Add AWS storage backend support

This change enables users to deploy Rekor v2 on AWS infrastructure.
The implementation uses AWS S3 for object storage and Aurora MySQL
(or RDS MySQL) for database operations.

The AWS backend includes:
- S3 storage with support for S3-compatible services (e.g., MinIO)
- Aurora MySQL/RDS MySQL for sequencing and deduplication
- Docker Compose configuration for local development
- Table-driven e2e tests supporting multiple backend configurations
- Updated freeze-checkpoint tool to work with S3

All existing GCP backend functionality remains unchanged.

Resolves: #572
Signed-off-by: James Carnegie <[email protected]>

Author: kipz

README.md

@@ -58,15 +58,79 @@ We provide prebuilt binaries and containers for private deployments.
 If you find any issues, follow Sigstore's [security policy](https://github.com/sigstore/rekor-tiles/security/policy)
 to report them.
 
+## Storage Backends
+
+Rekor v2 supports multiple storage backends for flexibility in deployment:
+
+### Google Cloud Platform (GCP)
+- **Object Storage**: Google Cloud Storage (GCS)
+- **Database**: Cloud Spanner
+- **Use case**: Preferred for global deployments requiring strong consistency and automatic scaling
+
+### Amazon Web Services (AWS)
+- **Object Storage**: Amazon S3
+- **Database**: Aurora MySQL (or RDS MySQL)
+- **Use case**: Cost-effective option for regional deployments with MySQL compatibility
+
 ## Local Development
 
-### Deployment
+### Deployment with GCP Emulators (Default)
 
 Run `docker compose up --build --wait` to start the service along with emulated Google Cloud Storage and Spanner instances.
 
 Run `docker compose down` to turn down the service, or `docker compose down --volumes` to turn down the service and delete
 persisted tiles.
 
+### Deployment with AWS Emulators
+
+Run `docker compose -f docker-compose-aws.yml up --build --wait` to start the service with MinIO (S3-compatible) and MySQL.
+
+Run `docker compose -f docker-compose-aws.yml down` to turn down the service, or add `--volumes` to delete persisted data.
+
+### Server Configuration
+
+When deploying your own instance, configure the storage backend using command-line flags:
+
+**GCP Backend:**
+```bash
+rekor-server serve \
+  --hostname=your-hostname \
+  --gcp-bucket=your-gcs-bucket \
+  --gcp-spanner=projects/PROJECT/instances/INSTANCE/databases/DATABASE \
+  --signer-filepath=/path/to/key.pem
+```
+
+**AWS Backend:**
+```bash
+rekor-server serve \
+  --hostname=your-hostname \
+  --aws-bucket=your-s3-bucket \
+  --aws-mysql-dsn="user:password@tcp(host:3306)/database?parseTime=true" \
+  --signer-filepath=/path/to/key.pem
+```
+
+**AWS Environment Variables:**
+
+The AWS backend requires standard AWS SDK environment variables for authentication and configuration:
+
+Required:
+- `AWS_ACCESS_KEY_ID`: AWS access key ID for authentication
+- `AWS_SECRET_ACCESS_KEY`: AWS secret access key for authentication
+- `AWS_REGION`: AWS region for S3 bucket (e.g., `us-east-1`)
+
+Optional (for S3-compatible storage like MinIO):
+- `AWS_ENDPOINT_URL`: Custom S3 endpoint URL (e.g., `http://localhost:9000`)
+- `AWS_S3_FORCE_PATH_STYLE`: Set to `true` to use path-style addressing instead of virtual-hosted-style
+
+The `--aws-mysql-dsn` format is `user:password@tcp(host:port)/database?parseTime=true`. The `parseTime=true` parameter is required for proper timestamp handling.
+
+Optional flags for both backends:
+- `--persistent-antispam`: Enable persistent deduplication (requires Spanner or MySQL)
+- `--checkpoint-interval`: Frequency of checkpoint publishing (default: 30s)
+- `--batch-max-size`: Maximum entries per batch (default: 1024)
+
+See `rekor-server serve --help` for all available options.
+
 ### Making a request
 
