Aws sts (#73)

* using fork for now
* putting away for now :(
* fetcher should be basically working?
* compiling, need to clean up regex logic big time
* finished version using callbacks
* factory is working
* change in factory
* removed unused config code
* split?
* pulled out status enum, added failure callback
* passing in protocol_options
* filter
* switched to shared_ptr
* it built baby
* latest
* move it
* more move
* compiles
* merge with master
* added exception
* changes
* Merge branch 'aws-sts' of github.com:solo-io/envoy-gloo into aws-sts
* switched tls over to credentials provider
* added filewatcher
* checking for expired
* more comments
* compiles
* almost compiling
* run all
* shared_from_this
* all building
* copy in callbacks
* init to false

oops

oops again
* filter tests are passing again
* test  compile and fail
* added a bunch of logging
* merge with master
* test crashing
* temp
* Merge branch 'aws-sts' of github.com:solo-io/envoy-gloo into aws-sts
* broken shared ptr tls_cache
* seg faults fixed
* seg faults fixed
* added content-type + length
* test regex works
* Merge branch 'aws-sts' of github.com:solo-io/envoy-gloo into aws-sts
* added version param
* Merge branch 'aws-sts' of github.com:solo-io/envoy-gloo into aws-sts
* changed logic flow
* so close
* percent encoding
* web token works
* different heap
* latest
* fixes
* it works
* yuval comment
* e2es working, added credentials provider failure tests
* fixed tests and expiration string
* sts_fetcher_tests
* compiles, need to debug
* print correct status codes, call lambdafy
* oops
* git is hard
* add test for expiry grace period
* Merge branch 'aws-sts' of github.com:solo-io/envoy-gloo into aws-sts
* don't lambafy on local response
* fix test mocks order
* some comment fixes
* filter cleanp
* clean up
* weird deadline
* Merge branch 'aws-sts' of github.com:solo-io/envoy-gloo into aws-sts
* minor fixes + changelog
* Merge remote-tracking branch 'origin/master' into aws-sts
* unused var clean up
* format fix
* make condition more explicit

Author: EItanya

.gitignore

@@ -1,4 +1,5 @@
 bazel-*
+ci/envoy.stripped
 generated
 .vscode/
 compile_commands.json

api/envoy/config/filter/http/aws_lambda/v2/aws_lambda.proto

@@ -6,6 +6,7 @@ option java_package = "io.envoyproxy.envoy.config.filter.http.aws_lambda.v2";
 option java_outer_classname = "AwsLambdaProto";
 option java_multiple_files = true;
 import "google/protobuf/wrappers.proto";
+import "google/protobuf/duration.proto";
 import "validate/validate.proto";
 
 // [#protodoc-title: AWS Lambda]
@@ -38,15 +39,48 @@ message AWSLambdaProtocolExtension {
   string secret_key = 4;
   // The session_token for AWS this cluster
   string session_token = 5;
+  // The role_arn to use when generating credentials for the mounted projected SA token
+  string role_arn = 6;
 }
 
 message AWSLambdaConfig {
-  // Use AWS default credentials chain to get credentials.
-  // This will search environment variables, ECS metadata and instance metadata
-  // to get the credentials. credentials will be rotated automatically.
-  //
-  // If credentials are provided on the cluster (using the
-  // AWSLambdaProtocolExtension), it will override these credentials. This
-  // defaults to false, but may change in the future to true.
-  google.protobuf.BoolValue use_default_credentials = 1;
+
+  oneof credentials_fetcher {
+    // Use AWS default credentials chain to get credentials.
+    // This will search environment variables, ECS metadata and instance metadata
+    // to get the credentials. credentials will be rotated automatically.
+    //
+    // If credentials are provided on the cluster (using the
+    // AWSLambdaProtocolExtension), it will override these credentials. This
+    // defaults to false, but may change in the future to true.
+    google.protobuf.BoolValue use_default_credentials = 1;
+
+    // Use projected service account token, and role arn to create reate temporary
+    // credentials with which to authenticate lambda requests.
+    // This functionality is meant to work along side EKS service account to IAM
+    // binding functionality as outlined here:
+    // https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.htmll
+    //
+    // If the following environment values are not present, this option cannot be used.
+    //   1. AWS_WEB_IDENTITY_TOKEN_FILE
+    //   2. AWS_ROLE_ARN
+    //
+    // The role arn may also be specified in the `AWSLambdaProtocolExtension` on the cluster level,
+    // to override the environment variable.
+    ServiceAccountCredentials service_account_credentials = 2;
+  }
+
+
+  // In order to specify the aws sts endpoint, both the cluster and uri must be set.
+  // This is due to an envoy limitation which cannot infer the host or path from the cluster,
+  // and therefore must be explicitly specified via the uri
+  message ServiceAccountCredentials {
+    // The name of the envoy cluster which represents the desired aws sts endpoint
+    string cluster = 1 [ (validate.rules).string.min_bytes = 1 ];
+    // The full uri of the aws sts endpoint
+    string uri = 2 [ (validate.rules).string.min_bytes = 1 ];
+    // timeout for the request
+    google.protobuf.Duration timeout = 3;
+  }
+
 }

