
add GRPC interface #472

Merged
merged 28 commits into from Apr 14, 2022

Conversation

@bobcallaway (Member) commented Mar 12, 2022

This adds a GRPC interface to fulcio and moves the HTTP interface to be a wrapper around GRPC (via grpc-gateway) to ensure compatibility.

The purpose of this is to provide a simpler, cleaner interface for client code generation across sigstore libraries/services and other consumers. I am also looking to move Rekor over to a similar model but wanted to start here since the API is simpler.

Signed-off-by: Bob Callaway bcallaway@google.com

@codecov-commenter commented Mar 12, 2022

Codecov Report

Merging #472 (b57e30e) into main (2605dbf) will decrease coverage by 10.25%.
The diff coverage is 25.51%.

@@             Coverage Diff             @@
##             main     #472       +/-   ##
===========================================
- Coverage   43.91%   33.65%   -10.26%     
===========================================
  Files          16       18        +2     
  Lines        1273     1352       +79     
===========================================
- Hits          559      455      -104     
- Misses        633      834      +201     
+ Partials       81       63       -18     
Impacted Files Coverage Δ
pkg/api/client.go 0.00% <0.00%> (-75.23%) ⬇️
pkg/api/legacy_server.go 0.00% <0.00%> (ø)
pkg/api/version.go 0.00% <0.00%> (ø)
pkg/challenges/challenges.go 21.47% <0.00%> (-1.55%) ⬇️
pkg/api/grpc_server.go 44.72% <44.72%> (ø)
pkg/api/error.go 100.00% <100.00%> (+50.00%) ⬆️
pkg/ca/fileca/load.go 68.96% <0.00%> (+10.34%) ⬆️


Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@dlorenc (Member) commented Mar 13, 2022

This adds a GRPC interface to fulcio and moves the HTTP interface to be a wrapper around GRPC (via grpc-gateway) to ensure compatibility.

The purpose of this is to provide a simpler, cleaner interface for client code generation across sigstore libraries/services and other consumers. I am also looking to move Rekor over to a similar model but wanted to start here since the API is simpler.

Big +1, OpenAPI/swagger just don't add enough value for the complexity.

@bobcallaway (Member, Author) commented

@loosebazooka @mattmoor @dlorenc any chance I can get one of you to look at and/or recreate the failed test in kind outside of CI? I can't seem to reproduce it running locally (either with kind or docker-compose).

The error from the check-oidc job in the latest run is:

2022-03-13T18:32:08.144448806Z stderr F Generating ephemeral keys...
2022-03-13T18:32:08.14469571Z stderr F Retrieving signed certificate...
2022-03-13T18:32:08.759737048Z stderr F tlog entry created with index: 1651798
2022-03-13T18:32:08.75984375Z stderr F Error: signing [registry.local:5000/fulcio/fulcio-bd4d600f674b081a535a886a15cb8d9a@sha256:cb7bf620bb822701f48b440114f846a0aef307bab344346a7d676777467a2f88]: signing digest: error during PEM decoding
2022-03-13T18:32:08.759853651Z stderr F main.go:46: error during command execution: signing [registry.local:5000/fulcio/fulcio-bd4d600f674b081a535a886a15cb8d9a@sha256:cb7bf620bb822701f48b440114f846a0aef307bab344346a7d676777467a2f88]: signing digest: error during PEM decoding

I read this as: cosign's interaction with fulcio went fine (denoted by the fact we were successfully able to upload the signature to rekor), the failure seems to occur when adding the signature back to the registry for the container where there is some issue parsing the cert or the chain for the OCI signature.

I'm also able to query and parse the root cert for fulcio just fine:

[bcallawa@bcallawa-m900z cosign]$ curl -s http://127.0.0.1:5555/api/v1/rootCert | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b6:4d:00:f1:5d:c4:73:f0:8d:e0:e5:a0:3c:32:60:28:40:3b:fe
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: O = sigstore.dev, CN = sigstore
        Validity
            Not Before: Oct  7 13:56:59 2021 GMT
            Not After : Oct  5 13:56:58 2031 GMT
        Subject: O = sigstore.dev, CN = sigstore
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:fb:5d:e1:53:e2:b6:f7:3d:01:b0:4b:82:1a:8e:
                    d2:e4:df:f3:a5:9e:98:1a:9e:06:81:72:56:29:b1:
                    80:6b:e6:2f:b8:ca:70:74:ed:c7:9b:dc:b3:f4:38:
                    83:99:77:17:b1:5f:af:5c:e6:25:6e:c8:94:50:f8:
                    7c:f4:e7:28:be:50:5d:ee:05:60:25:1e:98:92:e6:
                    c8:74:f8:7d:86:1c:4e:d2:5e:b9:35:10:2e:66:d5:
                    3a:f5:f4:bf:60:83:dd
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                58:C0:1E:5F:91:45:A5:66:A9:7A:CC:90:A1:93:22:D0:2A:C5:C5:FA
            X509v3 Authority Key Identifier: 
                keyid:58:C0:1E:5F:91:45:A5:66:A9:7A:CC:90:A1:93:22:D0:2A:C5:C5:FA

    Signature Algorithm: ecdsa-with-SHA384
         30:66:02:31:00:8f:59:c7:79:76:69:fb:5d:cd:58:13:5a:f8:
         40:ec:0c:ff:06:d5:65:a0:d6:d0:8c:58:ff:d6:1c:fa:a9:69:
         5a:34:8e:1b:30:78:d1:59:81:2b:34:78:4e:f0:60:8e:2a:02:
         31:00:d9:60:7d:a2:df:7c:b0:89:28:17:7b:d9:61:d7:77:fd:
         5b:56:07:96:fd:4c:d3:1e:6b:b2:31:fe:cb:49:e5:37:dc:2c:
         b7:80:04:b1:38:04:d2:4e:b1:0e:2f:9c:11:c9

@mattmoor (Member) left a comment

Generally +1, but I didn't review it super thoroughly.

The dance we have to do for the weird content types some of the APIs use is unfortunate, but hopefully we can switch the main consumers to the GRPC path.

cc @nsmith5 @tstromberg

fulcio.proto Outdated
Comment on lines 25 to 37
/**
* Returns information about the current state of the transparency log
*/
rpc GetSigningCert(CertificateRequest) returns (CertificateResponse){
option (google.api.http) = {
post: "/api/v1/signingCert"
body: "*"
};
}
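Review bot: the doc comment above GetSigningCert ("Returns information about the current state of the transparency log") describes some other RPC, not this one; it should state what the method does, which per the binding is issuing a signing certificate for the CertificateRequest POSTed to /api/v1/signingCert. That comment is also the natural home for the HTTP-path response munging raised in this thread, since it is what generated clients and swagger output will carry.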
Member:

Can we document some of the custom response munging we have to do on the HTTP path? I could see folks naively trying to reimplement this proto API and having a bad time.

Member, Author:

I could resurrect the old openapi.yaml doc and make sure it is up to date

Member:

Oh, I was just talking about in the rpc comment. Pretty sure you can generate swagger docs from these as well, although if I've done it it's been years...

@haydentherapper (Contributor) commented

Left a bunch of API-specific comments. The main consumer annoyance I predict is around consuming a certificate chain. I think we should try to resolve that here with a repeated field.

bobcallaway and others added 9 commits March 29, 2022 12:53 (each signed off by Bob Callaway)

@nsmith5 (Contributor) left a comment


Super awesome work ❤️ Really excited for this to land and mega kudos for not breaking the v1 API in the process. Extra special high-fives to wiring up the OIDC token into the context and passing context through to the CTlog client!

Feedback is just nits and questions for my own learning mostly

fulcio.proto
}

enum PublicKeyAlgorithm {
PUBLIC_KEY_ALGORITHM_UNSPECIFIED = 0;
Contributor:

Question: Do we actually support anything outside ECDSA key-pairs right now? I've seen places around the sigstore project where it's sort of hard-coded to ECDSA and wasn't sure if there is actually flexibility there

Contributor:

We support RSA, ECDSA, and ED25519 keys. There may be a couple lingering places in Cosign that still hardcode ECDSA, but most code paths should use the helper function from Sigstore that builds the signer/verifier regardless of type.

FWIW, this algorithm is ignored currently, the functions Fulcio calls can parse the key regardless of type.

Contributor:

Right right, is there even a need for this ever? What is the API even supposed to do if there is a mismatch? The alg type is always available in the public key anyways right?
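
As an added example, not Fulcio's implementation, of the point made in this exchange that the algorithm is already carried by the public key itself: parse the PKIX key, derive its algorithm from the parsed Go type, and treat a client-declared algorithm as a cross-check that must agree with the key whenever it is specified, so a mismatch is rejected rather than ignored. The enum names (PublicKeyAlgorithmRSA and so on) follow the proto's UNSPECIFIED = 0 convention but are this example's assumption, and the 2048-bit RSA minimum is this example's policy, not Fulcio's; the sample keys are generated in memory.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// PublicKeyAlgorithm follows the proto convention of an UNSPECIFIED zero value.
// The names are assumed for this example, not taken from fulcio.proto.
type PublicKeyAlgorithm int

const (
	PublicKeyAlgorithmUnspecified PublicKeyAlgorithm = iota
	PublicKeyAlgorithmRSA
	PublicKeyAlgorithmECDSA
	PublicKeyAlgorithmED25519
)

func (a PublicKeyAlgorithm) String() string {
	names := [...]string{"UNSPECIFIED", "RSA", "ECDSA", "ED25519"}
	if a < 0 || int(a) >= len(names) {
		return fmt.Sprintf("PublicKeyAlgorithm(%d)", int(a))
	}
	return names[a]
}

var (
	ErrAlgorithmMismatch = errors.New("declared algorithm does not match the key")
	ErrUnsupportedKey    = errors.New("unsupported public key type")
	ErrWeakKey           = errors.New("key does not meet minimum strength")
)

// minRSABits is this example's policy, not Fulcio's.
const minRSABits = 2048

// AlgorithmOf derives the algorithm from the parsed key's type; the PKIX
// SubjectPublicKeyInfo already names it, so the client need not.
func AlgorithmOf(pub crypto.PublicKey) (PublicKeyAlgorithm, error) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < minRSABits {
			return PublicKeyAlgorithmRSA, fmt.Errorf("%w: RSA %d bits", ErrWeakKey, k.N.BitLen())
		}
		return PublicKeyAlgorithmRSA, nil
	case *ecdsa.PublicKey:
		return PublicKeyAlgorithmECDSA, nil
	case ed25519.PublicKey:
		return PublicKeyAlgorithmED25519, nil
	}
	return PublicKeyAlgorithmUnspecified, fmt.Errorf("%w: %T", ErrUnsupportedKey, pub)
}

// ParseDeclaredPublicKey parses a PEM PKIX public key and cross-checks it against
// the algorithm the client declared. UNSPECIFIED means "take it from the key";
// any other value must agree with the key or the request is rejected.
func ParseDeclaredPublicKey(pemKey []byte, declared PublicKeyAlgorithm) (crypto.PublicKey, PublicKeyAlgorithm, error) {
	block, _ := pem.Decode(pemKey)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, PublicKeyAlgorithmUnspecified, errors.New(`expected a PEM "PUBLIC KEY" block`)
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, PublicKeyAlgorithmUnspecified, err
	}
	actual, err := AlgorithmOf(pub)
	if err != nil {
		return nil, actual, err
	}
	if declared != PublicKeyAlgorithmUnspecified && declared != actual {
		return nil, actual, fmt.Errorf("%w: declared %s, key is %s", ErrAlgorithmMismatch, declared, actual)
	}
	return pub, actual, nil
}

// EncodePublicKey serialises a key as PEM PKIX; used only to build sample requests.
func EncodePublicKey(pub crypto.PublicKey) []byte {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

func main() {
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	edPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 1024) // deliberately below the policy minimum
	cases := []struct {
		key      []byte
		declared PublicKeyAlgorithm
	}{
		{EncodePublicKey(&ecKey.PublicKey), PublicKeyAlgorithmUnspecified}, // accepted, ECDSA inferred
		{EncodePublicKey(&ecKey.PublicKey), PublicKeyAlgorithmECDSA},       // accepted, matches
		{EncodePublicKey(&ecKey.PublicKey), PublicKeyAlgorithmRSA},         // rejected, mismatch
		{EncodePublicKey(edPub), PublicKeyAlgorithmED25519},                // accepted
		{EncodePublicKey(&rsaKey.PublicKey), PublicKeyAlgorithmRSA},        // rejected, weak key
	}
	for _, c := range cases {
		_, alg, err := ParseDeclaredPublicKey(c.key, c.declared)
		fmt.Printf("declared=%-11s key=%-8s err=%v\n", c.declared, alg, err)
	}
}
```

If the enum stays in the API, this is the behaviour that gives it a purpose: a stated algorithm becomes a client assertion the CA can contradict, and a CA that wants to restrict key types or sizes has one place to do it regardless of what the client claimed.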

@haydentherapper mentioned this pull request Mar 29, 2022

@@ -64,12 +66,31 @@ func newServeCmd() *cobra.Command {
cmd.Flags().String("fileca-key", "", "Path to CA encrypted private key")
cmd.Flags().String("fileca-key-passwd", "", "Password to decrypt CA private key")
cmd.Flags().Bool("fileca-watch", true, "Watch filesystem for updates")
cmd.Flags().String("host", "0.0.0.0", "The host on which to serve requests")
cmd.Flags().String("port", "8080", "The port on which to serve requests")
cmd.Flags().String("host", "0.0.0.0", "The host on which to serve requests for HTTP; --http-host is alias")
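Review bot: as rendered, this hunk shows two cmd.Flags().String("host", ...) registrations (the original line and the new one whose help text mentions --http-host); pflag panics on a redefined flag, so the original --host/--port lines have to be the removed side of the diff, and the --http-host alias named in the help text needs checking for the same collision. Separately, the 0.0.0.0 default now applies to an HTTP listener that sits next to a separate gRPC listener; if the deployment relies on Nginx to front both, consider whether the gRPC listener should default to a loopback address, or the flag help should say that it is expected to be exposed only through the proxy.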
Contributor:

What handles routing to the correct host? Is Nginx/Kubernetes aware of whether the request is a GRPC or HTTP request?

Member, Author:

Two lines below, there is a separate listener on a different port for gRPC requests vs. HTTP requests.

Contributor:

I was wondering what handles routing, since both will be accessible from https://fulcio.sigstore.dev

Member, Author:

Nginx should be able to handle it
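
The PR description makes the HTTP API a grpc-gateway wrapper around gRPC, and this exchange settles on two listeners on different ports with Nginx in front. For readers who want to know what the proxy (or a single Go server) keys on to tell the two apart, the following is an added example, not Fulcio's code: gRPC is always HTTP/2 with a Content-Type beginning with application/grpc, and that pair is the whole dispatch rule. The gRPC and REST handlers here are in-memory stand-ins; in a real server they would be a *grpc.Server (which implements http.Handler) and the gateway's runtime.ServeMux, both assumed rather than imported, and the request path reuses the PR's /api/v1/signingCert.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// IsGRPCRequest is the discriminator a proxy or a shared listener needs: gRPC is
// carried over HTTP/2 and uses a Content-Type starting with application/grpc
// (application/grpc, application/grpc+proto, application/grpc+json). An HTTP/1.1
// request claiming application/grpc cannot be a gRPC call and stays on the REST side.
func IsGRPCRequest(r *http.Request) bool {
	return r.ProtoMajor == 2 &&
		strings.HasPrefix(r.Header.Get("Content-Type"), "application/grpc")
}

// SplitHandler serves gRPC and the grpc-gateway REST mux from one listener. It only
// works where the listener negotiates HTTP/2 (TLS with h2, or h2c for plaintext),
// which is one reason separate ports behind a proxy is the simpler layout.
func SplitHandler(grpcHandler, httpHandler http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if IsGRPCRequest(r) {
			grpcHandler.ServeHTTP(w, r)
			return
		}
		httpHandler.ServeHTTP(w, r)
	})
}

// NewTestRequest builds a constructed POST to the PR's /api/v1/signingCert path with
// the given HTTP major version and Content-Type (httptest defaults to HTTP/1.1).
func NewTestRequest(protoMajor int, contentType string) *http.Request {
	r := httptest.NewRequest(http.MethodPost, "/api/v1/signingCert", nil)
	r.ProtoMajor, r.ProtoMinor = protoMajor, 0
	if protoMajor == 1 {
		r.ProtoMinor = 1
	}
	r.Proto = fmt.Sprintf("HTTP/%d.%d", r.ProtoMajor, r.ProtoMinor)
	r.Header.Set("Content-Type", contentType)
	return r
}

// Served runs req through a SplitHandler with stand-in backends and reports which
// side handled it: "grpc" or "http".
func Served(req *http.Request) string {
	served := ""
	h := SplitHandler(
		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			served = "grpc" // a real *grpc.Server would answer with grpc-status trailers
			w.Header().Set("Content-Type", "application/grpc")
		}),
		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			served = "http" // the gateway mux would translate JSON to the gRPC call
			w.Header().Set("Content-Type", "application/json")
		}),
	)
	h.ServeHTTP(httptest.NewRecorder(), req)
	return served
}

func main() {
	for _, c := range []struct {
		proto int
		ct    string
	}{
		{2, "application/grpc+proto"}, // native gRPC client
		{1, "application/json"},       // REST client via grpc-gateway
		{1, "application/grpc"},       // spoofed header on HTTP/1.1: still REST side
		{2, "application/json"},       // HTTP/2 but not gRPC: REST side
	} {
		fmt.Printf("HTTP/%d %-22s -> %s\n", c.proto, c.ct, Served(NewTestRequest(c.proto, c.ct)))
	}
}
```

The same two signals are what an Nginx or ingress rule uses to pick grpc_pass versus proxy_pass when both APIs share one hostname; with separate ports the proxy does not need to inspect the request at all, which is the trade the thread above makes.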

Comment on lines +57 to +62
if legacyGRPCServer != nil {
endpoint := fmt.Sprintf("unix:%v", legacyGRPCServer.grpcServerEndpoint)
if err := legacy_gw.RegisterCAHandlerFromEndpoint(ctx, mux, endpoint, opts); err != nil {
log.Logger.Fatal(err)
}
}
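Review bot: a failure from RegisterCAHandlerFromEndpoint is log.Logger.Fatal here, so a problem wiring the legacy compatibility path brings down the whole process, new gRPC listener included; since the only gate is legacyGRPCServer != nil and the intent stated below is to be able to switch the legacy API off later, driving this from a flag or config and deciding explicitly whether a registration failure should be fatal would make that switch safer. The endpoint is built as "unix:" plus the socket path, so check that opts carries dial credentials suitable only for a local Unix socket and is not the same option set reused for any TCP endpoint.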
Member:

What determines if legacyGRPCServer is set? Does this bubble up from config?

Member, Author:

it doesn't bubble up from config (yet), but if we wanted to deprecate and turn that off we could just set it to nil

Member:

gotcha, I was thinking there might be a flag/config leveraged that would decide on what runs (REST API or gRPC (or even both)).

Member, Author:

hmm, interesting thought. let me noodle on that for a bit.

@nsmith5 (Contributor) left a comment


❤️ Looks good to me!

@dlorenc (Member) commented Apr 12, 2022

I'm happy with this whenever you're all ready for the merge!

@dlorenc (Member) commented Apr 13, 2022

Merge when ready!

@bobcallaway bobcallaway merged commit d464219 into sigstore:main Apr 14, 2022
k4leung4 added a commit to k4leung4/scaffolding that referenced this pull request Apr 19, 2022
This mirrors the change from sigstore/fulcio#472

Signed-off-by: Kenny Leung <kleung@chainguard.dev>
vaikas pushed a commit to sigstore/scaffolding that referenced this pull request Apr 20, 2022
This mirrors the change from sigstore/fulcio#472

Signed-off-by: Kenny Leung <kleung@chainguard.dev>
wlynch added a commit to wlynch/gitsign that referenced this pull request Sep 20, 2022
Also renames Fulcio Client -> LegacyClient in response to
sigstore/fulcio#472 (we can switch to the gRPC
client in another PR).
wlynch added a commit to sigstore/gitsign that referenced this pull request Sep 20, 2022
Also renames Fulcio Client -> LegacyClient in response to
sigstore/fulcio#472 (we can switch to the gRPC
client in another PR).

Signed-off-by: Billy Lynch <billy@chainguard.dev>
7 participants