Create separate binaries for each backend

Author: kipz

Dockerfile

@@ -16,6 +16,7 @@
 FROM --platform=$BUILDPLATFORM golang:1.25.3@sha256:6d4e5e74f47db00f7f24da5f53c1b4198ae46862a47395e30477365458347bf2 AS builder
 ARG TARGETOS
 ARG TARGETARCH
+ARG CLOUD_PROVIDER=gcp
 ENV APP_ROOT=/opt/app-root
 ENV GOPATH=$APP_ROOT
 
@@ -30,9 +31,9 @@ ADD ./internal/ $APP_ROOT/src/internal/
 
 ARG SERVER_LDFLAGS
 # Build server for deployment
-RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 go build -ldflags "${SERVER_LDFLAGS}" ./cmd/rekor-server
+RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 go build -ldflags "${SERVER_LDFLAGS}" -o rekor-server ./cmd/rekor-server-${CLOUD_PROVIDER}
 # Build server for debugger
-RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 go build -gcflags "all=-N -l" -ldflags "${SERVER_LDFLAGS}" -o rekor-server_debug ./cmd/rekor-server
+RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 go build -gcflags "all=-N -l" -ldflags "${SERVER_LDFLAGS}" -o rekor-server_debug ./cmd/rekor-server-${CLOUD_PROVIDER}
 
 # Multi-stage deployment build
 FROM golang:1.25.3@sha256:6d4e5e74f47db00f7f24da5f53c1b4198ae46862a47395e30477365458347bf2 AS deploy

Dockerfile.release

@@ -17,6 +17,7 @@
 FROM --platform=$BUILDPLATFORM golang:1.25.3-bookworm@sha256:4f43b271f9673eb7bd0cb3a49cc17b08d8d6ee110277e26dbacc93c43a5a7793 AS builder
 ARG TARGETOS
 ARG TARGETARCH
+ARG CLOUD_PROVIDER=gcp
 ENV APP_ROOT=/opt/app-root
 ENV GOPATH=$APP_ROOT
 
@@ -31,7 +32,7 @@ ADD ./internal/ $APP_ROOT/src/internal/
 
 ARG SERVER_LDFLAGS
 # Build server for deployment. Build without cgo since distroless/static-debian12 doesn't include lib/cgo
-RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 go build -ldflags "${SERVER_LDFLAGS}" ./cmd/rekor-server
+RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 go build -ldflags "${SERVER_LDFLAGS}" -o rekor-server ./cmd/rekor-server-${CLOUD_PROVIDER}
 
 # Multi-stage deployment build
 FROM gcr.io/distroless/static-debian12:nonroot@sha256:e8a4044e0b4ae4257efa45fc026c0bc30ad320d43bd4c1a7d5271bd241e386d0 AS deploy

Makefile

@@ -15,7 +15,7 @@
 
 .PHONY: all test clean lint gosec ko-local tools ldflags
 
-all: protos rekor-server
+all: protos rekor-server-gcp rekor-server-aws
 
 GIT_VERSION ?= $(shell git describe --tags --always --dirty)
 GIT_HASH ?= $(shell git rev-parse HEAD)
@@ -73,8 +73,15 @@ lint:
 gosec: ## Run gosec security scanner
 	$(GOBIN)/gosec ./...
 
-rekor-server: $(SRC) $(PROTO_SRC)
-	CGO_ENABLED=0 go build -trimpath -ldflags "$(SERVER_LDFLAGS)" -o rekor-server ./cmd/rekor-server
+rekor-server-gcp: $(SRC) $(PROTO_SRC)
+	CGO_ENABLED=0 go build -trimpath -tags gcp -ldflags "$(SERVER_LDFLAGS)" -o rekor-server-gcp ./cmd/rekor-server-gcp
+
+rekor-server-aws: $(SRC) $(PROTO_SRC)
+	CGO_ENABLED=0 go build -trimpath -tags aws -ldflags "$(SERVER_LDFLAGS)" -o rekor-server-aws ./cmd/rekor-server-aws
+
+# Legacy target for backwards compatibility - builds GCP version
+rekor-server: rekor-server-gcp
+	cp rekor-server-gcp rekor-server
 
