
pluto: add proxy support for FIPS #213

Merged: 1 commit, Oct 28, 2024

Conversation

jpculp (Member) commented Oct 23, 2024

Issue number:
Related: bottlerocket-os/bottlerocket#1667

Description of changes:

Replaces hyper-proxy with hyper-http-proxy.

Adds support for hyper client creation using a custom HTTP connector in aws-smithy-experimental.

Testing done:

Launched two instances (one built fips and one not) with the following network configuration:

[settings.network]
https-proxy = "<my-proxy>:8888"

Checked proxy server logs and found all traffic from my private IP being tunneled, including the EKS API calls for DescribeCluster.

In CloudTrail, I could see that the DescribeCluster API call source IP was my proxy server:

    "eventTime": "2024-10-23T23:15:56Z",
    "eventSource": "eks.amazonaws.com",
    "eventName": "DescribeCluster",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "<my-proxy>",
    "userAgent": "aws-sdk-rust/1.3.3 os/linux lang/rust/1.81.0",

Testing notes:

If you want to test this on your own, here are a couple of hints:

  • I used tinyproxy for this PR, but squidproxy will also work, as I used it for testing pluto: Add hyper-proxy as a module (bottlerocket#3439).
  • In the tinyproxy config, uncomment the LogFile line and add your EKS cluster's IP range to Allow.
  • It makes things a little easier to put the proxy in the same VPC/security groups as your EKS nodegroups. Then you can set settings.network.https-proxy to your EC2 host's private IP DNS name and proxy port.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
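The CloudTrail step in the testing section above (confirming that every EKS call from the node shows the proxy as its source IP) is easy to automate and doubles as a proxy-bypass check for a fleet. The script below is an added example, not code from this PR or from Bottlerocket; the records are constructed, only the field names follow the CloudTrail record format, and the proxy address 203.0.113.10 and node address 10.0.1.23 are placeholders.

```python
"""Flag EKS API calls in a CloudTrail export that did not arrive via the proxy.

Added example, not part of the Bottlerocket PR. SAMPLE_CLOUDTRAIL is a
constructed export; the proxy IP (203.0.113.10) and node IP (10.0.1.23)
are placeholders, not values from the PR.
"""
import json
from collections import Counter
from ipaddress import ip_address

# Constructed export: two DescribeCluster calls tunneled through the proxy,
# one that reached EKS directly from the node, one EC2 call (ignored by the
# EKS filter) and one call made by an AWS service on the account's behalf.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-10-23T23:15:56Z", "eventSource": "eks.amazonaws.com",
     "eventName": "DescribeCluster", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-sdk-rust/1.3.3 os/linux lang/rust/1.81.0"},
    {"eventTime": "2024-10-23T23:16:02Z", "eventSource": "eks.amazonaws.com",
     "eventName": "DescribeCluster", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-sdk-rust/1.3.3 os/linux lang/rust/1.81.0"},
    {"eventTime": "2024-10-23T23:17:40Z", "eventSource": "eks.amazonaws.com",
     "eventName": "DescribeCluster", "awsRegion": "us-west-2",
     "sourceIPAddress": "10.0.1.23",
     "userAgent": "aws-sdk-rust/1.3.3 os/linux lang/rust/1.81.0"},
    {"eventTime": "2024-10-23T23:18:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "10.0.1.23",
     "userAgent": "aws-sdk-rust/1.3.3 os/linux lang/rust/1.81.0"},
    {"eventTime": "2024-10-23T23:19:05Z", "eventSource": "eks.amazonaws.com",
     "eventName": "ListClusters", "awsRegion": "us-west-2",
     "sourceIPAddress": "cloudformation.amazonaws.com",
     "userAgent": "cloudformation.amazonaws.com"},
]})


def load_records(text):
    """Parse a CloudTrail export (the {"Records": [...]} shape) into a list."""
    return json.loads(text)["Records"]


def proxy_bypass_events(records, proxy_ips, event_source="eks.amazonaws.com"):
    """Return calls to `event_source` whose source IP is not one of `proxy_ips`.

    Records whose sourceIPAddress is an AWS service name (calls made by a
    service on the account's behalf, not by the node) are skipped: they
    carry no client IP, so they say nothing about the node's proxy path.
    """
    allowed = {ip_address(p) for p in proxy_ips}
    flagged = []
    for rec in records:
        if rec.get("eventSource") != event_source:
            continue
        try:
            src = ip_address(rec.get("sourceIPAddress", ""))
        except ValueError:
            continue  # service principal, not a client address
        if src not in allowed:
            flagged.append(rec)
    return flagged


def calls_by_source(records, event_name):
    """Count occurrences of `event_name` per sourceIPAddress."""
    return Counter(r["sourceIPAddress"] for r in records
                   if r.get("eventName") == event_name)


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL)
    print(dict(calls_by_source(recs, "DescribeCluster")))
    for rec in proxy_bypass_events(recs, ["203.0.113.10"]):
        print("BYPASS", rec["eventTime"], rec["eventName"], rec["sourceIPAddress"])
```

Run against a real export, every DescribeCluster from the node should be attributed to the proxy's address, as in the CloudTrail excerpt above; any record flagged as BYPASS means some client on the host is not honouring settings.network.https-proxy.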

jpculp (Member, Author) commented Oct 24, 2024

Based on #173.

jpculp (Member, Author) commented Oct 24, 2024

Rebased and ready for review.

jpculp marked this pull request as ready for review October 24, 2024 00:14

Review thread on sources/api/apiclient/Cargo.toml (resolved)

jpculp (Member, Author) commented Oct 26, 2024

Moved proxy logic from pluto::proxy to aws-smithy-experimental::hyper_1_0.

Review thread on COPYRIGHT (outdated, resolved)

Commit message:
Replaces `hyper-proxy` with `hyper-http-proxy`.

Adds support for hyper client creation using a proxy connector in
`aws-smithy-experimental`.

Signed-off-by: Patrick J.P. Culp <jpculp@amazon.com>
jpculp (Member, Author) commented Oct 28, 2024

  • Added list of modified .rs files to COPYRIGHT.
  • Rebased.

jpculp merged commit b609232 into bottlerocket-os:develop Oct 28, 2024
2 checks passed