Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use AWS SDK to retrieve ec2 instance identity doc #1369

Merged
merged 1 commit into from
Feb 13, 2020
Merged

Use AWS SDK to retrieve ec2 instance identity doc #1369

merged 1 commit into from
Feb 13, 2020

Conversation

mcpherrinm
Copy link
Contributor

This is an alternative design to #1360
Rather than trying to always use the SDK, the fallback path here uses the old code.
This is thus more compatible, at the expense of being a bit branchier.

Which issue this PR fixes
fixes #1359

@mcpherrinm mcpherrinm mentioned this pull request Feb 8, 2020
Closed
2 tasks
azdagron
azdagron reviewed Feb 11, 2020
View reviewed changes
Copy link
Member

@azdagron azdagron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, yeah, I don't mind this....

pkg/agent/plugin/nodeattestor/aws/iid.go Outdated
IdentityDocumentURL string `hcl:"identity_document_url"`
IdentitySignatureURL string `hcl:"identity_signature_url"`
EC2MetadataEndpoint string `hcl:"ec2_metadata_endpoint"`
IdentityDocumentURL string `hcl:"identity_document_url"` // Deprecated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: prefix vars with Deprecated (but keep hcl tag as-is) as a visual indicator that new code shouldn't rely on them

pkg/agent/plugin/nodeattestor/aws/iid.go Outdated
config.IdentityDocumentURL = defaultIdentityDocumentURL
}
// If we have a legacy config, ensure both have a value
if config.EC2MetadataEndpoint == "" && (config.IdentitySignatureURL != "" || config.IdentityDocumentURL != "") {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should log here if deprecated configurables are set and the new endpoint configurable is:

  1. set (e.g. "deprecated configurable foo is ignored because...")
  2. not set (.e.g. "deprecated configurable foo will be deprecated in a future release. please use ec2_metadata_endpoint instead")

@mcpherrinm
Copy link
Contributor Author

mcpherrinm commented Feb 13, 2020
edited
Loading

Addressed feedback (warning logs, use Deprecated prefix on variable names)

I rebased on master and force-pushed the updated commit since there was some merge conflicts with my other cleanup PR in #1368

azdagron
azdagron reviewed Feb 13, 2020
View reviewed changes
Copy link
Member

@azdagron azdagron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great! I had a few nitpicks that are also causing lint failures. I'll be ready to approve and merge once those are fixed.

pkg/agent/plugin/nodeattestor/aws/iid.go Outdated
"fmt"
"github.com/hashicorp/go-hclog"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: this import belongs down with the other group...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed. Blame my IDE upgrading losing my save-actions auto-goimports :)

pkg/agent/plugin/nodeattestor/aws/iid.go Outdated
"io/ioutil"
"net/http"
"sync"

awsSdk "github.com/aws/aws-sdk-go/aws"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we aren't consistent in the codebase but named imports should follow package naming conventions (i.e. awssdk)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed to awssdk

@mcpherrinm
Use AWS SDK to retrieve ec2 instance identity doc
25ebf95 
This keeps the old code, and if either the doc or sig URL is set, it uses the
old codepath.  After a deprecation period, we can delete it.

Signed-off-by: Matthew McPherrin <mmc@squareup.com>
@azdagron azdagron merged commit dd37263 into spiffe:master Feb 13, 2020
@mcpherrinm mcpherrinm deleted the use-aws-sdk-metadata branch February 13, 2020 18:28
This was referenced Feb 13, 2020
Closed
Merged
This was referenced Feb 28, 2020
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@azdagron azdagron azdagron approved these changes

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo

@APTy APTy Awaiting requested review from APTy

@evan2645 evan2645 Awaiting requested review from evan2645

@marcosy marcosy Awaiting requested review from marcosy

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

spire-agent's aws_iid node attestor doesn't use IMDSv2
2 participants
@mcpherrinm @azdagron