changelog/v1.15.0-patch3/aws-sts.yaml

@@ -0,0 +1,5 @@
+changelog:
+- type: FIX
+  description: Support assuming IAM Role using STS for AWS injected pods using AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables.
+  issueLink: https://github.com/solo-io/gloo/issues/3309
+  resolvesIssue: false

ci/Dockerfile

@@ -14,4 +14,4 @@ RUN mkdir -p /etc/envoy
 ADD envoy.stripped /usr/local/bin/envoy
 
 ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/envoy"]
-CMD ["--v2-config-only", "-c", "/etc/envoy/envoy.yaml"]
+CMD ["-c", "/etc/envoy/envoy.yaml"]

cloudbuild.yaml

@@ -6,7 +6,6 @@ steps:
     path: '/build'
   env:
   - 'COMMIT_SHA=$COMMIT_SHA'
-  timeout: 1800s
 
 - name: 'gcr.io/cloud-builders/docker'
   entrypoint: 'bash'

e2e/extensions/filters/http/aws_lambda/BUILD

@@ -18,5 +18,6 @@ sh_test(
         "//e2e/extensions/filters/http/aws_lambda:create_config.sh",
         "//e2e/extensions/filters/http/aws_lambda:create_config_env.sh",
         "//e2e/extensions/filters/http/aws_lambda:create_config_env_token.sh",
+        "//e2e/extensions/filters/http/aws_lambda:create_config_web_token.sh",
     ],
 )

e2e/extensions/filters/http/aws_lambda/create_config_env.sh

@@ -17,7 +17,7 @@ admin:
   address:
     socket_address:
       address: 127.0.0.1
-      port_value: 19001
+      port_value: 19000
 static_resources:
   listeners:
   - name: listener_0

e2e/extensions/filters/http/aws_lambda/create_config_env_token.sh

@@ -17,7 +17,7 @@ admin:
   address:
     socket_address:
       address: 127.0.0.1
-      port_value: 19001
+      port_value: 19000
 static_resources:
   listeners:
   - name: listener_0