 ldflags: ## Print ldflags
 	@echo $(SERVER_LDFLAGS)
@@ -86,7 +93,8 @@ ko-local: ## Build container images locally using ko
 	KO_DOCKER_REPO=ko.local LDFLAGS="$(SERVER_LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
 	ko publish --base-import-paths \
 		--tags $(GIT_VERSION) --tags $(GIT_HASH) --image-refs rekorImagerefs \
-		github.com/sigstore/rekor-tiles/v2/cmd/rekor-server
+		github.com/sigstore/rekor-tiles/v2/cmd/rekor-server-gcp \
+		github.com/sigstore/rekor-tiles/v2/cmd/rekor-server-aws
 
 # generate Go protobuf code
 protos:
@@ -106,7 +114,7 @@ clean: ## Remove built binaries and artifacts
 	rm -rf pkg/generated/protobuf/*
 	rm -rf dist
 	rm -rf hack/tools/bin
-	rm -rf rekor-server
+	rm -rf rekor-server rekor-server-gcp rekor-server-aws
 
 ##################
 # help

README.md

@@ -60,14 +60,19 @@ to report them.
 
 ## Storage Backends
 
-Rekor v2 supports multiple storage backends for flexibility in deployment:
+Rekor v2 supports multiple storage backends. To avoid binary bloat from unused dependencies, separate binaries for each backend are provided:
+
+- `rekor-server-gcp`: GCP-specific binary (includes only Google Cloud dependencies)
+- `rekor-server-aws`: AWS-specific binary (includes only AWS dependencies)
 
 ### Google Cloud Platform (GCP)
+- **Binary**: `rekor-server-gcp`
 - **Object Storage**: Google Cloud Storage (GCS)
 - **Database**: Cloud Spanner
 - **Use case**: Preferred for global deployments requiring strong consistency and automatic scaling
 
 ### Amazon Web Services (AWS)
+- **Binary**: `rekor-server-aws`
 - **Object Storage**: Amazon S3
 - **Database**: Aurora MySQL (or RDS MySQL)
 - **Use case**: Cost-effective option for regional deployments with MySQL compatibility
@@ -93,7 +98,7 @@ When deploying your own instance, configure the storage backend using command-li
 
 **GCP Backend:**
 ```bash
-rekor-server serve \
+rekor-server-gcp serve \
   --hostname=your-hostname \
   --gcp-bucket=your-gcs-bucket \
   --gcp-spanner=projects/PROJECT/instances/INSTANCE/databases/DATABASE \
@@ -102,7 +107,7 @@ rekor-server serve \
 
 **AWS Backend:**
 ```bash
-rekor-server serve \
+rekor-server-aws serve \
   --hostname=your-hostname \
   --aws-bucket=your-s3-bucket \
   --aws-mysql-dsn="user:password@tcp(host:3306)/database?parseTime=true" \
@@ -129,7 +134,7 @@ Optional flags for both backends:
 - `--checkpoint-interval`: Frequency of checkpoint publishing (default: 30s)
 - `--batch-max-size`: Maximum entries per batch (default: 1024)
 
-See `rekor-server serve --help` for all available options.
+See `rekor-server-gcp serve --help` or `rekor-server-aws serve --help` for all available options.
 
