Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws: add metadata fetcher utility to use http async client #29880

Merged
merged 15 commits into from
Oct 30, 2023
Merged

aws: add metadata fetcher utility to use http async client #29880

merged 15 commits into from
Oct 30, 2023

Conversation

suniltheta
Copy link
Contributor

@suniltheta suniltheta commented Sep 30, 2023
edited
Loading

Old title: Use http async client to fetch AWS credentials metadata

Commit Message: aws: add metadata fetcher utility to use http async client

Additional Description:
This is part #1 of set of changes to update common aws extension utility to make use of http async client to fetch aws credentials metadata instead of using libcurl. In this PR we are introducing a class MetadataFetcher (similar to JwksFetcher) and a function in utility.cc to add internal static cluster config.

Risk Level: Low
Testing: Added unit testing to cover the new code path
Docs Changes: Updated
Release Notes: Updated
Platform Specific Features: NA
Runtime guard: envoy.reloadable_features.use_libcurl_to_fetch_aws_credentials
Deprecated: libcurl

General Description about the overall effort:
For the effort to remove curl from Envoy #11816. This change will use http async client to make the call towards EC2 instance metadata & ECS task metadata service. To make http async client work it needs cluster manager with statically defined cluster configurations. If clusters with fixed names are not provided it will add the cluster during init.

There are 2 http filters with which this change works without issue

  1. AwsRequestSigning ✅
  2. AwsLambda ✅

However, with AWS IAM gRPC credentials provider plugin there is a problem ⚠️ The http async client will not support AWS IAM gRPC plugin because it needs Envoy server fully initialized before using cluster manager. When gRPC service tries to use the Cluster Manager the static clusters are not available for reasons explained on #27586. So in future changes if curl is removed entirely then we need to update docs to clearly state that AWS IAM gRPC plugin can only support Environment or File based credentials fetching. Other option is to add a curl version of AWS IAM gRPC credentials plugin into the contrib folder.

So far I am not aware if there are any Envoy users other than within AWS that uses AWS IAM gRPC plugin. Please let me know what is the best way to maintain it for everyone's convenience.

I have put a short doc to explain the implementation here https://docs.google.com/document/d/1m1KE_LGDnxrXwnUC1OEKYLmw8szy4r06OX_O3JcM-wM

@suniltheta
use http async client instead of libcurl
e7e29cc 
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
@suniltheta
docs and release notes update
63b4d18 
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
@repokitteh-read-only
Copy link

CC @envoyproxy/runtime-guard-changes: FYI only for changes made to (source/common/runtime/runtime_features.cc).

🐱

Caused by: #29880 was opened by suniltheta.

see: more, trace.

@suniltheta
Copy link
Contributor Author

cc: @tonya11en for help reviewing this change

@suniltheta
ignore instance metadata for aws lambda integ test
7ca9a64 
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
@suniltheta
ignore expected_duration_ when it is not available yet
3ab3360 
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
@suniltheta
improve code coverage
773c178 
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
@zuercher
Copy link
Member

zuercher commented Oct 2, 2023

/assign-from @envoyproxy/first-pass-reviewers

@repokitteh-read-only
Copy link

@envoyproxy/first-pass-reviewers assignee is @tyxia

🐱

Caused by: a #29880 (comment) was created by @zuercher.

see: more, trace.

@suniltheta
fix constant expression failure
d3732b6 
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
tyxia
tyxia reviewed Oct 2, 2023
View reviewed changes
Copy link
Member

@tyxia tyxia left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/assign @lavignes @tonya11en

This probably should be reviewed by aws extension owner as the code changes in this PR are aws extension specific

@tyxia
Copy link
Member

tyxia commented Oct 2, 2023

/assign @tonya11en @lavignes

@tyxia tyxia removed their assignment Oct 2, 2023
@tonya11en
Copy link
Member

Removing myself from this as I'm on vacation. Opened #29911, since I haven't worked at AWS since 2021.

@tonya11en tonya11en removed their assignment Oct 2, 2023
@suniltheta suniltheta mentioned this pull request Oct 2, 2023
Merged
@suniltheta
fix asan memory leak in test
bbf86e8 
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
@suniltheta suniltheta mentioned this pull request Oct 11, 2023
Merged
@suniltheta
Honor host value from AWS_CONTAINER_CREDENTIALS_FULL_URI
5ce6bf8 
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
@suniltheta
Copy link
Contributor Author

/retest

ravenblackx
ravenblackx requested changes Oct 12, 2023
View reviewed changes
Copy link
Contributor

@ravenblackx ravenblackx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could this be broken into smaller pieces? It looks like metadata_fetcher could be prepared before the whole shebang, for example. If it's not possible that's okay, but this is a big chunk for a single review.

