Refactor AWS credential provider #75587
Conversation
@tiffanyfay: You must be a member of the kubernetes/kubernetes-milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your and have them propose you as an additional delegate for this responsibility. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@tiffanyfay: GitHub didn't allow me to request PR reviews from the following users: jonjohnsonjr. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Hi @tiffanyfay. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign random-liu
/ok-to-test
Thanks for the PR @tiffanyfay! This is also needed as part of #69585
return nil, err | ||
} | ||
splitURL := strings.Split(parsed.Host, ".") | ||
if len(splitURL) < 4 || splitURL[2] != "ecr" || splitURL[4] != "amazonaws" { |
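Review bot: the length guard and the indices in this condition disagree: `len(splitURL) < 4` admits a four-label host, yet `splitURL[4]` needs at least five labels, so a host such as `a.b.c.d` panics with an index out of range before the `!= "amazonaws"` comparison ever runs. A well-formed ECR registry host has six labels (`<account>.dkr.ecr.<region>.amazonaws.com`), so the guard should be `len(splitURL) < 6` (checking `splitURL[1] == "dkr"` as well would be cheap), and anything shorter should return the not-a-valid-ECR-URL error rather than reaching the index.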
`splitURL[2]` can also (validly) be `ecr-fips`. If it's `ecr-fips`, you should also override the ECR API endpoint. You can construct the correct endpoint with something like this:

```go
// endpoints is github.com/aws/aws-sdk-go/aws/endpoints
resolver := endpoints.DefaultResolver()
endpoint, err := resolver.EndpointFor("ecr-fips", region, func(opts *endpoints.Options) {
	opts.ResolveUnknownService = true
})
```

and then you can pass the endpoint in when creating the API client.
Will make this as a separate PR, thanks!
/retest
structure lgtm, will defer to sig-aws reviews on AWS specifics and sufficient test coverage (does this actually get exercised in CI?)
/approve I don't think there's e2e coverage for this. Some follow-up items before v1.15 goes out:
@justinsb PTAL :)
/lgtm Also approved as a member of @kubernetes/sig-aws-misc
Given the parsed /cc @derekwaynecarr @smarterclayton @mrunalp @Random-Liu @feiskyer From my reading of this, the credential provider interface is oriented around docker image specs (DockerConfigProvider, DockerKeyring), so it's appropriate to assume docker image spec format here.
I am ok with passing repoName to credential provider, because credential provider assumes docker pull specs as supported by all standard CRI implementations. One question - does this have performance implications since we're now having to load more providers?
It shouldn't, it's one additional provider, which does fast detection (in the Enabled() check), equivalent to the existing providers.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andrewsykim, liggitt, mcrute, tiffanyfay The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
if len(splitURL) == 0 { | ||
return nil, fmt.Errorf("%s is not a valid ECR repository URL", parsed.Hostname()) | ||
} | ||
return &parsedURL{ |
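Review bot: `len(splitURL) == 0` can never be true, so this guard is dead code: `strings.Split` with a non-empty separator always returns at least one element (a single empty string for an empty host), and the field accesses that follow into `splitURL` are therefore not protected by it. Replace it with a check for the actual number of labels that are indexed afterwards, for example `if len(splitURL) < 6 {`, keeping the same `%s is not a valid ECR repository URL` error for the short case.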
Should there be a check on the number of parts in splitURL before accessing ?
f.mutex.Lock() | ||
defer f.mutex.Unlock() | ||
|
||
if getter, ok := f.cache[region]; ok { |
It seems we can introduce RWLock and use read lock here, write lock for line 253.
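The read-lock suggestion above, as an added example that is not the PR's code: a region-keyed cache guarded by `sync.RWMutex`, where the hot path takes the shared lock and the miss path takes the exclusive lock and re-checks the key after acquiring it. The names (`getterCache`, `tokenGetter`, `hammer`) are this example's own, and the stored value is a stand-in for whatever the provider caches per region.

```go
// Added example (not the PR's code): a per-region cache guarded by
// sync.RWMutex. Readers take the shared lock; the exclusive lock is taken
// only on a miss, and the key is re-checked after upgrading because another
// goroutine may have populated it between RUnlock and Lock.
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// tokenGetter stands in for the per-region client the provider caches.
type tokenGetter struct {
	region string
}

// getterCache maps a region name to the getter that serves it.
type getterCache struct {
	mutex   sync.RWMutex
	cache   map[string]*tokenGetter
	created int64 // number of getters actually constructed (atomic)
	newFn   func(region string) *tokenGetter
}

func newGetterCache(newFn func(string) *tokenGetter) *getterCache {
	return &getterCache{cache: make(map[string]*tokenGetter), newFn: newFn}
}

// get returns the cached getter for region, constructing it on first use.
func (f *getterCache) get(region string) *tokenGetter {
	// Fast path: shared lock, many callers proceed concurrently.
	f.mutex.RLock()
	g, ok := f.cache[region]
	f.mutex.RUnlock()
	if ok {
		return g
	}

	// Slow path: exclusive lock. Re-check first, otherwise two callers that
	// both missed would each construct and the second would overwrite the first.
	f.mutex.Lock()
	defer f.mutex.Unlock()
	if g, ok := f.cache[region]; ok {
		return g
	}
	g = f.newFn(region)
	atomic.AddInt64(&f.created, 1)
	f.cache[region] = g
	return g
}

// constructions reports how many getters were built.
func (f *getterCache) constructions() int64 { return atomic.LoadInt64(&f.created) }

// hammer calls get concurrently for a set of regions and returns how many
// getters were constructed; with correct locking it equals the number of
// distinct regions regardless of how many goroutines race.
func hammer(regions []string, goroutines int) int64 {
	c := newGetterCache(func(r string) *tokenGetter { return &tokenGetter{region: r} })
	var wg sync.WaitGroup
	for i := 0; i < goroutines; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			want := regions[i%len(regions)]
			if got := c.get(want); got.region != want {
				panic("getter served for the wrong region: " + got.region)
			}
		}(i)
	}
	wg.Wait()
	return c.constructions()
}

func main() {
	regions := []string{"us-west-2", "us-gov-west-1", "cn-north-1"}
	fmt.Printf("constructed %d getters for %d regions\n", hammer(regions, 200), len(regions))
}
```

Dropping the re-check after `Lock()` is the usual mistake with this pattern: the code still compiles and usually works, but under contention two goroutines can both construct a client for the same region, which is exactly the extra work the read lock was meant to avoid.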
@tiffanyfay - thanks for this change, it's super helpful to us to have this! Are there any docs or example use cases on where/how to pass the AWS credentials (assuming access key/secret) into a non-AWS-based Kubelet? Should they be environment variables?
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #37962
Fixes google/go-containerregistry#355
Needed for #69585
Special notes for your reviewer:
The Provide interface change to add repoToPull is needed for ECR to be able to get the registryID and region without using Cloud Provider. These are then used with the ECR API to get credentials. LazyProvide was added for AWS and no other provider uses it, nor are we using it anymore, so it will be removed in a future PR. This PR requires #75585 to be merged.
Does this PR introduce a user-facing change?:
/sig aws
/sig cloud-provider
/cc @yastij @andrewsykim @mcrute @nckturner @cheftako @jonjohnsonjr
/assign @liggitt @justinsb
/milestone v1.15
/priority important-soon
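The ECR host handling discussed in the review (the label-count guard and the `ecr-fips` case) and the repoToPull rationale in the description, as one added example that is not the PR's code: it takes an image reference, splits off the registry host, validates the host's shape before indexing any label, and returns the registry ID, region and the service name (`ecr` or `ecr-fips`) that the reviewer's snippet passes to the endpoint resolver. The names (`parseECRRegistry`, `ecrRegistry`, `registryHost`) are this example's own, and it also covers the `.amazonaws.com.cn` suffix used by the China regions.

```go
// Added example (not the PR's code): deriving registry ID, region and API
// service name from an image reference such as
//   123456789012.dkr.ecr.us-west-2.amazonaws.com/my-app:1.0
// without ever indexing a label that has not been checked to exist.
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ecrRegistry is what a credential provider needs to call the ECR API.
type ecrRegistry struct {
	RegistryID string // 12-digit account ID, e.g. "123456789012"
	Region     string // e.g. "us-west-2"
	Service    string // "ecr" or "ecr-fips": the service name for endpoint resolution
	Host       string // the registry host as written in the image reference
}

var errNotECR = errors.New("not an ECR registry host")

// registryHost returns the registry component of an image reference. As in
// Docker's reference grammar, the first path component is a registry only if
// it contains "." or ":" or is "localhost"; "nginx:latest" or
// "library/nginx" have no registry component (Docker Hub) and are not ours.
func registryHost(image string) (string, bool) {
	i := strings.IndexByte(image, '/')
	if i < 0 {
		return "", false
	}
	first := image[:i]
	if first == "localhost" || strings.ContainsAny(first, ".:") {
		return first, true
	}
	return "", false
}

// isAccountID reports whether s is a 12-digit AWS account ID.
func isAccountID(s string) bool {
	if len(s) != 12 {
		return false
	}
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// parseECRRegistry validates a host of the form
//   <account>.dkr.ecr[-fips].<region>.amazonaws.com[.cn]
// and returns its parts, or errNotECR for anything else.
func parseECRRegistry(image string) (*ecrRegistry, error) {
	host, ok := registryHost(image)
	if !ok {
		return nil, errNotECR
	}
	name := strings.ToLower(host)
	if i := strings.IndexByte(name, ':'); i >= 0 {
		name = name[:i] // drop an explicit port before splitting on "."
	}
	parts := strings.Split(name, ".")
	// Check the label count before touching any index: six labels for
	// *.amazonaws.com, seven for *.amazonaws.com.cn, nothing else.
	switch {
	case len(parts) == 6:
	case len(parts) == 7 && parts[6] == "cn":
	default:
		return nil, errNotECR
	}
	if !isAccountID(parts[0]) || parts[1] != "dkr" || parts[3] == "" ||
		parts[4] != "amazonaws" || parts[5] != "com" {
		return nil, errNotECR
	}
	if parts[2] != "ecr" && parts[2] != "ecr-fips" {
		return nil, errNotECR
	}
	return &ecrRegistry{RegistryID: parts[0], Region: parts[3], Service: parts[2], Host: host}, nil
}

func main() {
	for _, img := range []string{
		"123456789012.dkr.ecr.us-west-2.amazonaws.com/my-app:1.0",
		"123456789012.dkr.ecr-fips.us-gov-west-1.amazonaws.com/team/app@sha256:0123",
		"123456789012.dkr.ecr.cn-north-1.amazonaws.com.cn/app",
		"nginx:latest",
		"a.b.c.d/x", // four labels: a guard of "< 4" would have panicked on index 4
	} {
		r, err := parseECRRegistry(img)
		if err != nil {
			fmt.Printf("%-78s -> %v\n", img, err)
			continue
		}
		fmt.Printf("%-78s -> account=%s region=%s service=%s\n", img, r.RegistryID, r.Region, r.Service)
	}
}
```

The `Service` field is the string to hand to the resolver (`EndpointFor("ecr-fips", region, ...)` for FIPS registries, `"ecr"` otherwise), so the same parse that yields the registry ID and region also decides which API endpoint the provider must talk to. Rejecting hosts with extra trailing labels matters: `123456789012.dkr.ecr.us-west-2.amazonaws.com.evil.example` contains every expected label at the expected index and passes a check that only looks at indices 2 and 4.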