Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sundog, pluto: run settings generators with network proxy environment vars #2227

Merged
merged 2 commits into from
Jul 25, 2022
Merged

sundog, pluto: run settings generators with network proxy environment vars #2227

merged 2 commits into from
Jul 25, 2022

Conversation

etungsten
Copy link
Contributor

@etungsten etungsten commented Jun 21, 2022
edited
Loading

Issue number:
Fixes #2197

Description of changes:

    sundog: run settings generators with network proxy environment vars
    
    We make sure settings generators are kicked-off with user-specified
    network proxy environment variables.

Author: Erikson Tung <etung@amazon.com>
Date:   Tue Jun 21 18:16:38 2022 -0700

    pluto: respect `https_proxy` and `no_proxy` when making EKS API reqs
    
    Both `rusoto` and `aws-sdk-rust` do not respect `https_proxy` and
    `no_proxy` env vars. We have to handle it ourselves by creating a custom
    hyper http 'connector' that's configured with the right proxying
    configuration.

Testing done:
Builds and runs fine.
Launched instance with aws-k8s-1.23 AMI with user-data that includes the following:

[settings.network]
https-proxy = "my-proxy:9898"

Checked proxy server logs and found all traffic being tunneled including the EKS API calls for DescribeCluster

CONNECT   Jun 22 08:00:00 [3794]: Connect (file descriptor 7): ec2-35-88-231-112.us-west-2.compute.amazonaws.com [35.88.231.112]   
CONNECT   Jun 22 08:00:00 [3794]: Request (file descriptor 7): CONNECT eks.us-west-2.amazonaws.com:443 HTTP/1.1                    
INFO      Jun 22 08:00:00 [3794]: No upstream proxy for eks.us-west-2.amazonaws.com                                                
INFO      Jun 22 08:00:00 [3794]: opensock: opening connection to eks.us-west-2.amazonaws.com:443                                  
INFO      Jun 22 08:00:00 [3794]: opensock: getaddrinfo returned for eks.us-west-2.amazonaws.com:443                               
CONNECT   Jun 22 08:00:00 [3794]: Established connection to host "eks.us-west-2.amazonaws.com" using file descriptor 8.            
INFO      Jun 22 08:00:00 [3794]: Not sending client headers to remote machine                                                     
INFO      Jun 22 08:00:00 [3794]: Closed connection between local client (fd:7) and remote client (fd:8)

Checking CloudTrail, I can see that the DescribeCluster API call source IP is my proxy server

...
    "eventTime": "2022-06-22T08:00:00Z",
    "eventSource": "eks.amazonaws.com",
    "eventName": "DescribeCluster",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "my-proxy-IP",
    "userAgent": "rusoto/0.48.0 rust/1.61.0 linux",
...

If I set no-proxy for the EKS API endpoint for a new instance launch like so:

[settings.network]
https-proxy = "my-proxy:9898"
no-proxy = ["eks.us-west-2.amazonaws.com"]

Then I can see that EKS API calls do not get proxied and the source IP is my actual instance:

...
    "eventTime": "2022-06-22T08:10:04Z",
    "eventSource": "eks.amazonaws.com",
    "eventName": "DescribeCluster",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "34.211.227.47",
    "userAgent": "rusoto/0.48.0 rust/1.61.0 linux",
...

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@etungsten etungsten force-pushed the sundog-proxy branch 2 times, most recently from b22c5eb to 9665120 Compare June 21, 2022 21:59
@etungsten
Copy link
Contributor Author

So turns out there's a bit of complication with rusoto not respecting proxy environment variables automatically. The gist of it is that I'll have to create a custom rusoto_core::HttpClient with the right proxy config in pluto for the EksClient. See rusoto/rusoto#1172

Once we've switch over to aws-rust-sdk wholesale, we can just remove the custom http client from pluto.
See #1968

@etungsten
Copy link
Contributor Author

Apparently this is still an issue for aws-rust-sdk as well, so switching over won't help pluto either. See awslabs/aws-sdk-rust#169

@etungsten etungsten force-pushed the sundog-proxy branch 3 times, most recently from 0c9aa09 to 642666e Compare June 22, 2022 15:46
@etungsten etungsten changed the title sundog: run settings generators with network proxy environment vars sundog, pluto: run settings generators with network proxy environment vars Jun 22, 2022
@etungsten etungsten marked this pull request as ready for review June 22, 2022 15:48
@etungsten etungsten requested review from bcressey, webern and rpkelly and removed request for bcressey June 22, 2022 15:48
webern
webern reviewed Jun 22, 2022
View reviewed changes
Copy link
Contributor

@webern webern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, I'm disappointed that the AWS Rust SDK does not support proxy env vars. Rusoto I could understand because it may be using an old version of hyper, but I would have expected the AWS Rust SDK to be using the latest hyper under-the-hood.

@etungsten etungsten requested review from jpculp and zmrow July 20, 2022 15:57
zmrow
zmrow approved these changes Jul 20, 2022
View reviewed changes
Copy link
Contributor

@zmrow zmrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚢

Nice work!

jpculp
jpculp approved these changes Jul 20, 2022
View reviewed changes
Copy link
Member

@jpculp jpculp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like we're getting multiple versions of a couple crates due to things depending of hyper-rustls, but since aws-rust-sdk also uses 0.22.1, it will get sorted out when we transition.

bcressey
bcressey reviewed Jul 22, 2022
View reviewed changes
etungsten added 2 commits July 22, 2022 11:27
@etungsten
sundog: run settings generators with network proxy environment vars
40803c0 
We make sure settings generators are kicked-off with user-specified
network proxy environment variables.
@etungsten
pluto: respect https_proxy and no_proxy when making EKS API reqs
538de7a 
Both `rusoto` and `aws-sdk-rust` do not respect `https_proxy` and
`no_proxy` env vars. We have to handle it ourselves by creating a custom
hyper http 'connector' that's configured with the right proxying
configuration.
@etungsten
Copy link
Contributor Author

etungsten commented Jul 22, 2022
edited
Loading

Push above addresses @bcressey 's comments.

Tested changes they still work as described in the PR description

@etungsten etungsten requested a review from bcressey July 22, 2022 18:37
@etungsten etungsten merged commit 3ab47ed into bottlerocket-os:develop Jul 25, 2022
@etungsten etungsten deleted the sundog-proxy branch July 25, 2022 17:41
@etungsten etungsten mentioned this pull request Jul 26, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webern webern webern left review comments

@bcressey bcressey bcressey approved these changes

@rpkelly rpkelly rpkelly approved these changes

@zmrow zmrow zmrow approved these changes

@jpculp jpculp jpculp approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

sundog does not respect proxy settings
6 participants
@etungsten @bcressey @rpkelly @zmrow @jpculp @webern