source/extensions/common/aws/credentials_provider_impl.h Outdated Show resolved Hide resolved
source/extensions/common/aws/credentials_provider_impl.h Outdated Show resolved Hide resolved
source/extensions/common/aws/credentials_provider_impl.h Outdated Show resolved Hide resolved
source/extensions/common/aws/credentials_provider_impl.h Outdated Show resolved Hide resolved
source/extensions/common/aws/credentials_provider_impl.h Outdated Show resolved Hide resolved
source/extensions/common/aws/utility.cc Outdated Show resolved Hide resolved
source/extensions/grpc_credentials/aws_iam/config.cc Outdated Show resolved Hide resolved
test/extensions/common/aws/credentials_provider_impl_test.cc Outdated Show resolved Hide resolved
.gitignore Outdated Show resolved Hide resolved
test/extensions/common/aws/mocks.h Outdated Show resolved Hide resolved
@suniltheta
Copy link
Contributor Author

suniltheta commented Oct 12, 2023
edited
Loading

@ravenblackx thank you so much for your review

Could this be broken into smaller pieces?

I am open for this suggestion. I will try to extract out metadata_fetcher and other associated changes into this PR. And follow up with introducing the changes in credentials_provider_impl.* in the next PR. This should give me enough time to move out too many implementations inside header file out to .cc file. I will make sure all your review comments are addressed in this or next PRs.

Update: Reduced the PR size

@suniltheta
address review comments
0284a53 
* move implementation from header to cc file
* Don't create duplicate MockUpstream
* Use named args - less error prone
* Don't restrict runtime value read to be in just constructor

Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
@suniltheta
update access modifier
be5eced 
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
@suniltheta
reduce PR 29880 to include metadata fetcher changes
08dc2ed 
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
@suniltheta
Add Metadatafetcher failureToString conversion coverage
1e5f1bf 
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
@suniltheta suniltheta changed the title Use http async client to fetch AWS credentials metadata aws: add metadata fetcher utility to use http async client Oct 13, 2023
ravenblackx
ravenblackx requested changes Oct 16, 2023
View reviewed changes
source/extensions/common/aws/metadata_fetcher.cc Show resolved Hide resolved
source/extensions/common/aws/metadata_fetcher.cc Outdated Show resolved Hide resolved
source/extensions/common/aws/metadata_fetcher.cc Show resolved Hide resolved
source/extensions/common/aws/metadata_fetcher.cc Outdated Show resolved Hide resolved
source/extensions/common/aws/utility.cc Outdated Show resolved Hide resolved
test/extensions/common/aws/metadata_fetcher_test.cc Outdated Show resolved Hide resolved
test/extensions/common/aws/metadata_fetcher_test.cc Outdated Show resolved Hide resolved
source/extensions/common/aws/utility.h Show resolved Hide resolved
test/extensions/common/aws/utility_test.cc Outdated Show resolved Hide resolved
source/extensions/common/aws/utility.h Outdated Show resolved Hide resolved
@suniltheta
code review f/b
da3a2bb 
don't use loadFromYaml

Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
@suniltheta suniltheta mentioned this pull request Oct 19, 2023
Open
@suniltheta
Use MATCHER_P helpers for checking options
56ec673 
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
@suniltheta
Avoid Invoke by using Matcher
5433e87 
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
@ravenblackx
Copy link
Contributor

@lavignes could probably still do with having an opinion as CODEOWNER, but it's been a month since that was originally requested so I don't know how likely that is.

@mattklein123 is the remaining owner of the area and also a senior maintainer so could perhaps combine final-pass and area knowledge.

@mattklein123 mattklein123 enabled auto-merge (squash) October 30, 2023 19:23
@suniltheta
Copy link
Contributor Author

/retest

@mattklein123 mattklein123 merged commit 60b2867 into envoyproxy:main Oct 30, 2023
104 checks passed
This was referenced Oct 31, 2023
Merged
Merged
htuch pushed a commit that referenced this pull request Nov 7, 2023
@suniltheta
deps: update the deprecation status of libcurl (#30731)
dd05ef6 
Following the merge of #29880 and #30626 we can mark the curl usage as deprecated. Meanwhile bazel/repositories.bzl had stale info that OpenCensus tracer was still using libcurl.

We can continue to keep the Issue #11816 open until curl is removed entirely after the deprecation time (Probably for v1.31 release).

Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tyxia tyxia tyxia left review comments

@ravenblackx ravenblackx ravenblackx approved these changes

@mattklein123 mattklein123 mattklein123 approved these changes

Assignees

@lavignes lavignes

@mattklein123 mattklein123

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@suniltheta @zuercher @tyxia @tonya11en @ravenblackx @mattklein123 @lavignes