Refactor AWS credential provider #75587
Conversation
k8s-ci-robot
added
the
release-note
|
@tiffanyfay: You must be a member of the kubernetes/kubernetes-milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your and have them propose you as an additional delegate for this responsibility. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
kind/cleanup
k8s-ci-robot
added
the
priority/important-soon
k8s-ci-robot
added
the
cncf-cla: yes
|
@tiffanyfay: GitHub didn't allow me to request PR reviews from the following users: jonjohnsonjr. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @tiffanyfay. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
area/kubelet
sig/node
|
/assign random-liu |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
Thanks for the PR @tiffanyfay! This is also needed as part of #69585 |
| return nil, err | ||
| } | ||
| splitURL := strings.Split(parsed.Host, ".") | ||
| if len(splitURL) < 4 || splitURL[2] != "ecr" || splitURL[4] != "amazonaws" { |
There was a problem hiding this comment.
splitURL[2] can also (validly) be ecr-fips. If it's ecr-fips, you should also override the ECR API endpoint. You can construct the correct endpoint with something like this:
resolver := endpoints.DefaultResolver()
endpoint, err := resolver.EndpointFor("ecr-fips", region, func(opts *endpoints.Options) {
opts.ResolveUnknownService = true
})and then you can pass the endpoint in when creating the API client.
There was a problem hiding this comment.
Will make this as a separate PR, thanks!
|
/retest |
|
structure lgtm will defer to sig-aws reviews on AWS specifics and sufficient test coverage (does this actually get exercised in CI?) |
|
/approve I don't think there's e2e coverage for this. Some follow-up items before v1.15 goes out:
@justinsb PTAL :) |
k8s-ci-robot
added
the
lgtm
|
/lgtm Also approved as a member of @kubernetes/sig-aws-misc |
|
Given the parsed /cc @derekwaynecarr @smarterclayton @mrunalp @Random-Liu @feiskyer From my reading of this, the credential provider interface is oriented around docker image specs (DockerConfigProvider, DockerKeyring), so it's appropriate to assume docker image spec format here. |
k8s-ci-robot
requested review from
derekwaynecarr,
feiskyer,
mrunalp,
Random-Liu and
smarterclayton
|
I am ok with passing repoName to credential provider, because credential provider assumes docker pull specs as supported by all standard CRI implementations. One question - does this has performance implications since we're now having to load more providers? |
It shouldn't, it's one additional provider, which does fast detection (in the Enabled() check), equivalent to the existing providers. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andrewsykim, liggitt, mcrute, tiffanyfay The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
| if len(splitURL) == 0 { | ||
| return nil, fmt.Errorf("%s is not a valid ECR repository URL", parsed.Hostname()) | ||
| } | ||
| return &parsedURL{ |
There was a problem hiding this comment.
Should there be a check on the number of parts in splitURL before accessing ?
| f.mutex.Lock() | ||
| defer f.mutex.Unlock() | ||
|
|
||
| if getter, ok := f.cache[region]; ok { |
There was a problem hiding this comment.
It seems we can introduce RWLock and use read lock here, write lock for line 253.
|
@tiffanyfay - thanks for this change, it's super helpful to us to have this! Are there any docs or example use cases on where/how to pass the AWS credentials (assuming access key/secret) into a non-AWS-based Kubelet? Should they be environment variables? |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #37962
Fixes google/go-containerregistry#355
Needed for #69585
Special notes for your reviewer:
The Provide interface change to add repoToPull is needed for ECR to be able to get the registryID and region without using Cloud Provider. There are then used with the ECR API to get credentials. LazyProvide was added for AWS and no other provider uses it, nor are we using it anymore, so it will be removed in a future PR. This PR requires #75585 to be merged.
Does this PR introduce a user-facing change?:
/sig aws
/sig cloud-provider
/cc @yastij @andrewsykim @mcrute @nckturner @cheftako @jonjohnsonjr
/assign @liggitt @justinsb
/milestone v1.15
/priority important-soon