 Follow the [client documentation](https://github.com/sigstore/rekor-tiles/blob/main/CLIENTS.md#rekor-v2-the-bash-way)

cmd/freeze-checkpoint/app/root.go

@@ -27,6 +27,8 @@ import (
 	"time"
 
 	gcs "cloud.google.com/go/storage"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/s3"
 	grpc_retry "github.com/grpc-ecosystem/go-grpc-middleware/retry"
 	"github.com/sigstore/rekor-tiles/v2/internal/signerverifier"
 	rekornote "github.com/sigstore/rekor-tiles/v2/pkg/note"
@@ -48,12 +50,19 @@ const (
 var rootCmd = &cobra.Command{
 	Use:   "freeze-checkpoint",
 	Short: "Freeze the log checkpoint",
-	Long:  `Add an extension line to the final checkpoint to indicate to consumers that no more checkpoints are going to be published. Only supported for GCP.`,
+	Long:  `Add an extension line to the final checkpoint to indicate to consumers that no more checkpoints are going to be published. Supports both GCP (GCS) and AWS (S3) backends.`,
 	Run: func(cmd *cobra.Command, _ []string) {
 		ctx := cmd.Context()
 
-		if viper.GetString("gcp-bucket") == "" {
-			slog.Error("must provide --gcs-bucket")
+		gcpBucket := viper.GetString("gcp-bucket")
+		awsBucket := viper.GetString("aws-bucket")
+
+		if gcpBucket == "" && awsBucket == "" {
+			slog.Error("must provide either --gcp-bucket or --aws-bucket")
+			os.Exit(1)
+		}
+		if gcpBucket != "" && awsBucket != "" {
+			slog.Error("cannot provide both --gcp-bucket and --aws-bucket")
 			os.Exit(1)
 		}
 		if viper.GetString("hostname") == "" {
@@ -77,13 +86,13 @@ var rootCmd = &cobra.Command{
 			os.Exit(1)
 		}
 
-		objReader, objWriter, err := objectAccess(ctx)
+		storage, err := objectAccess(ctx)
 		if err != nil {
 			slog.Error(err.Error())
 			os.Exit(1)
 		}
 
-		checkpoint, err := getCheckpoint(objReader, noteVerifier)
+		checkpoint, err := getCheckpoint(ctx, storage, noteVerifier)
 		if err != nil {
 			slog.Error(err.Error())
 			os.Exit(1)
@@ -93,16 +102,12 @@ var rootCmd = &cobra.Command{
 			return
 		}
 
-		err = updateCheckpoint(objWriter, noteSigner, checkpoint)
+		err = updateCheckpoint(ctx, storage, noteSigner, checkpoint)
 		if err != nil {
 			slog.Error(err.Error())
 			os.Exit(1)
 		}
 
-		if err := objWriter.Close(); err != nil {
-			slog.Error("closing object writer", "error", err.Error())
-			os.Exit(1)
-		}
 		slog.Info("Log frozen")
 	},
 }
@@ -116,6 +121,7 @@ func Execute() {
 
 func init() {
 	rootCmd.Flags().String("gcp-bucket", "", "GCS bucket for tile and checkpoint storage")
+	rootCmd.Flags().String("aws-bucket", "", "S3 bucket for tile and checkpoint storage")
 	rootCmd.Flags().String("hostname", "", "public hostname, used as the checkpoint origin")
 	rootCmd.Flags().String("signer-filepath", "", "path to the signing key")
 	rootCmd.Flags().String("signer-password", "", "password to decrypt the signing key")
@@ -183,27 +189,105 @@ func getNoteVerifier(verifier signature.Verifier) (note.Verifier, error) {
 	return noteVerifier, nil
 }
 
