Aws sts conn pool (#78)

* moved sts cred provider into TLS slot
* got rid of thread local cache
* stash
* Merge branch 'master' of github.com:solo-io/envoy-gloo into aws-sts-conn-pool
* should not be committed
* fetcher compiles again
* building with slight class refactor
* formatting
* static construtor
* working on cred provider
* credential provider lib working
* it builds
* it's working
* using local dispatcher
* new file watcher compiling
* formatting
* working
* Delete envoy_env.yaml
* fetcher tests passing again
* basic connection pool test
* tests for connection pool passing
* added connection pool factory to mock fetcher
* formatting
* in the middle of getting tests to compile
* credential provider tests passing
* fixed filter test
* compiles, need to debug
* passing
* Merge branch 'master' into aws-sts-conn-pool
* add pprof
* oops
* maybe strict
* no more memory issues
* using function for onFailure
* building with new names
* made private constructor
* added tests for file watcher
* formatting
* only call when STS is used
* fixed lifetime of config
* formatting
* changelog

Author: EItanya

.bazelrc

@@ -113,7 +113,7 @@ build:libc++ --define force_libcpp=enabled
 build:sizeopt -c opt --copt -Os
 
 # Test options
-build --test_env=HEAPCHECK=normal --test_env=PPROF_PATH
+build --test_env=HEAPCHECK=strict --test_env=PPROF_PATH
 
 # Coverage options
 coverage --config=coverage

changelog/v1.16.0-rc2/aws-sts-connection-pool.yaml

@@ -0,0 +1,5 @@
+changelog:
+- type: NEW_FEATURE
+  description: Add connection pooling to AWS STS connections for better performance
+  issueLink: https://github.com/solo-io/envoy-gloo/issues/80
+

ci/do_ci.sh

@@ -30,5 +30,8 @@ export NUM_CPUS=16
 # google cloud build doesn't like ipv6
 export BAZEL_EXTRA_TEST_OPTIONS="--test_env=ENVOY_IP_TEST_VERSIONS=v4only --test_output=errors --jobs=${NUM_CPUS}"
 
+# sudo apt-get install google-perftools -y
+# export PPROF_PATH=$(which google-pprof) 
+
 echo Building
 bash -x $UPSTREAM_ENVOY_SRCDIR/ci/do_ci.sh "$@"

source/extensions/filters/http/aws_lambda/BUILD

@@ -88,9 +88,27 @@ envoy_cc_library(
     srcs = ["sts_credentials_provider.cc"],
     hdrs = ["sts_credentials_provider.h"],
     repository = "@envoy",
+    deps = [
+        ":sts_connection_pool_lib",
+        "@envoy//source/common/common:minimal_logger_lib",
+        "@envoy//source/common/common:linked_object",
+        "@envoy//source/common/config:datasource_lib",
+        "@envoy//source/common/protobuf:utility_lib",
+        "@envoy//source/common/filesystem:watcher_lib",
+        "@envoy//source/extensions/common/aws:credentials_provider_interface",
+        "//api/envoy/config/filter/http/aws_lambda/v2:pkg_cc_proto",
+    ],
+)
+
+envoy_cc_library(
+    name = "sts_connection_pool_lib",
+    srcs = ["sts_connection_pool.cc"],
+    hdrs = ["sts_connection_pool.h"],
+    repository = "@envoy",
     deps = [
         ":sts_fetcher_lib",
         "@envoy//source/common/common:minimal_logger_lib",
+        "@envoy//source/common/common:linked_object",
         "@envoy//source/common/config:datasource_lib",
         "@envoy//source/common/protobuf:utility_lib",
         "@envoy//source/common/filesystem:watcher_lib",

source/extensions/filters/http/aws_lambda/aws_lambda_filter.cc

@@ -124,7 +124,7 @@ void AWSLambdaFilter::onSuccess(
     std::shared_ptr<const Envoy::Extensions::Common::Aws::Credentials>
         credentials) {
   credentials_ = credentials;
-  // Do not null context here; all hell will break loose.
+  context_ = nullptr;
   state_ = State::Complete;
 
   const std::string *access_key{};
@@ -171,6 +171,8 @@ void AWSLambdaFilter::onSuccess(
 
