Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(aws-lambda): let plugin level proxy take effect on EKS IRSA credential provider #11551

Merged
merged 3 commits into from
Sep 13, 2023
Merged

fix(aws-lambda): let plugin level proxy take effect on EKS IRSA credential provider #11551

merged 3 commits into from
Sep 13, 2023

Conversation

windmgc
Copy link
Member

@windmgc windmgc commented Sep 12, 2023
edited
Loading

Summary

This PR contains a fix to let aws-lambda plugin-level proxy configuration take effect when fetching IAM credentials in an EKS environment. The EKS IRSA credential provider(aka TokenFileWebIdentityCredentials) will fire a request to AWS STS service when fetching the credential, and the request itself may need to go through the plugin-level proxy configuration. Here we check if a proxy is configured and whether the plugin is running inside the EKS environment with IRSA related configuration provided, then we replace the provider with a new TokenFileWebIdentityCredentials that supports proxy.

Checklist

  • [na] The Pull Request has tests
  • A changelog file has been added to CHANGELOG/unreleased/kong or adding skip-changelog label on PR if unnecessary. README.md
  • There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE

Full changelog

  • let plugin level proxy take effect on EKS IRSA credential provider

Issue reference

FTI-5242, this is currently an urgent blocker

@windmgc windmgc force-pushed the fix-aws-eks-irsa-cred-proxy branch 2 times, most recently from 808be20 to 9c1c58a Compare September 12, 2023 08:43
@windmgc windmgc mentioned this pull request Sep 13, 2023
Merged
windmgc added a commit to Kong/lua-resty-aws that referenced this pull request Sep 13, 2023
@windmgc
fix(signature): none-signature(unsigned) should support network relat…
23db77b 
…ed config options as well (#79)

Prerequisite for Kong/kong#11551

FTI-5242
@windmgc windmgc force-pushed the fix-aws-eks-irsa-cred-proxy branch from 9c1c58a to d6786d4 Compare September 13, 2023 03:43
@pull-request-size pull-request-size bot added size/M and removed size/S labels Sep 13, 2023
@windmgc windmgc marked this pull request as ready for review September 13, 2023 03:46
oowl
oowl approved these changes Sep 13, 2023
View reviewed changes
Copy link
Member

@oowl oowl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@windmgc windmgc merged commit c2c8c24 into master Sep 13, 2023
36 checks passed
@windmgc windmgc deleted the fix-aws-eks-irsa-cred-proxy branch September 13, 2023 04:35
windmgc added a commit that referenced this pull request Sep 15, 2023
@windmgc
fix(aws-lambda): let plugin level proxy take effect on EKS IRSA crede…
78f806f 
…ntial provider (#11551)

This PR contains a fix to let aws-lambda plugin-level proxy configuration take effect when fetching IAM credentials in an EKS environment. The EKS IRSA credential provider(aka TokenFileWebIdentityCredentials) will fire a request to AWS STS service when fetching the credential, and the request itself may need to go through the plugin-level proxy configuration. Here we check if a proxy is configured and whether the plugin is running inside the EKS environment with IRSA related configuration provided, then we replace the provider with a new TokenFileWebIdentityCredentials that supports proxy.

FTI-5242
@bungle bungle mentioned this pull request Sep 20, 2023
Merged
3 tasks
windmgc added a commit that referenced this pull request Nov 2, 2023
@windmgc
fix(aws-lambda): let plugin level proxy take effect on EKS IRSA crede…
2329085 
…ntial provider (#11551)

This PR contains a fix to let aws-lambda plugin-level proxy configuration take effect when fetching IAM credentials in an EKS environment. The EKS IRSA credential provider(aka TokenFileWebIdentityCredentials) will fire a request to AWS STS service when fetching the credential, and the request itself may need to go through the plugin-level proxy configuration. Here we check if a proxy is configured and whether the plugin is running inside the EKS environment with IRSA related configuration provided, then we replace the provider with a new TokenFileWebIdentityCredentials that supports proxy.

FTI-5242
@windmgc windmgc mentioned this pull request Nov 3, 2023
Merged
3 tasks
windmgc added a commit that referenced this pull request Nov 3, 2023
@windmgc
fix(aws-lambda): let plugin level proxy take effect on EKS IRSA crede…
12bd44c 
…ntial provider (#11551)

This PR contains a fix to let aws-lambda plugin-level proxy configuration take effect when fetching IAM credentials in an EKS environment. The EKS IRSA credential provider(aka TokenFileWebIdentityCredentials) will fire a request to AWS STS service when fetching the credential, and the request itself may need to go through the plugin-level proxy configuration. Here we check if a proxy is configured and whether the plugin is running inside the EKS environment with IRSA related configuration provided, then we replace the provider with a new TokenFileWebIdentityCredentials that supports proxy.

FTI-5242
@kikito kikito mentioned this pull request Jan 24, 2024
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oowl oowl oowl approved these changes

Assignees

@windmgc windmgc

Labels
plugins/aws-lambda size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@windmgc @oowl