-func objectAccess(ctx context.Context) (*gcs.Reader, *gcs.Writer, error) {
+// objectStorage provides a backend-agnostic interface for reading and writing checkpoints
+type objectStorage interface {
+	Read(ctx context.Context) ([]byte, error)
+	Write(ctx context.Context, data []byte) error
+}
+
+// gcsStorage implements objectStorage for Google Cloud Storage
+type gcsStorage struct {
+	bucket string
+}
+
+func (g *gcsStorage) Read(ctx context.Context) ([]byte, error) {
 	client, err := gcs.NewClient(ctx, gcs.WithJSONReads())
 	if err != nil {
-		return nil, nil, fmt.Errorf("getting GCS client: %w", err)
+		return nil, fmt.Errorf("getting GCS client: %w", err)
 	}
-	bucketName := viper.GetString("gcp-bucket")
-	object := client.Bucket(bucketName).Object(layout.CheckpointPath)
+	object := client.Bucket(g.bucket).Object(layout.CheckpointPath)
 	objReader, err := object.NewReader(ctx)
 	if err != nil {
-		return nil, nil, fmt.Errorf("getting object reader: %w", err)
+		return nil, fmt.Errorf("getting object reader: %w", err)
 	}
-	contentType := "text/plain; charset=utf-8"
+	defer objReader.Close()
+	return io.ReadAll(objReader)
+}
+
+func (g *gcsStorage) Write(ctx context.Context, data []byte) error {
+	client, err := gcs.NewClient(ctx, gcs.WithJSONReads())
+	if err != nil {
+		return fmt.Errorf("getting GCS client: %w", err)
+	}
+	object := client.Bucket(g.bucket).Object(layout.CheckpointPath)
 	objWriter := object.NewWriter(ctx)
-	objWriter.ContentType = contentType
-	return objReader, objWriter, nil
+	objWriter.ContentType = "text/plain; charset=utf-8"
+	if _, err := objWriter.Write(data); err != nil {
+		objWriter.Close()
+		return fmt.Errorf("writing checkpoint: %w", err)
+	}
+	return objWriter.Close()
+}
+
+// s3Storage implements objectStorage for AWS S3
+type s3Storage struct {
+	bucket string
+}
+
+func (s *s3Storage) Read(ctx context.Context) ([]byte, error) {
+	cfg, err := config.LoadDefaultConfig(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("loading AWS config: %w", err)
+	}
+	client := s3.NewFromConfig(cfg)
+	result, err := client.GetObject(ctx, &s3.GetObjectInput{
+		Bucket: &s.bucket,
+		Key:    stringPtr(layout.CheckpointPath),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("getting object from S3: %w", err)
+	}
+	defer result.Body.Close()
+	return io.ReadAll(result.Body)
 }
 
-func getCheckpoint(objReader *gcs.Reader, noteVerifier note.Verifier) (*logformat.Checkpoint, error) {
-	rawCheckpoint, err := io.ReadAll(objReader)
+func (s *s3Storage) Write(ctx context.Context, data []byte) error {
+	cfg, err := config.LoadDefaultConfig(ctx)
 	if err != nil {
-		return nil, fmt.Errorf("reading object: %w", err)
+		return fmt.Errorf("loading AWS config: %w", err)
+	}
+	client := s3.NewFromConfig(cfg)
+	contentType := "text/plain; charset=utf-8"
+	_, err = client.PutObject(ctx, &s3.PutObjectInput{
+		Bucket:      &s.bucket,
+		Key:         stringPtr(layout.CheckpointPath),
+		Body:        bytes.NewReader(data),
+		ContentType: &contentType,
+	})
+	if err != nil {
+		return fmt.Errorf("writing checkpoint to S3: %w", err)
+	}
+	return nil
+}
+
+func stringPtr(s string) *string {
+	return &s
+}
+
+func objectAccess(_ context.Context) (objectStorage, error) {
+	if gcpBucket := viper.GetString("gcp-bucket"); gcpBucket != "" {
+		return &gcsStorage{bucket: gcpBucket}, nil
+	}
+	if awsBucket := viper.GetString("aws-bucket"); awsBucket != "" {
+		return &s3Storage{bucket: awsBucket}, nil
+	}
+	return nil, fmt.Errorf("no storage backend configured")
+}
+
+func getCheckpoint(ctx context.Context, storage objectStorage, noteVerifier note.Verifier) (*logformat.Checkpoint, error) {
+	rawCheckpoint, err := storage.Read(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("reading checkpoint: %w", err)
 	}
 	noteObj, err := note.Open(rawCheckpoint, note.VerifierList(noteVerifier))
 	if err != nil {
@@ -221,8 +305,8 @@ func getCheckpoint(objReader *gcs.Reader, noteVerifier note.Verifier) (*logforma
 }
 