 // TODO: Use the failure status in the local reply
 void AWSLambdaFilter::onFailure(CredentialsFailureStatus) {
+  // cancel mustn't be called
+  context_ = nullptr;
   state_ = State::Responded;
   decoder_callbacks_->sendLocalReply(
       Http::Code::InternalServerError, RcDetails::get().CredentialsNotFoundBody,

source/extensions/filters/http/aws_lambda/aws_lambda_filter.h

@@ -22,7 +22,7 @@ namespace AwsLambda {
  * it expects retrieveFunction to be called before decodeHeaders.
  */
 class AWSLambdaFilter : public Http::StreamDecoderFilter,
-                        StsCredentialsProvider::Callbacks,
+                        StsConnectionPool::Context::Callbacks,
                         Logger::Loggable<Logger::Id::filter> {
 public:
   AWSLambdaFilter(Upstream::ClusterManager &cluster_manager, Api::Api &api,
@@ -75,7 +75,7 @@ class AWSLambdaFilter : public Http::StreamDecoderFilter,
 
   CredentialsConstSharedPtr credentials_;
 
-  ContextSharedPtr context_;
+  StsConnectionPool::Context *context_;
   // The state of the request
   enum State { Init, Calling, Responded, Complete };
   // The state of the get credentials request.

source/extensions/filters/http/aws_lambda/aws_lambda_filter_config_factory.cc

@@ -18,15 +18,14 @@ AWSLambdaFilterConfigFactory::createFilterFactoryFromProtoTyped(
     const std::string &stats_prefix,
     Server::Configuration::FactoryContext &context) {
 
-  auto sts_factory = StsCredentialsProviderFactoryImpl(
-      context.api(), context.threadLocal(), context.dispatcher());
-  auto config = std::make_shared<AWSLambdaConfigImpl>(
+  auto config = AWSLambdaConfigImpl::create(
       std::make_unique<
           Extensions::Common::Aws::DefaultCredentialsProviderChain>(
           context.api(), Extensions::Common::Aws::Utility::metadataFetcher),
-      context.clusterManager(), sts_factory, context.dispatcher(),
-      context.threadLocal(), stats_prefix, context.scope(), context.api(),
-      proto_config);
+      StsCredentialsProviderFactory::create(context.api(),
+                                            context.clusterManager()),
+      context.dispatcher(), context.api(), context.threadLocal(), stats_prefix,
+      context.scope(), proto_config);
 
   return
       [&context, config](Http::FilterChainFactoryCallbacks &callbacks) -> void {

source/extensions/filters/http/aws_lambda/config.cc

@@ -34,21 +34,24 @@ constexpr std::chrono::milliseconds REFRESH_AWS_CREDS =
 struct ThreadLocalCredentials : public Envoy::ThreadLocal::ThreadLocalObject {
   ThreadLocalCredentials(CredentialsConstSharedPtr credentials)
       : credentials_(credentials) {}
+  ThreadLocalCredentials(StsCredentialsProviderPtr credentials)
+      : sts_credentials_(std::move(credentials)) {}
   CredentialsConstSharedPtr credentials_;
+  StsCredentialsProviderPtr sts_credentials_;
 };
 
 } // namespace
 
 AWSLambdaConfigImpl::AWSLambdaConfigImpl(
     std::unique_ptr<Extensions::Common::Aws::CredentialsProvider> &&provider,
-    Upstream::ClusterManager &cluster_manager,
-    StsCredentialsProviderFactory &sts_factory, Event::Dispatcher &dispatcher,
+    std::unique_ptr<StsCredentialsProviderFactory> &&sts_factory,
+    Event::Dispatcher &dispatcher, Api::Api &api,
     Envoy::ThreadLocal::SlotAllocator &tls, const std::string &stats_prefix,
-    Stats::Scope &scope, Api::Api &api,
+    Stats::Scope &scope,
     const envoy::config::filter::http::aws_lambda::v2::AWSLambdaConfig
         &protoconfig)
-    : context_factory_(cluster_manager, api),
-      stats_(generateStats(stats_prefix, scope)) {
+    : stats_(generateStats(stats_prefix, scope)), api_(api),
+      file_watcher_(dispatcher.createFilesystemWatcher()) {
 
