Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Migrate IAM to aws-sdk-go-v2 #16435

Merged
merged 2 commits into from
Mar 30, 2024
Merged

Conversation

rifelpet
Copy link
Member

ref: #16424

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. area/provider/aws Issues or PRs related to aws provider labels Mar 30, 2024
@rifelpet rifelpet force-pushed the aws-sdk-go-v2-iam branch from 3d2f019 to 926bc56 Compare March 30, 2024 15:47
@hakman
Copy link
Member

hakman commented Mar 30, 2024

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 30, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 30, 2024
}

func (m *MockIAM) CreateInstanceProfile(request *iam.CreateInstanceProfileInput) (*iam.CreateInstanceProfileOutput, error) {
func (m *MockIAM) CreateInstanceProfile(ctx context.Context, request *iam.CreateInstanceProfileInput, optFns ...func(*iam.Options)) (*iam.CreateInstanceProfileOutput, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah cool, I like that the context is there by default now :-)

m.mutex.Lock()
defer m.mutex.Unlock()

klog.Infof("CreateInstanceProfile: %v", request)

ip := m.InstanceProfiles[aws.StringValue(request.InstanceProfileName)]
if ip == nil {
ip, ok := m.InstanceProfiles[aws.ToString(request.InstanceProfileName)]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm guessing you were thinking about making this a map of structs, rather than a map of pointers, but then decided not to (?)

@@ -21,8 +21,8 @@ import (
"sort"
"strings"

awsIam "github.com/aws/aws-sdk-go-v2/service/iam"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: we should probably switch awsIam -> awsiam at some stage, it's more go idiomatic I believe

if err != nil {
getRoleErr = fmt.Errorf("calling IAM GetRole on %s: %w", fi.ValueOf(role.RoleName), err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, this is going to be a much more ergonomic API :-)

@@ -500,13 +505,9 @@ func (b *IAMModelBuilder) FindDeletions(context *fi.CloudupModelBuilderContext,
}
}
}
return true
})
}
if getRoleErr != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: this isn't used any more, I believe?

if errors.As(err, &nse) {
klog.Warningf("could not find IAM OIDC Provider %q. Resource may already have been deleted: %v", aws.StringValue(arn), nse)
continue
} else if awserror, ok := err.(smithy.APIError); ok && awserror.ErrorCode() == "403" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feels like a more fragile API than we had before. Maybe we should hide if awserror, ok := err.(smithy.APIError); ok && awserror.ErrorCode() == "403" behind a function like IsHTTP403Error(err error) bool ?

if awsErr.Code() == iam.ErrCodeNoSuchEntityException {
response, err := cloud.IAM().GetRolePolicy(ctx, request)
if err != nil {
var nse *iamtypes.NoSuchEntityException
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess we could also have a helper for this check, but this one is simpler.

c.iam = iam.New(sess, config)
c.iam.Handlers.Send.PushFront(requestLogger)
c.addHandlers(region, &c.iam.Handlers)
c.iam = iam.NewFromConfig(cfgV2)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So we are losing 3 things:

  • SharedConfigState
  • requestlogger
  • addHandlers - which configures the cross-request delay

Do we think any of those are still important?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SharedConfigState is now default: https://aws.github.io/aws-sdk-go-v2/docs/migrating/#client-construction

there is no way to disable or enable SharedConfigState anymore, only specify which shared config file to use (default ~/.aws/config)

@justinsb
Copy link
Member

Thanks for doing this @rifelpet

Generally looks good, but my one "blocker" is whether we've lost things by "just" doing iam.NewFromConfig(cfgV2). I'm fine if the answer is "we may be losing things, and if we are we can add them back, but we don't think we need them" - but I just want to make sure we're doing it consciously.

@rifelpet
Copy link
Member Author

Thanks for doing this @rifelpet

Generally looks good, but my one "blocker" is whether we've lost things by "just" doing iam.NewFromConfig(cfgV2). I'm fine if the answer is "we may be losing things, and if we are we can add them back, but we don't think we need them" - but I just want to make sure we're doing it consciously.

I mention the config changes here. I'm hoping that the SDK's new built-in retryer and retry logger will be sufficient for our needs but we'll find out once we run scale tests (and likely wont find out until the largest AWS service is migrated - EC2)

I'll address your nits in a followup

@k8s-ci-robot k8s-ci-robot merged commit e594c4d into kubernetes:master Mar 30, 2024
21 of 22 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.29 milestone Mar 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/provider/aws Issues or PRs related to aws provider cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants