Merge pull request #36 from omertuc/unouger

Remove dependency on ouger

Cargo.toml

@@ -46,4 +46,8 @@ libc = "0.2.147"
 clio = { version = "0.3.4", features = ["clap", "clap-parse"] }
 data-url = "0.3.0"
 reqwest = { version = "0.11.20", default-features = false }
+prost = "0.12.1"
+
+[build-dependencies]
+prost-build = "0.12.1"
 

Dockerfile

@@ -14,17 +14,12 @@ RUN apt-get install -y protobuf-compiler
 RUN cargo chef cook --release --recipe-path recipe.json
 COPY Cargo.toml Cargo.lock .
 COPY src/ src/
+COPY build.rs build.rs
 RUN cargo build --release --bin recert
 
-FROM docker.io/library/golang:1.19-bookworm as ouger-builder
-COPY ./ouger $GOPATH/src
-WORKDIR $GOPATH/src
-RUN go build -buildvcs=false -o $GOPATH/bin/ouger_server cmd/server/ouger_server.go
-
 FROM docker.io/library/debian:bookworm AS runtime
 WORKDIR app
 RUN apt-get update
 RUN apt-get install -y openssl
-COPY --from=ouger-builder /go/bin/ouger_server /usr/local/bin
 COPY --from=builder /app/target/release/recert /usr/local/bin
 ENTRYPOINT ["/usr/local/bin/recert"]

README.md

@@ -22,7 +22,7 @@ For more information see the [design doc](docs/design.md)
 
 ### Local Development
 
-You need protoc (dnf install protobuf-compiler), podman, etcdctl, [ouger](https://github.com/omertuc/ouger), meld, and an IBU backup seed image. Then run `./run_seed.sh <seed pullspec>`
+You need protoc (dnf install protobuf-compiler), podman, etcdctl, meld, and an IBU seed image. Then run `./run_seed.sh <seed pullspec>`
 
 ### Run on a cluster
 

build.rs

@@ -0,0 +1,24 @@
+extern crate prost_build;
+
+use std::io::Result;
+
+fn main() -> Result<()> {
+    let mut prost_build = prost_build::Config::new();
+
+    prost_build.type_attribute(".", "#[derive(serde::Serialize, serde::Deserialize)]");
+    prost_build.type_attribute(".", "#[serde(rename_all = \"camelCase\")]");
+
+    prost_build.include_file("_includes.rs");
+
+    prost_build.compile_protos(
+        &[
+            "k8s.io/api/core/v1/generated.proto",
+            "k8s.io/api/admissionregistration/v1/generated.proto",
+            "k8s.io/api/apps/v1/generated.proto",
+            "route/v1/generated.proto",
+        ],
+        &["./src/protobuf"],
+    )?;
+
+    Ok(())
+}

docs/design.md

@@ -696,11 +696,10 @@ right places and doesn't miss anything.
 #### etcd scanning
 
 recert will fetch all etcd values of `secrets`, `configmaps`, `machineconfigs`
-and a few other kinds. Since etcd doesn't store YAMLs for most resources, and
-instead stores a protobuf binary encoding of the resources, `recert` for now
-has to use [ouger](https://github.com/omertuc/ouger/) to convert those
-resources from and to YAML (this is usually done by kube-apiserver when you
-normally use kubernetes, but with recert we use direct etcd access).
+and a few other kinds. Since kube-apiserver doesn't store raw JSONs in etcd for
+most resources, and instead stores a protobuf binary encoding of the resources,
+`recert` has to use protobuf definitions copied from the kubernetes repo in
+order to be able to decode/encode those values.
 
 For each kind of resource, `recert` has specialized code to scan it for
 cryptographic objects. i.e., recert will not simply brute-force blindly
@@ -977,8 +976,8 @@ key gets discarded during installation.
 ### etcd cache
 
 During the Commit stage mentioned above, we would do many writes to etcd. It's
-very slow to go through ouger and etcd for each one, so instead we maintain an
-in-memory cache of all etcd YAMLs, and all writes actually happen in memory.
+very slow to go through etcd for each one, so instead we maintain an in-memory
+cache of all etcd YAMLs, and all writes actually happen in memory.
 
 In the end, we simply commit that cache back to etcd. This essentially batches
 all the etcd writes of the same YAML into a single operation.