   // Initialize Credential fetcher, if none exists do nothing. Filter will
   // implicitly use protocol options data
@@ -73,9 +76,23 @@ AWSLambdaConfigImpl::AWSLambdaConfigImpl(
   case envoy::config::filter::http::aws_lambda::v2::AWSLambdaConfig::
       CredentialsFetcherCase::kServiceAccountCredentials: {
     ENVOY_LOG(debug, "{}: Using STS credentials source", __func__);
+
+    // Load all of the env data for STS credentials
+    loadSTSData();
     // use service account credentials provider
+    tls_slot_ = tls.allocateSlot();
+    // transfer ptr ownership to sts_factor isn't cleaned up before we get into
+    // tls set
+    sts_factory_ = std::move(sts_factory);
     auto service_account_creds = protoconfig.service_account_credentials();
-    sts_credentials_provider_ = sts_factory.create(service_account_creds);
+    tls_slot_->set([this, web_token = web_token_, role_arn = role_arn_,
+                    service_account_creds](Event::Dispatcher &dispatcher) {
+      StsCredentialsProviderPtr sts_cred_provider = sts_factory_->build(
+          service_account_creds, dispatcher, web_token, role_arn);
+      return std::make_shared<ThreadLocalCredentials>(
+          std::move(sts_cred_provider));
+    });
+    sts_enabled_ = true;
     break;
   }
   case envoy::config::filter::http::aws_lambda::v2::AWSLambdaConfig::
@@ -85,15 +102,75 @@ AWSLambdaConfigImpl::AWSLambdaConfigImpl(
   }
 }
 
+void AWSLambdaConfigImpl::loadSTSData() {
+  // AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN must be set for STS
+  // credentials to be enabled
+  token_file_ =
+      absl::NullSafeStringView(std::getenv(AWS_WEB_IDENTITY_TOKEN_FILE));
+  if (token_file_ == "") {
+    throw EnvoyException(fmt::format("Env var {} must be present, and set",
+                                     AWS_WEB_IDENTITY_TOKEN_FILE));
+  }
+  role_arn_ = absl::NullSafeStringView(std::getenv(AWS_ROLE_ARN));
+  if (role_arn_ == "") {
+    throw EnvoyException(
+        fmt::format("Env var {} must be present, and set", AWS_ROLE_ARN));
+  }
+  // File must exist on system
+  if (!api_.fileSystem().fileExists(token_file_)) {
+    throw EnvoyException(
+        fmt::format("Web token file {} does not exist", token_file_));
+  }
+
+  web_token_ = api_.fileSystem().fileReadToEnd(token_file_);
+  // File should not be empty
+  if (web_token_ == "") {
+    throw EnvoyException(
+        fmt::format("Web token file {} exists but is empty", token_file_));
+  }
+}
+
+void AWSLambdaConfigImpl::init() {
+  if (sts_enabled_) {
+    // Add file watcher for token file
+    auto shared_this = shared_from_this();
+    file_watcher_->addWatch(
+        token_file_, Filesystem::Watcher::Events::Modified,
+        [shared_this](uint32_t) {
+          try {
+            const auto web_token = shared_this->api_.fileSystem().fileReadToEnd(
+                shared_this->token_file_);
+            // Set the web token on all sts credentials providers
+            shared_this->tls_slot_->runOnAllThreads(
+                [web_token](ThreadLocal::ThreadLocalObjectSharedPtr previous)
+                    -> ThreadLocal::ThreadLocalObjectSharedPtr {
+                  auto prev_config =
+                      std::dynamic_pointer_cast<ThreadLocalCredentials>(
+                          previous);
+                  prev_config->sts_credentials_->setWebToken(web_token);
+                  return previous;
+                });
+            // TODO: check if web_token is valid
+            // TODO: stats here
+          } catch (const EnvoyException &e) {
+            ENVOY_LOG_TO_LOGGER(
+                Envoy::Logger::Registry::getLog(Logger::Id::aws), warn,
+                "{}: Exception while reading file during watch ({}): {}",
+                __func__, shared_this->token_file_, e.what());
+          }
+        });
+  }
+}
+
 /*
  * Three options, in order of precedence
  *   1. Protocol Options
  *   2. Default Provider
  *   3. STS
  */
-ContextSharedPtr AWSLambdaConfigImpl::getCredentials(
+StsConnectionPool::Context *AWSLambdaConfigImpl::getCredentials(
     SharedAWSLambdaProtocolExtensionConfig ext_cfg,
-    StsCredentialsProvider::Callbacks *callbacks) const {
+    StsConnectionPool::Context::Callbacks *callbacks) const {
   // Always check extension config first, as it overrides
   if (ext_cfg->accessKey().has_value() && ext_cfg->secretKey().has_value()) {
     ENVOY_LOG(trace, "{}: Credentials found from protocol options", __func__);
@@ -111,22 +188,20 @@ ContextSharedPtr AWSLambdaConfigImpl::getCredentials(
     return nullptr;
   }
 
