Added AWS region provider#7172
Conversation
|
/retest |
|
🔨 rebuilding |
|
This filter could benefit from some documentation. |
Documented the interface class. |
Thanks. I was thinking of something more substantial along the lines of https://github.com/envoyproxy/envoy/pull/6470/files#diff-f17684fc3d777b8c62225f6c3c7694cf which was done recently for CSRF filter. |
I see. Let me add some clarification. This is first in a series of PRs breaking #5546 into smaller pieces and moving it to libcurl. It is implementation of #5215. As such, this will not be an HTTP filter, but a gRPC credentials factory implementation. This PR specifically only adds a helper class to discover the AWS region of the current execution environment. Discovered region be used in later PRs to sign HTTP requests. The reason for including this in the Regarding the documentation concern. Interface classes and proto API will be documented. I am not sure if any other documentation is needed for a new gRPC credentials implementation. |
|
/retest |
|
🐴 hold your horses - no failures detected, yet. |
|
I have a higher level question: even though this is being written as an extension, I feel like having a whole bunch of AWS-specific stuff in the common default build might not be a scalable strategy for Envoy. Would it be possible to achieve the goals of this PR with pure config, or by making fairly generic configuration hooks to existing filters, rather than adding a new set of custom filters per-cloud-provider? @mattklein123 would love to hear your thoughts on this. |
|
@jmarantz with the introduction of the OpenCensus there is now Google Cloud Platform Stackdriver specific code too. It is in an extension but with all extensions on by default it is an opt-out process. |
|
Yeah I thought we had talked about having extensions off-by-default at some point. Anyone know what the status of that is? |
|
I think a lot of what we see in this PR, and will see in the following PRs, is mostly fetching data from the AWS execution environment (environment variables + HTTP metadata endpoints), which is then fed as input to the signing algorithm 040acac. I don't know if there is currently a generic solution for this "environment fetching" problem in Envoy. However, I think generic fetcher could be done. It would consume protobuf message with a configuration telling it what variables to fetch and their sources (env, metadata, etc), and would produce a protobuf.Struct with the fetched values output. The result would be consumed by extensions such as AWS SigV4. What worries me is the set of conditionals [1] we have in our case, that would require relatively rich configuration language for this hypothetical environment fetcher. Not sure if we currently have enough use cases to justify that complexity. |
IMO it's fine to have vendor specific code in extensions as long as it can be compiled out. I view extensions no differently than Linux drivers, in which there is lots of vendor specific code. With that said, I agree that there will come a time in which we probably need to provide a "standard" Envoy public image and a "kitchen sink" image. This is something we probably need to chat about separately though. |
jmarantz
left a comment
jmarantz
left a comment
There was a problem hiding this comment.
RE vendor code in extensions: makes sense, SGTM; we can sort out bare-bones vs kitchen sink later.
source/common/common/logger.h
Outdated
There was a problem hiding this comment.
can you add a TODO to figure out some way for extensions to register new logger IDs?
There was a problem hiding this comment.
I haven't been looking at these PRs but just wanted to note that in #5580 we decided to not add aws: #5580 (comment)
So I'm surprised this got back in. @ivitjuk It would make sense to have the sigv4 signer use it again since the logging the signer does it very AWS-specific.
There was a problem hiding this comment.
Makes sense to me. I'll make a PR to switch signer to the AWS logger.
|
Ping |
|
/retest |
|
🤷♀️ nothing to rebuild. |
|
@dio any ETA for the review of this PR? |
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
There was a problem hiding this comment.
Should this be absl::nullopt instead? Unless we want this getRegion to always return std::string
There was a problem hiding this comment.
Switched to absl::nullopt.
test/test_common/environment.cc
Outdated
There was a problem hiding this comment.
nit: let's be consistent with others? ASSERT_EQ(0, rc);
There was a problem hiding this comment.
It's consistent with TestEnvironment::setEnvVar implementation. I can fix that one too in the same time?
There was a problem hiding this comment.
Sorry, use-case wise, can you explain more about the difference or the need of this Static vs Environment RegionProvider?
There was a problem hiding this comment.
Yes, please check the closed PR we are trying to break into smaller pieces here:
There was a problem hiding this comment.
I mean, I think to provide inline comments here probably helpful?
There was a problem hiding this comment.
Added documentation at the class level.
This will be used by the AWS SigV4 signing Task 3 as described in: https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html Signed-off-by: Ivan Vitjuk <ivan@vitjuk.com>
|
@lizan do you want to take a senior reviewer pass for this PR? |
|
@ivitjuk from next PRs, please do not squash and force-push changes unless fixing DCO, it messes up review history on GH. |
ack, sorry about that. |
8 participants
Description: Added AWS region provider
This will be used by the AWS SigV4 signing Task 3 as described in:
https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
Risk Level: Low
Testing: Added new unit tests
Docs Changes: N/A
Release Notes: N/A