e2e/extensions/filters/http/aws_lambda/create_config_web_token.sh

@@ -0,0 +1,122 @@
+#!/bin/bash
+#
+
+set -e
+
+# # create function if doesnt exist
+# aws lambda create-function --function-name captialize --runtime nodejs 
+# invoke
+# aws lambda invoke --function-name uppercase --payload '"abc"' /dev/stdout
+
+
+# prepare envoy config file.
+
+cat > envoy_env.yaml << EOF
+admin:
+  access_log_path: /dev/stdout
+  address:
+    socket_address:
+      address: 127.0.0.1
+      port_value: 19000
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address: { address: 127.0.0.1, port_value: 10001 }
+    filter_chains:
+    - filters:
+      - name: envoy.http_connection_manager
+        config:
+          stat_prefix: http
+          codec_type: AUTO
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: local_service
+              domains: ["*"]
+              routes:
+              - match:
+                  prefix: /echo
+                route:
+                  cluster: postman-echo
+                  prefix_rewrite: /post
+              - match:
+                  prefix: /lambda
+                route:
+                  cluster: aws-us-east-1-lambda
+                per_filter_config:
+                  io.solo.aws_lambda:
+                    name: uppercase
+                    qualifier: "1"
+              - match:
+                  prefix: /latestlambda
+                route:
+                  cluster: aws-us-east-1-lambda
+                per_filter_config:
+                  io.solo.aws_lambda:
+                    name: uppercase
+                    qualifier: "%24LATEST"
+              - match:
+                  prefix: /contact-empty-default
+                route:
+                  cluster: aws-us-east-1-lambda
+                per_filter_config:
+                  io.solo.aws_lambda:
+                    name: uppercase
+                    qualifier: "1"
+                    empty_body_override: "\"default-body\""
+              - match:
+                  prefix: /contact
+                route:
+                  cluster: aws-us-east-1-lambda
+                per_filter_config:
+                  io.solo.aws_lambda:
+                    name: contact-form
+                    qualifier: "3"
+          http_filters:
+          - name: io.solo.aws_lambda
+            config:
+              service_account_credentials:
+                cluster: aws-sts
+                uri: sts.amazonaws.com
+          - name: envoy.router
+  clusters:
+  - connect_timeout: 5.000s
+    hosts:
+    - socket_address:
+        address: postman-echo.com
+        port_value: 443
+    name: postman-echo
+    type: LOGICAL_DNS
+    tls_context: {}
+  - connect_timeout: 5.000s
+    hosts:
+    - socket_address:
+        address: sts.amazonaws.com
+        port_value: 443
+    name: aws-sts
+    type: LOGICAL_DNS
+    tls_context:
+      sni: sts.amazonaws.com
+  - connect_timeout: 5.000s
+    hosts:
+    - socket_address:
+        address: lambda.us-east-1.amazonaws.com
+        port_value: 443
+    name: aws-us-east-1-lambda
+    type: LOGICAL_DNS
+    dns_lookup_family: V4_ONLY
+    tls_context: {}
+    extension_protocol_options:
+      io.solo.aws_lambda:
+        host: lambda.us-east-1.amazonaws.com
+        region: us-east-1
+EOF
+
+TEMP_FILE=$(mktemp)
+
+echo $AWS_WEB_TOKEN > $TEMP_FILE
+
+
+export AWS_WEB_IDENTITY_TOKEN_FILE=$TEMP_FILE
+export AWS_ROLE_ARN=$AWS_ROLE_ARN

e2e/extensions/filters/http/aws_lambda/e2e2e_test.sh

@@ -12,7 +12,10 @@ set -e
 
 ENVOY=${ENVOY:-envoy}
 
-$ENVOY --disable-hot-restart -c ./envoy.yaml --log-level debug & 
+echo $ENVOY
+pwd
+
+$ENVOY --concurrency 2 --disable-hot-restart -c ./envoy.yaml --log-level trace & 
 sleep 5
 
 
@@ -38,11 +41,13 @@ echo testing with env credentials
 echo
 
 . ./e2e/extensions/filters/http/aws_lambda/create_config_env.sh
-$ENVOY --disable-hot-restart -c ./envoy_env.yaml --log-level debug & 
+$ENVOY --concurrency 2 --disable-hot-restart -c ./envoy_env.yaml --log-level trace & 
 sleep 5
 
 curl localhost:10001/lambda --data '"abc"' --request POST -H"content-type: application/json"|grep ABC
 
+curl localhost:19000/quitquitquit -XPOST
+
 
 ####################### part 3 with env + token
 
@@ -52,9 +57,30 @@ echo testing with env credentials + token
 echo
 
 . ./e2e/extensions/filters/http/aws_lambda/create_config_env_token.sh
-$ENVOY --disable-hot-restart -c ./envoy_env.yaml --log-level debug & 
+$ENVOY --concurrency 2 --disable-hot-restart -c ./envoy_env.yaml --log-level trace & 
 sleep 5
 
 curl localhost:10001/lambda --data '"abc"' --request POST -H"content-type: application/json"|grep ABC
 
+curl localhost:19000/quitquitquit -XPOST
+
+echo PASS
+
+
+####################### part 4 with STS
+
+# Sanity with web token:
+echo
+echo testing with STS credentials
+echo
+
+. ./e2e/extensions/filters/http/aws_lambda/create_config_web_token.sh
+$ENVOY --concurrency 2 --disable-hot-restart -c ./envoy_env.yaml --log-level trace & 
+sleep 10
+
+curl localhost:10001/lambda --data '"abc"' --request POST -H"content-type: application/json"|grep ABC
+
+curl localhost:19000/quitquitquit -XPOST
+
 echo PASS
+