aws: use http async client to fetch metadata credentials#30626
Merged
mattklein123 merged 4 commits intoenvoyproxy:mainfrom Nov 4, 2023
Merged
aws: use http async client to fetch metadata credentials#30626mattklein123 merged 4 commits intoenvoyproxy:mainfrom
mattklein123 merged 4 commits intoenvoyproxy:mainfrom
Conversation
Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
Contributor
Author
|
In this PR already addressed the initial set of code review comments given in #29880 (review) |
ravenblackx
previously approved these changes
Nov 2, 2023
Contributor
ravenblackx
left a comment
ravenblackx
left a comment
There was a problem hiding this comment.
Looks good to me, just a couple of nits, thanks!
Contributor
|
To @mattklein123 again for the senior maintainer pass, with the same caveats as last time (that it would have been nice if the CODEOWNERS did a pass first, but they were so conspicuously absent on the previous PR that it doesn't seem worth even inviting them this time.) |
use a method instead of checking for feature flag at multiple locations. Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
mattklein123
approved these changes
Nov 4, 2023
Member
mattklein123
left a comment
mattklein123
left a comment
There was a problem hiding this comment.
Nice! Exciting to see this finally being burned down.
htuch
pushed a commit
that referenced
this pull request
Nov 7, 2023
Following the merge of #29880 and #30626 we can mark the curl usage as deprecated. Meanwhile bazel/repositories.bzl had stale info that OpenCensus tracer was still using libcurl. We can continue to keep the Issue #11816 open until curl is removed entirely after the deprecation time (Probably for v1.31 release). Signed-off-by: Sunil Narasimhamurthy <sunnrs@amazon.com>
6 tasks
Contributor
|
@suniltheta can this flag be flipped true? Otherwise it looks offhand like curl is still being used by default? |
Contributor
Author
|
cc: @nbaws to help with the flip. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Commit Message: aws: use http async client to fetch metadata credentials
Additional Description:
This is
part #2of set of changes to update common aws extension utility to make use of http async client to fetch aws credentials metadata instead of using libcurl.Previous PR #29880 introduced a
class MetadataFetcherand a function in utility.cc to add internal static cluster config. In this PR we are adding functionality intoInstanceProfileCredentialsProviderandTaskRoleCredentialsProviderto useMetadataFetcherobject to fetch the credentials instead of using libcurl.Risk Level: Low
Testing: Added unit testing to cover the new code path
Docs Changes: Updated
Release Notes: Updated
Platform Specific Features: NA
Runtime guard:
envoy.reloadable_features.use_libcurl_to_fetch_aws_credentialsDeprecated: libcurl
General Description about the overall effort:
For the effort to remove curl from Envoy #11816. This change will use http async client to make the call towards EC2 instance metadata & ECS task metadata service. To make http async client work it needs cluster manager with statically defined cluster configurations. If clusters with fixed names are not provided it will add the cluster during init.
There are 2 http filters with which this change works without issue
However, with AWS IAM gRPC credentials provider plugin there is a problem⚠️ The http async client will not support AWS IAM gRPC plugin because it needs Envoy server fully initialized before using cluster manager. When gRPC service tries to use the Cluster Manager the static clusters are not available for reasons explained on #27586. So in future changes if curl is removed entirely then we need to update docs to clearly state that AWS IAM gRPC plugin can only support Environment or File based credentials fetching. Other option is to add a curl version of AWS IAM gRPC credentials plugin into the contrib folder.
So far I am not aware if there are any Envoy users other than within AWS that uses AWS IAM gRPC plugin. Please let me know what is the best way to maintain it for everyone's convenience.
I have put a short doc to explain the implementation here https://docs.google.com/document/d/1m1KE_LGDnxrXwnUC1OEKYLmw8szy4r06OX_O3JcM-wM