+  auto &thread_local_credentials =
+      tls_slot_->getTyped<ThreadLocalCredentials>();
   if (provider_) {
     ENVOY_LOG(trace, "{}: Credentials found from default source", __func__);
-    callbacks->onSuccess(
-        tls_slot_->getTyped<ThreadLocalCredentials>().credentials_);
+    callbacks->onSuccess(thread_local_credentials.credentials_);
     // no context necessary as these credentials are available immediately
     return nullptr;
   }
 
-  if (sts_credentials_provider_) {
+  if (sts_enabled_) {
     ENVOY_LOG(trace, "{}: Credentials being retrieved from STS provider",
               __func__);
-    // return the context directly to the filter, as no direct credentials can
-    // be sent
-    auto context = context_factory_.create(callbacks);
-    sts_credentials_provider_->find(ext_cfg->roleArn(), context);
-    return context;
+    return thread_local_credentials.sts_credentials_->find(ext_cfg->roleArn(),
+                                                           callbacks);
   }
 
   ENVOY_LOG(debug, "{}: No valid credentials source found", __func__);
@@ -164,6 +239,24 @@ void AWSLambdaConfigImpl::timerCallback() {
   }
 }
 
+std::shared_ptr<AWSLambdaConfigImpl> AWSLambdaConfigImpl::create(
+    std::unique_ptr<Envoy::Extensions::Common::Aws::CredentialsProvider>
+        &&provider,
+    std::unique_ptr<StsCredentialsProviderFactory> &&sts_factory,
+    Event::Dispatcher &dispatcher, Api::Api &api,
+    Envoy::ThreadLocal::SlotAllocator &tls, const std::string &stats_prefix,
+    Stats::Scope &scope,
+    const envoy::config::filter::http::aws_lambda::v2::AWSLambdaConfig
+        &protoconfig) {
+  // We can't use make_shared here because the constructor of this class is
+  // private.
+  std::shared_ptr<AWSLambdaConfigImpl> ptr(new AWSLambdaConfigImpl(
+      std::move(provider), std::move(sts_factory), dispatcher, api, tls,
+      stats_prefix, scope, protoconfig));
+  ptr->init();
+  return ptr;
+}
+
 AwsLambdaFilterStats
 AWSLambdaConfigImpl::generateStats(const std::string &prefix,
                                    Stats::Scope &scope) {