 ### Making a request
 

cmd/rekor-server-aws/app/backend.go

@@ -0,0 +1,81 @@
+//
+// Copyright 2025 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package app
+
+import (
+	"crypto"
+	"fmt"
+	"log/slog"
+	"os"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+
+	"github.com/sigstore/rekor-tiles/v2/internal/signerverifier"
+	"github.com/sigstore/rekor-tiles/v2/internal/tessera"
+)
+
+// AWSBackend implements the BackendConfig interface for AWS
+type AWSBackend struct{}
+
+func (a *AWSBackend) Name() string {
+	return "aws"
+}
+
+func (a *AWSBackend) Description() string {
+	return "Amazon Web Services"
+}
+
+func (a *AWSBackend) SetupLogger(logLevel slog.Level) *slog.Logger {
+	return slog.New(slog.NewJSONHandler(os.Stderr, &slog.HandlerOptions{Level: logLevel}))
+}
+
+func (a *AWSBackend) RegisterFlags(cmd *cobra.Command) {
+	// AWS-specific storage configs
+	cmd.Flags().String("aws-bucket", "", "S3 bucket for tile and checkpoint storage")
+	cmd.Flags().String("aws-mysql-dsn", "", "MySQL DSN for Aurora/RDS (e.g., user:pass@tcp(host:3306)/dbname)")
+
+	// AWS KMS configs
+	cmd.Flags().String("signer-kmskey", "", "URI of the KMS key, in the form of awskms://keyname")
+	cmd.Flags().String("signer-tink-kek-uri", "", "encryption key for decrypting Tink keyset. Valid options are [aws-kms://keyname]")
+}
+
+func (a *AWSBackend) GetKMSSignerOptions() ([]signerverifier.Option, error) {
+	kmshash := viper.GetString("signer-kmshash")
+	hashAlg, ok := hashAlgMap[kmshash]
+	if !ok {
+		return nil, fmt.Errorf("invalid hash algorithm for --signer-kmshash: %s", kmshash)
+	}
+	// AWS KMS doesn't need the same RPC options as GCP
+	return []signerverifier.Option{signerverifier.WithKMS(viper.GetString("signer-kmskey"), hashAlg, nil)}, nil
+}
+
+func (a *AWSBackend) GetDriverConfig() (tessera.DriverConfiguration, error) {
+	return tessera.DriverConfiguration{
+		Hostname:            viper.GetString("hostname"),
+		AWSBucket:           viper.GetString("aws-bucket"),
+		AWSMySQLDSN:         viper.GetString("aws-mysql-dsn"),
+		PersistentAntispam:  viper.GetBool("persistent-antispam"),
+		ASMaxBatchSize:      viper.GetUint("antispam-max-batch-size"),
+		ASPushbackThreshold: viper.GetUint("antispam-pushback-threshold"),
+	}, nil
+}
+
+var hashAlgMap = map[string]crypto.Hash{
+	"sha256": crypto.SHA256,
+	"sha384": crypto.SHA384,
+	"sha512": crypto.SHA512,
+}

cmd/rekor-server/main.go cmd/rekor-server-aws/main.gocmd/rekor-server/main.go renamed to cmd/rekor-server-aws/main.go

@@ -15,8 +15,11 @@
 
 package main
 
-import "github.com/sigstore/rekor-tiles/v2/cmd/rekor-server/app"
+import (
+	sharedapp "github.com/sigstore/rekor-tiles/v2/cmd/rekor-server/app"
+	"github.com/sigstore/rekor-tiles/v2/cmd/rekor-server-aws/app"
+)
 
