This repository has been archived by the owner on Jul 21, 2023. It is now read-only.

Commit

facilitator: remove OpenSSL dependency
We now configure `kube` to use `rustls`, removing our dependency on any
native TLS implementation which ends up pulling in OpenSSL. This means
we no longer need to install `openssl-dev` when building the
`facilitator` Docker image, nor do we need to play special games to
statically link it on Alpine.

We still end up depending on
[`openssl-probe`](https://crates.io/crates/openssl-probe), but that
crate doesn't actually link OpenSSL and so is harmless.

This commit also separates the `prio-facilitator` Dockerfile so that we
copy just the compiled binary from the builder container into the image
we run, which cuts down image size by ~500 MB.

Closes #451
tgeoghegan committed Jun 16, 2021
1 parent 42ff45e commit afa9d56
Showing 4 changed files with 38 additions and 120 deletions.
135 changes: 25 additions & 110 deletions facilitator/Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion facilitator/Cargo.toml
Expand Up @@ -21,7 +21,7 @@ hyper = "^0.14"
hyper-rustls = "^0.22"
jsonwebtoken = "7"
k8s-openapi = { version = "0.11.0", default-features = false, features = ["v1_20"] }
kube = "0.56.0"
kube = { version = "0.56.0", default-features = false, features = ["client", "rustls-tls"] }
kube-runtime = "0.56.0"
p256 = "0.8.1"
pem = "0.8"
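Review bot: `kube-runtime = "0.56.0"`, directly below the changed `kube` entry, still takes its default features, and Cargo unifies features across the dependency graph, so if `kube-runtime` or any other crate requests `kube` with defaults enabled, the native TLS backend comes back regardless of this line. The `Cargo.lock` diff is not rendered on this page, so please confirm that `openssl-sys` and `native-tls` are actually gone from the lockfile (for example, `cargo tree -i openssl-sys` should find no match), and if `kube-runtime` turns out to be the crate pulling them in, give it `default-features = false` as well.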
15 changes: 6 additions & 9 deletions facilitator/Dockerfile
@@ -1,11 +1,6 @@
FROM rust:1.52.1-alpine as builder

RUN apk add libc-dev openssl-dev && apk update

# This is required so OpenSSL links properly. OpenSSL is required by reqwest, as used by
# prometheus with the `push` option.
# https://users.rust-lang.org/t/sigsegv-with-program-linked-against-openssl-in-an-alpine-container/52172
ENV RUSTFLAGS='-C target-feature=-crt-static'
RUN apk add libc-dev && apk update

# Attempt to install a nonexistent package. This triggers
# updating the crates.io index separately from building the
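Review bot: The comment removed here says OpenSSL was required by `reqwest`, as used by `prometheus` with the `push` option, but the only manifest change in this commit is to `kube`; please state in the commit message or a code comment how that `reqwest` path was dealt with, since dropping `openssl-dev` and the `RUSTFLAGS` workaround will break the build if it is still present. Separately, in `RUN apk add libc-dev && apk update` the index refresh runs after the install, so it does not affect which `libc-dev` is installed and only leaves an index cache in the layer; `RUN apk add --no-cache libc-dev` does both jobs properly.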
Expand Down Expand Up @@ -35,13 +30,15 @@ COPY ./avro-schema ./avro-schema
COPY ./facilitator ./facilitator

ARG BUILD_INFO=unspecified
ENV OPENSSL_STATIC=true

# This cargo build command must match the one above, or the build cache will not be reused.
RUN cargo build --manifest-path ./facilitator/Cargo.toml
# We build in debug mode so the build runs quickly, then strip the binary for size.
RUN strip facilitator/target/debug/facilitator

# Build a minimal container containing only the binary, the one .so it needs, and root certs.
RUN cp /usr/src/prio-server/facilitator/target/debug/facilitator /facilitator
# Build a minimal container from Alpine containing only the stripped binary and
# no intermediate build artifacts
FROM rust:1.52.1-alpine

COPY --from=builder /usr/src/prio-server/facilitator/target/debug/facilitator facilitator
ENTRYPOINT ["/facilitator"]
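Review bot: The final stage is `FROM rust:1.52.1-alpine`, so the runtime image still ships the whole Rust toolchain, which contradicts the "minimal container" comment just above it and leaves `cargo` and `rustc` available inside the running container. A plain `alpine` base pinned to a version would match the comment; if the binary reads system trust roots at runtime (the commit message notes `openssl-probe` is still a dependency), install `ca-certificates` in that stage. Also, the `COPY --from=builder` destination `facilitator` is relative while `ENTRYPOINT ["/facilitator"]` is absolute, which only works while the working directory is `/`; write the destination as `/facilitator`, and consider adding a non-root `USER` for the runtime stage.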
6 changes: 6 additions & 0 deletions facilitator/README.md
Expand Up @@ -112,6 +112,12 @@ Had you generated and intaken multiple batches with `generate-ingestion-sample`

To build a Docker image, run `./build.sh`. To run that image locally, `docker run letsencrypt/prio-facilitator -- --help`.

### Be careful to avoid depending on OpenSSL!

We take great care to use [`rustls`](https://github.com/ctz/rustls) instead of any native TLS implementation, to avoid depending on OpenSSL. Besides `rustls`'s sterling reputation for quality, using a pure Rust TLS implementation means we don't [have to use special tricks to statically link OpenSSL](https://users.rust-lang.org/t/sigsegv-with-program-linked-against-openssl-in-an-alpine-container/52172).

When adding a dependency to `Cargo.toml`, check if it depends on [`native-tls`](https://crates.io/crates/native-tls) or otherwise winds up pulling in the [`openssl`](https://crates.io/crates/openssl) crate. See if it can be configured to use `rustls`. For example, [Rusoto's crates all have a `rustls` feature](https://crates.io/crates/rusoto_core).

## Linting manifest files

The `facilitator lint-manifest` subcommand can validate the various manifest files used in the system. See that subcommand's help text for more information on usage.
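Review bot: The paragraph beginning "When adding a dependency to `Cargo.toml`" asks contributors to check for `native-tls` or `openssl` but gives no way to do it, so the rule depends on everyone remembering and knowing how. Suggest naming the command in the README (for example `cargo tree -i openssl-sys` and `cargo tree -i native-tls`, both of which should find nothing) and enforcing it in CI, for instance with a `cargo-deny` ban on those crates, so a regression fails the build instead of surfacing later as a broken Alpine image.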