated --principal github.com/coreos/go-oidc/v3/oidc.IDToken
-
-# this exists to override pattern match rule above since this file is in the generated directory but should not be treated as generated code
-pkg/generated/restapi/configure_fulcio_server.go: $(OPENAPIDEPS)
 
 
 lint:
@@ -82,10 +71,6 @@ debug:
 	docker-compose -f docker-compose.yml -f docker-compose.debug.yml up fulcio-server-debug
 
 
-.PHONY: validate-openapi
-validate-openapi: $(SWAGGER)
-	$(SWAGGER) validate openapi.yaml
-
 ## --------------------------------------
 ## Modules
 ## --------------------------------------
@@ -104,9 +89,3 @@ dist:
 	mkdir -p dist
 	docker run -it -v $(PWD):/go/src/sigstore/fulcio -w /go/src/sigstore/fulcio golang:1.16.6 /bin/bash -c "GOOS=linux GOARCH=amd64 go build -trimpath -o dist/fulcio-server-linux-amd64"
 
-## --------------------------------------
-## Tooling Binaries
-## --------------------------------------
-
-$(SWAGGER): $(TOOLS_DIR)/go.mod
-	cd $(TOOLS_DIR); go build -trimpath -tags=tools -o $(TOOLS_BIN_DIR)/swagger github.com/go-swagger/go-swagger/cmd/swagger

cmd/app/serve.go

@@ -19,8 +19,8 @@ import (
 	"flag"
 	"fmt"
 	"net/http"
+	"os"
 
-	"github.com/go-openapi/loads"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/sigstore/fulcio/pkg/api"
 	certauth "github.com/sigstore/fulcio/pkg/ca"
@@ -29,8 +29,6 @@ import (
 	googlecav1beta1 "github.com/sigstore/fulcio/pkg/ca/googleca/v1beta1"
 	"github.com/sigstore/fulcio/pkg/ca/x509ca"
 	"github.com/sigstore/fulcio/pkg/config"
-	"github.com/sigstore/fulcio/pkg/generated/restapi"
-	"github.com/sigstore/fulcio/pkg/generated/restapi/operations"
 	"github.com/sigstore/fulcio/pkg/log"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -66,14 +64,6 @@ var serveCmd = &cobra.Command{
 		// from https://github.com/golang/glog/commit/fca8c8854093a154ff1eb580aae10276ad6b1b5f
 		_ = flag.CommandLine.Parse([]string{})
 
-		doc, _ := loads.Embedded(restapi.SwaggerJSON, restapi.FlatSwaggerJSON)
-		server := restapi.NewServer(operations.NewFulcioServerAPI(doc))
-		defer func() {
-			if err := server.Shutdown(); err != nil {
-				log.Logger.Error(err)
-			}
-		}()
-
 		cfg, err := config.Load(viper.GetString("config-path"))
 		if err != nil {
 			log.Logger.Fatalf("error loading config: %v", err)
@@ -110,31 +100,41 @@ var serveCmd = &cobra.Command{
 			log.Logger.Fatal(err)
 		}
 
-		server.EnabledListeners = []string{"http"}
+		decorateHandler := func(h http.Handler) http.Handler {
+			return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+				ctx := r.Context()
 
-		server.ConfigureAPI()
+				// For each request, infuse context with our snapshot of the FulcioConfig.
+				// TODO(mattmoor): Consider periodically (every minute?) refreshing the ConfigMap
+				// from disk, so that we don't need to cycle pods to pick up config updates.
+				// Alternately we could take advantage of Knative's configmap watcher.
+				ctx = config.With(ctx, cfg)
+				ctx = api.WithCA(ctx, baseca)
+				ctx = api.WithCTLogURL(ctx, viper.GetString("ct-log-url"))
 
-		h := server.GetHandler()
-		server.SetHandler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			ctx := r.Context()
-
-			// For each request, infuse context with our snapshot of the FulcioConfig.
-			// TODO(mattmoor): Consider periodically (every minute?) refreshing the ConfigMap
-			// from disk, so that we don't need to cycle pods to pick up config updates.
-			// Alternately we could take advantage of Knative's configmap watcher.
-			ctx = config.With(ctx, cfg)
-			ctx = api.WithCA(ctx, baseca)
-			ctx = api.WithCTLogURL(ctx, viper.GetString("ct-log-url"))
-
-			h.ServeHTTP(rw, r.WithContext(ctx))
-		}))
+				h.ServeHTTP(rw, r.WithContext(ctx))
+			})
+		}
 
-		http.Handle("/metrics", promhttp.Handler())
+		prom := http.Server{
+			Addr:    ":2112",
+			Handler: promhttp.Handler(),
+		}
 		go func() {
-			_ = http.ListenAndServe(":2112", nil)
+			_ = prom.ListenAndServe()
 		}()
 
-		if err := server.Serve(); err != nil {
+		port := os.Getenv("PORT")
+		if port == "" {
+			port = "8080"
+		}
+
+		api := http.Server{
+			Addr:    ":" + port,
+			Handler: decorateHandler(api.NewHandler()),
+		}
+
+		if err := api.ListenAndServe(); err != nil {
 			log.Logger.Fatal(err)
 		}
 	},

config/deployment.yaml

@@ -42,11 +42,12 @@ spec:
         - containerPort: 2112 # metrics
         args: [
           "serve",
-          "--host=0.0.0.0", "--port=5555",
           "--ca=googleca", "--gcp_private_ca_parent=$(CA_PARENT)", "--gcp_private_ca_version=v1",
           "--ct-log-url=http://ct-log/test", "--log_type=prod",
         ]
         env:
+        - name: PORT
+          value: "5555"
         - name: CA_PARENT
           valueFrom:
             configMapKeyRef:

go.mod

@@ -6,37 +6,26 @@ require (
 	cloud.google.com/go/security v1.1.0
 	github.com/PaesslerAG/jsonpath v0.1.1
 	github.com/ThalesIgnite/crypto11 v1.2.5
-	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/coreos/go-oidc/v3 v3.1.0
 	github.com/go-chi/chi v4.1.2+incompatible
-	github.com/go-openapi/errors v0.20.1
-	github.com/go-openapi/loads v0.21.0
-	github.com/go-openapi/runtime v0.21.0
-	github.com/go-openapi/spec v0.20.4
-	github.com/go-openapi/strfmt v0.21.1
-	github.com/go-openapi/swag v0.19.15
-	github.com/go-openapi/validate v0.20.3
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/go-cmp v0.5.6
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/golang-lru v0.5.4
-	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mitchellh/mapstructure v1.4.3
+	github.com/mitchellh/mapstructure v1.4.3 // indirect
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.11.0
 	github.com/prometheus/common v0.29.0 // indirect
 	github.com/prometheus/procfs v0.7.0 // indirect
-	github.com/rs/cors v1.8.0
 	github.com/sigstore/sigstore v1.0.1
 	github.com/spf13/cobra v1.2.1
-	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.9.0
 	github.com/stretchr/testify v1.7.0
-	github.com/tidwall/pretty v1.2.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
 	go.uber.org/zap v1.19.1
-	golang.org/x/net v0.0.0-20210614182718-04defd469f4e
+	golang.org/x/text v0.3.7 // indirect
 	google.golang.org/genproto v0.0.0-20211027162914-98a5263abeca
 	google.golang.org/protobuf v1.27.1
+	gopkg.in/square/go-jose.v2 v2.6.0
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 )