 func main() {
-	app.Execute()
+	sharedapp.Execute(&app.AWSBackend{})
 }

cmd/rekor-server-gcp/app/backend.go

@@ -0,0 +1,93 @@
+//
+// Copyright 2025 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package app
+
+import (
+	"crypto"
+	"fmt"
+	"log/slog"
+	"time"
+
+	clog "github.com/chainguard-dev/clog/gcp"
+	grpc_retry "github.com/grpc-ecosystem/go-grpc-middleware/retry"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"google.golang.org/api/option"
+	"google.golang.org/grpc"
+
+	"github.com/sigstore/rekor-tiles/v2/internal/signerverifier"
+	"github.com/sigstore/rekor-tiles/v2/internal/tessera"
+	"github.com/sigstore/sigstore/pkg/signature"
+	"github.com/sigstore/sigstore/pkg/signature/kms/gcp"
+)
+
+// GCPBackend implements the BackendConfig interface for GCP
+type GCPBackend struct{}
+
+func (g *GCPBackend) Name() string {
+	return "gcp"
+}
+
+func (g *GCPBackend) Description() string {
+	return "Google Cloud Platform"
+}
+
+func (g *GCPBackend) SetupLogger(logLevel slog.Level) *slog.Logger {
+	return slog.New(clog.NewHandler(logLevel))
+}
+
+func (g *GCPBackend) RegisterFlags(cmd *cobra.Command) {
+	// GCP-specific storage configs
+	cmd.Flags().String("gcp-bucket", "", "GCS bucket for tile and checkpoint storage")
+	cmd.Flags().String("gcp-spanner", "", "Spanner database URI")
+
+	// GCP KMS configs
+	cmd.Flags().String("signer-kmskey", "", "URI of the KMS key, in the form of gcpkms://keyname")
+	cmd.Flags().String("signer-tink-kek-uri", "", "encryption key for decrypting Tink keyset. Valid options are [gcp-kms://keyname]")
+	cmd.Flags().Uint("gcp-kms-retries", 0, "number of retries for GCP KMS requests")
+	cmd.Flags().Uint32("gcp-kms-timeout", 0, "sets the RPC timeout per call for GCP KMS requests in seconds, defaults to 0 (no timeout)")
+}
+
+func (g *GCPBackend) GetKMSSignerOptions() ([]signerverifier.Option, error) {
+	kmshash := viper.GetString("signer-kmshash")
+	hashAlg, ok := hashAlgMap[kmshash]
+	if !ok {
+		return nil, fmt.Errorf("invalid hash algorithm for --signer-kmshash: %s", kmshash)
+	}
+	// initialize optional RPC options for GCP KMS
+	rpcOpts := make([]signature.RPCOption, 0)
+	callOpts := []grpc_retry.CallOption{grpc_retry.WithMax(viper.GetUint("gcp-kms-retries")), grpc_retry.WithPerRetryTimeout(time.Duration(viper.GetUint32("gcp-kms-timeout")) * time.Second)}
+	rpcOpts = append(rpcOpts, gcp.WithGoogleAPIClientOption(option.WithGRPCDialOption(grpc.WithUnaryInterceptor(grpc_retry.UnaryClientInterceptor(callOpts...)))))
+
+	return []signerverifier.Option{signerverifier.WithKMS(viper.GetString("signer-kmskey"), hashAlg, rpcOpts)}, nil
+}
+
+func (g *GCPBackend) GetDriverConfig() (tessera.DriverConfiguration, error) {
+	return tessera.DriverConfiguration{
+		Hostname:            viper.GetString("hostname"),
+		GCPBucket:           viper.GetString("gcp-bucket"),
+		GCPSpannerDB:        viper.GetString("gcp-spanner"),
+		PersistentAntispam:  viper.GetBool("persistent-antispam"),
+		ASMaxBatchSize:      viper.GetUint("antispam-max-batch-size"),
+		ASPushbackThreshold: viper.GetUint("antispam-pushback-threshold"),
+	}, nil
+}
+
+var hashAlgMap = map[string]crypto.Hash{
+	"sha256": crypto.SHA256,
+	"sha384": crypto.SHA384,
+	"sha512": crypto.SHA512,
+}

cmd/rekor-server-gcp/main.go

@@ -0,0 +1,25 @@
+//
+// Copyright 2025 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	sharedapp "github.com/sigstore/rekor-tiles/v2/cmd/rekor-server/app"
+	"github.com/sigstore/rekor-tiles/v2/cmd/rekor-server-gcp/app"
+)
+
+func main() {
+	sharedapp.Execute(&app.GCPBackend{})
+}