add ability to enable/disable specific rekor API endpoints

[bobcallaway]

Signed-off-by: Bob Callaway bcallaway@google.com

[dlorenc]

This seems fine, just curious what the context is.

[bobcallaway]

This seems fine, just curious what the context is.

If we wanted isolation of specific read-only VS write-only paths for scaling, it might be useful to be able to narrow the API surface down.

This also removes a couple incorrect middleware handlers and caching rules that no longer apply.

[codecov-commenter]

Codecov Report

Merging #1080 (994a989) into main (6904cff) will decrease coverage by 0.44%.
The diff coverage is 9.25%.

@@            Coverage Diff             @@
##             main    #1080      +/-   ##
==========================================
- Coverage   64.10%   63.65%   -0.45%     
==========================================
  Files          82       82              
  Lines        7482     7534      +52     
==========================================
  Hits         4796     4796              
- Misses       2065     2116      +51     
- Partials      621      622       +1     

Flag	Coverage Δ
e2etests	48.51% <9.25%> (-0.30%)	⬇️
unittests	40.71% <0.00%> (-0.33%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/api/public_key.go	37.50% <0.00%> (-29.17%)	⬇️
pkg/api/tlog.go	39.02% <0.00%> (-5.02%)	⬇️
pkg/api/entries.go	65.16% <3.44%> (-4.38%)	⬇️
cmd/rekor-server/app/root.go	56.66% <100.00%> (+1.49%)	⬆️
pkg/api/api.go	64.28% <100.00%> (ø)
pkg/types/alpine/v0.0.1/entry.go	72.35% <0.00%> (-1.22%)	⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[lukehinds]

code looks good, don't forget to update https://github.com/sigstore/sigstore-website/tree/docs/content/en/rekor too.

[dlorenc]

If we wanted isolation of specific read-only VS write-only paths for scaling, it might be useful to be able to narrow the API surface down.

Not sure I follow here... Rekor itself is stateless, if we had a bunch only doing reads I'm not sure how that would help with the database scaling. Would we point them at read only replicas of mysql/trillian or something?

[var-sdk]

If we wanted isolation of specific read-only VS write-only paths for scaling, it might be useful to be able to narrow the API surface down.

Not sure I follow here... Rekor itself is stateless, if we had a bunch only doing reads I'm not sure how that would help with the database scaling. Would we point them at read only replicas of mysql/trillian or something?

That's one possibility. We could set up read replicas in other regions so the read path continues to operate even if our write instance goes down. The other goodness here might be splitting read & write paths within a cluster, so a query of death bug in write wouldn't completely take down read.

[asraa]

Thanks, look good! Thanks for adding in the validation/panic in case someone mis-types the endpoint.