Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws: add support for EKS Pod Identities #9206

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

aws: add support for EKS Pod Identities #9206

wants to merge 3 commits into from
+934 −78

Conversation

PettitWesley
Copy link
Contributor

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • Example configuration file for the change
  • Debug log output from testing the change
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

@PettitWesley
utils: add flb_utils_url_split_sds
2ff35bd 
Signed-off-by: Wesley Pettit <[email protected]>
@PettitWesley
aws: http_credentials: support EKS Pod Identity
1159929 
    This change brings the http credential provider
    in line with the latest spec and adds support for:
    - EKS Pod Identity
      - validate/support EKS credential link local IP 169.254.170.23
    - Latest HTTP Provider spec:
      - AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
      - AWS_CONTAINER_CREDENTIALS_FULL_URI
      - AWS_CONTAINER_AUTHORIZATION_TOKEN
      - AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE

Signed-off-by: Wesley Pettit <[email protected]>
@PettitWesley
tests: internal: aws: EKS Pod identity tests
fa7f66e 
Signed-off-by: Wesley Pettit <[email protected]>
@PettitWesley
Copy link
Contributor Author

@edsiper I tested these changes thoroughly on a new EKS cluster back in May. My change has unit tests which pass. It should be safe to merge after I just now performed a simple rebase with no conflicts. Unfortunately I am unable test this again right now.

Please see my comments on the alternate (mostly the same) implementation: #9013 (review)

@iandrewt iandrewt mentioned this pull request Aug 14, 2024
Open
3 tasks
@edsiper
Copy link
Member

edsiper commented Aug 27, 2024

@PettitWesley there are some memory leaks detected in the unit test:

https://github.com/fluent/fluent-bit/actions/runs/10381178881/job/28776004954?pr=9206#step:5:3421

@edsiper
Copy link
Member

edsiper commented Aug 27, 2024

@PettitWesley @iandrewt

In the branch eks-pod-identity3.0 I pushed some commits on top of this branch/PR to fix the leaks found. The patch in order are:

Remaining issues found with Valgrind:

valgrind --leak-check=full bin/flb-it-aws_credentials_http

Test test_http_validator_invalid_host...        [ FAILED ]
  aws_credentials_http.c:728: Check provider == NULL... failed
==964174== Warning: invalid file descriptor -1 in syscall close()
Test test_http_validator_invalid_port...        [ FAILED ]
  aws_credentials_http.c:757: Check provider == NULL... failed
==964174== Warning: invalid file descriptor -1 in syscall close()
FAILED: 2 of 11 unit tests have failed.
==964174==
==964174== HEAP SUMMARY:
==964174==     in use at exit: 19,024 bytes in 9 blocks
==964174==   total heap usage: 17,168 allocs, 17,159 frees, 1,808,409 bytes allocated
==964174==
==964174== 212 (96 direct, 116 indirect) bytes in 1 blocks are definitely lost in loss record 7 of 9
==964174==    at 0x484D953: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==964174==    by 0x16D064: flb_calloc (include/fluent-bit/flb_mem.h:95)
==964174==    by 0x16D47F: flb_endpoint_provider_create (src/aws/flb_aws_credentials_http.c:265)
==964174==    by 0x16DA26: flb_http_provider_create (src/aws/flb_aws_credentials_http.c:394)
==964174==    by 0x162EDD: test_http_validator_invalid_host (tests/internal/aws_credentials_http.c:727)
==964174==    by 0x1609B7: acutest_do_run_ (tests/internal/../lib/acutest/acutest.h:1034)
==964174==    by 0x15F68D: acutest_run_ (tests/internal/../lib/acutest/acutest.h:1205)
==964174==    by 0x15E329: main (tests/internal/../lib/acutest/acutest.h:1769)
==964174==
==964174== 212 (96 direct, 116 indirect) bytes in 1 blocks are definitely lost in loss record 8 of 9
==964174==    at 0x484D953: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==964174==    by 0x16D064: flb_calloc (include/fluent-bit/flb_mem.h:95)
==964174==    by 0x16D47F: flb_endpoint_provider_create (src/aws/flb_aws_credentials_http.c:265)
==964174==    by 0x16DA26: flb_http_provider_create (src/aws/flb_aws_credentials_http.c:394)
==964174==    by 0x163053: test_http_validator_invalid_port (tests/internal/aws_credentials_http.c:756)
==964174==    by 0x1609B7: acutest_do_run_ (tests/internal/../lib/acutest/acutest.h:1034)
==964174==    by 0x15F68D: acutest_run_ (tests/internal/../lib/acutest/acutest.h:1205)
==964174==    by 0x15E329: main (tests/internal/../lib/acutest/acutest.h:1769)
==964174==
==964174== 18,600 bytes in 1 blocks are definitely lost in loss record 9 of 9
==964174==    at 0x484D953: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==964174==    by 0x15F8C4: flb_calloc (include/fluent-bit/flb_mem.h:95)
==964174==    by 0x162E6F: test_http_validator_invalid_host (tests/internal/aws_credentials_http.c:722)
==964174==    by 0x1609B7: acutest_do_run_ (tests/internal/../lib/acutest/acutest.h:1034)
==964174==    by 0x15F68D: acutest_run_ (tests/internal/../lib/acutest/acutest.h:1205)
==964174==    by 0x15E329: main (tests/internal/../lib/acutest/acutest.h:1769)
==964174==
==964174== LEAK SUMMARY:
==964174==    definitely lost: 18,792 bytes in 3 blocks
==964174==    indirectly lost: 232 bytes in 6 blocks
==964174==      possibly lost: 0 bytes in 0 blocks
==964174==    still reachable: 0 bytes in 0 blocks
==964174==         suppressed: 0 bytes in 0 blocks
==964174==

just trying to speed up things, can you pls review the commits and cherry-pick them ?

@edsiper
Copy link
Member

edsiper commented Sep 2, 2024

moving this for 3.2. we need someone to incorporate the changes

@voidlily voidlily mentioned this pull request Sep 5, 2024
Open
@voidlily voidlily mentioned this pull request Oct 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edsiper edsiper Awaiting requested review from edsiper edsiper is a code owner

@leonardo-albertovich leonardo-albertovich Awaiting requested review from leonardo-albertovich leonardo-albertovich is a code owner

@fujimotos fujimotos Awaiting requested review from fujimotos fujimotos is a code owner

@koleini koleini Awaiting requested review from koleini koleini is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
docs-required
Projects
None yet
Milestone
Fluent Bit v3.2.0
Development

Successfully merging this pull request may close these issues.
2 participants
@PettitWesley @edsiper