source/extensions/filters/http/aws_lambda/config.h

@@ -70,50 +70,74 @@ using SharedAWSLambdaProtocolExtensionConfig =
 
 class AWSLambdaConfig {
 public:
-  virtual ContextSharedPtr
+  virtual StsConnectionPool::Context *
   getCredentials(SharedAWSLambdaProtocolExtensionConfig ext_cfg,
-                 StsCredentialsProvider::Callbacks *callbacks) const PURE;
+                 StsConnectionPool::Context::Callbacks *callbacks) const PURE;
   virtual ~AWSLambdaConfig() = default;
 };
 
 class AWSLambdaConfigImpl
     : public AWSLambdaConfig,
-      public Envoy::Logger::Loggable<Envoy::Logger::Id::filter> {
+      public Envoy::Logger::Loggable<Envoy::Logger::Id::filter>,
+      public std::enable_shared_from_this<AWSLambdaConfigImpl> {
 public:
+  ~AWSLambdaConfigImpl() = default;
+
+  static std::shared_ptr<AWSLambdaConfigImpl>
+  create(std::unique_ptr<Envoy::Extensions::Common::Aws::CredentialsProvider>
+             &&provider,
+         std::unique_ptr<StsCredentialsProviderFactory> &&sts_factory,
+         Event::Dispatcher &dispatcher, Api::Api &api,
+         Envoy::ThreadLocal::SlotAllocator &tls,
+         const std::string &stats_prefix, Stats::Scope &scope,
+         const envoy::config::filter::http::aws_lambda::v2::AWSLambdaConfig
+             &protoconfig);
+
+  StsConnectionPool::Context *getCredentials(
+      SharedAWSLambdaProtocolExtensionConfig ext_cfg,
+      StsConnectionPool::Context::Callbacks *callbacks) const override;
+
+private:
   AWSLambdaConfigImpl(
       std::unique_ptr<Envoy::Extensions::Common::Aws::CredentialsProvider>
           &&provider,
-      Upstream::ClusterManager &cluster_manager,
-      StsCredentialsProviderFactory &sts_factory, Event::Dispatcher &dispatcher,
+      std::unique_ptr<StsCredentialsProviderFactory> &&sts_factory,
+      Event::Dispatcher &dispatcher, Api::Api &api,
       Envoy::ThreadLocal::SlotAllocator &tls, const std::string &stats_prefix,
-      Stats::Scope &scope, Api::Api &api,
+      Stats::Scope &scope,
       const envoy::config::filter::http::aws_lambda::v2::AWSLambdaConfig
           &protoconfig);
-  ~AWSLambdaConfigImpl() = default;
-
-  ContextSharedPtr
-  getCredentials(SharedAWSLambdaProtocolExtensionConfig ext_cfg,
-                 StsCredentialsProvider::Callbacks *callbacks) const override;
 
-private:
   CredentialsConstSharedPtr getProviderCredentials() const;
+
   static AwsLambdaFilterStats generateStats(const std::string &prefix,
                                             Stats::Scope &scope);
 
   void timerCallback();
 
-  ContextFactory context_factory_;
+  void init();
+
+  void loadSTSData();
+
+  AwsLambdaFilterStats stats_;
+
+  Api::Api &api_;
+
+  Envoy::Filesystem::WatcherPtr file_watcher_;
 
   std::unique_ptr<Envoy::Extensions::Common::Aws::CredentialsProvider>
       provider_;
 
-  ThreadLocal::SlotPtr tls_slot_;
+  bool sts_enabled_ = false;
+  std::string token_file_;
+  std::string web_token_;
+  std::string role_arn_;
 
-  StsCredentialsProviderPtr sts_credentials_provider_;
+  ThreadLocal::SlotPtr tls_slot_;
 
   Event::TimerPtr timer_;
 
-  AwsLambdaFilterStats stats_;
+  std::unique_ptr<StsCredentialsProviderFactory> sts_factory_;
 };
 
 typedef std::shared_ptr<const AWSLambdaConfig> AWSLambdaConfigConstSharedPtr;