aws_credentials_http: Add support for EKS Pod Identities #9013

Open
wants to merge 4 commits into
base: master

Commits on Jun 26, 2024

  1. aws_credentials_http: add support for EKS pod identities

    This patch rewrites how the HTTP credentials provider works to allow
    both ECS and EKS identities to work. It is based on the aws-sdk-go-v2
    implementation.
    
    It validates that the endpoint is correct if the transport is HTTP, but
    does not support DNS resolution, however based on how the pod identity
    agent works today, DNS should not be needed. If the transport is HTTPS,
    which will not be the case when using EKS Pod Identities, any endpoint
    is allowed. This is in line with how the AWS SDK works.
    
    Similarly to the SDK, it also reads the authentication token environment
    variables, with the file taking precedence over the raw token variable.
    
    This has been tested against an EKS 1.30 cluster with AL2023 nodes.
    
    Signed-off-by: Andrew Titmuss <[email protected]>
    iandrewt committed Jun 26, 2024
    2842b36
  2. utils: fix parsing of urls with IPv6 literals

    This patch fixes the handling of IPv6 literals, which would fail to
    parse after not finding balanced `[]` characters.
    
    This happened because it searched for the first `:` before copying the
    host portion, so (assuming it didn't return NULL), the endpoint
    `[fd00:ec2::23]` would become `fd00`.
    
    I've added some tests around this case, but I wouldn't describe the
    tests as in-depth.
    
    This patch is needed for EKS Pod Identities to work on IPv6 clusters.
    
    Signed-off-by: Andrew Titmuss <[email protected]>
    iandrewt committed Jun 26, 2024
    1b809e2
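
The IPv6-literal failure described in the commit above, next to a bracket-aware split, as an added example that is not code from this pull request or from fluent-bit. The function names `naive_host` and `split_host_port` are hypothetical, and the port `80` in the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the failure described above (not fluent-bit's
 * code): cutting at the first ':' turns "[fd00:ec2::23]" into "fd00". */
int naive_host(const char *in, char *host, size_t hlen)
{
    if (in[0] == '[') in++;
    size_t n = strcspn(in, ":");
    if (n == 0 || n >= hlen) return -1;
    memcpy(host, in, n);
    host[n] = '\0';
    return 0;
}

/* Hypothetical helper: split "host[:port]" where host may be a bracketed IPv6
 * literal. Returns 0 on success, -1 on malformed input; port is "" if absent. */
int split_host_port(const char *in, char *host, size_t hlen,
                    char *port, size_t plen)
{
    const char *end, *rest;
    size_t n;
    if (in[0] == '[') {
        end = strchr(++in, ']');     /* host ends at ']', not at the first ':' */
        if (end == NULL) return -1;  /* unbalanced brackets */
        rest = end + 1;
    } else {
        end = in + strcspn(in, ":");
        rest = end;
    }
    n = (size_t)(end - in);
    if (n == 0 || n >= hlen) return -1;
    if (rest[0] == ':' && rest[1] != '\0') rest++;   /* ":port" */
    else if (rest[0] != '\0') return -1;             /* junk, or bare ':' */
    /* digits only: this also rejects an unbracketed IPv6 literal */
    if (rest[strspn(rest, "0123456789")] != '\0' || strlen(rest) >= plen) return -1;
    memcpy(host, in, n);
    host[n] = '\0';
    strcpy(port, rest);
    return 0;
}

int main(void)
{
    char h[64], p[8];
    if (split_host_port("[fd00:ec2::23]:80", h, sizeof h, p, sizeof p) == 0)
        printf("host=%s port=%s\n", h, p);
    return 0;
}
```

Rejecting the unbalanced and unbracketed forms matters here because the host string feeds an endpoint allow-list check, so a silently truncated host would be compared instead of the real one.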

Commits on Jun 29, 2024

  1. aws_util: add error handler for code and message

    This error handler is for JSON APIs that respond with a Code and Message
    field in their error responses.
    
    It is originally from PettitWesley/fluent-bit@7a2c1a8
    
    Signed-off-by: Andrew Titmuss <[email protected]>
    iandrewt committed Jun 29, 2024
    2e36b05
  2. aws_credentials_http: improved error cases, rewrite tests

    This patch fixes the following:
    1. ensures malformed tokens (containing `\r\n`) are treated as invalid
    2. fixes allowing any https host, which previously went through the same
       checks as http hosts
    3. fixes a memory leak when provider initialisation fails
    4. logs errors from the HTTP agent
    5. rewrites the tests using the cases from PettitWesley/fluent-bit@195db30
    
    Signed-off-by: Andrew Titmuss <[email protected]>
    iandrewt committed Jun 29, 2024
    041c314