 // updateCheckpoint writes an extension line to the checkpoint note to indicate the checkpoint is frozen,
-// re-signs it and re-uploads it to the GCS backend.
-func updateCheckpoint(objWriter *gcs.Writer, noteSigner note.Signer, checkpoint *logformat.Checkpoint) error {
+// re-signs it and re-uploads it to the storage backend.
+func updateCheckpoint(ctx context.Context, storage objectStorage, noteSigner note.Signer, checkpoint *logformat.Checkpoint) error {
 	// Marshaled checkpoint contains the origin, size, and hash of the checkpoint, not the signatures.
 	// The final checkpoint object will contain the origin, size, hash, extension line, and signature.
 	buf := bytes.NewBuffer(checkpoint.Marshal())
@@ -234,8 +318,5 @@ func updateCheckpoint(objWriter *gcs.Writer, noteSigner note.Signer, checkpoint
 	if err != nil {
 		return fmt.Errorf("re-signing checkpoint: %w", err)
 	}
-	if _, err := objWriter.Write(signedNote); err != nil {
-		return fmt.Errorf("writing checkpoint: %w", err)
-	}
-	return nil
+	return storage.Write(ctx, signedNote)
 }

cmd/rekor-server/app/serve.go

@@ -137,6 +137,8 @@ var serveCmd = &cobra.Command{
 				Hostname:            viper.GetString("hostname"),
 				GCPBucket:           viper.GetString("gcp-bucket"),
 				GCPSpannerDB:        viper.GetString("gcp-spanner"),
+				AWSBucket:           viper.GetString("aws-bucket"),
+				AWSMySQLDSN:         viper.GetString("aws-mysql-dsn"),
 				PersistentAntispam:  viper.GetBool("persistent-antispam"),
 				ASMaxBatchSize:      viper.GetUint("antispam-max-batch-size"),
 				ASPushbackThreshold: viper.GetUint("antispam-pushback-threshold"),
@@ -216,6 +218,10 @@ func init() {
 	serveCmd.Flags().String("gcp-bucket", "", "GCS bucket for tile and checkpoint storage")
 	serveCmd.Flags().String("gcp-spanner", "", "Spanner database URI")
 
+	// aws configs
+	serveCmd.Flags().String("aws-bucket", "", "S3 bucket for tile and checkpoint storage")
+	serveCmd.Flags().String("aws-mysql-dsn", "", "MySQL DSN for Aurora/RDS (e.g., user:pass@tcp(host:3306)/dbname)")
+
 	// checkpoint signing configs
 	serveCmd.Flags().String("signer-filepath", "", "path to the signing key")
 	serveCmd.Flags().String("signer-password", "", "password to decrypt the signing key")
@@ -234,7 +240,7 @@ func init() {
 	serveCmd.Flags().Duration("tlog-timeout", 30*time.Second, "timeout for terminating the tiles log queue")
 
 	// antispam configs
-	serveCmd.Flags().Bool("persistent-antispam", false, "whether to enable persistent antispam measures; only available for GCP storage backend and not supported by the Spanner storage emulator")
+	serveCmd.Flags().Bool("persistent-antispam", false, "whether to enable persistent antispam measures; available for GCP (Spanner) and AWS (MySQL) storage backends; not supported by the Spanner storage emulator")
 	serveCmd.Flags().Uint("antispam-max-batch-size", 0, "maximum batch size for deduplication operations; will default to Tessera recommendation if unset; for Spanner, recommend around 1500 with 300 or more PU, or around 64 for smaller (e.g. 100 PU) instances")
 	serveCmd.Flags().Uint("antispam-pushback-threshold", 0, "maximum number of 'in-flight' add requests the antispam operator will allow before pushing back; will default to Tessera recommendation if unset")