aws_credentials_http: add support for EKS pod identities

This patch rewrites how the HTTP credentials provider works to allow both ECS and EKS identities to work. It is based on the aws-sdk-go-v2 implementation. It validates that the endpoint is correct if the transport is HTTP, but does not support DNS resolution, however based on how the pod identity agent works today, DNS should not be needed. If the transport is HTTPS, which will not be the case when using EKS Pod Identities, any endpoint is allowed. This is in line with how the AWS SDK works. Similarly to the SDK, it also reads the authentication token environment variables, with the file taking precedence over the raw token variable. This has been tested against an EKS 1.30 cluster with AL2023 nodes. Signed-off-by: Andrew Titmuss <[email protected]>
fluent · Jun 26, 2024 · 2842b36 · 2842b36
1 parent fe988b1
commit 2842b36
Show file tree

Hide file tree

Showing 6 changed files with 496 additions and 52 deletions.
diff --git a/include/fluent-bit/flb_aws_credentials.h b/include/fluent-bit/flb_aws_credentials.h
@@ -257,18 +257,28 @@ struct flb_aws_provider *flb_aws_env_provider_create();
  * used by host and path.
  */
 struct flb_aws_provider *flb_http_provider_create(struct flb_config *config,
-                                                  flb_sds_t host,
+                                                  flb_sds_t endpoint,
                                                   flb_sds_t path,
+                                                  flb_sds_t auth_token,
                                                   struct
                                                   flb_aws_client_generator
                                                   *generator);
 
+struct flb_aws_provider *flb_local_http_provider_create(struct flb_config *config,
+                                                        flb_sds_t endpoint,
+                                                        flb_sds_t auth_token,
+                                                        struct
+                                                        flb_aws_client_generator
+                                                        *generator);
+
+
+
 /*
- * ECS Provider
- * The ECS Provider is just a wrapper around the HTTP Provider
- * with the ECS credentials endpoint.
+ * Container Provider
+ * The Container Provider is just a wrapper around the HTTP Provider
+ * with the ECS/EKS credentials endpoint.
  */
-struct flb_aws_provider *flb_ecs_provider_create(struct flb_config *config,
+struct flb_aws_provider *flb_container_provider_create(struct flb_config *config,
                                                  struct
                                                  flb_aws_client_generator
                                                  *generator);

diff --git a/src/aws/flb_aws_credentials.c b/src/aws/flb_aws_credentials.c
@@ -581,11 +581,11 @@ static struct flb_aws_provider *standard_chain_create(struct flb_config
         }
     }
 
-    sub_provider = flb_ecs_provider_create(config, generator);
+    sub_provider = flb_container_provider_create(config, generator);
     if (sub_provider) {
-        /* ECS Provider will fail creation if we are not running in ECS */
+        /* HTTP Provider will fail creation if we are not running in ECS/EKS */
         mk_list_add(&sub_provider->_head, &implementation->sub_providers);
-        flb_debug("[aws_credentials] Initialized ECS Provider in standard chain");
+        flb_debug("[aws_credentials] Initialized HTTP Provider in standard chain");
     }
 
     sub_provider = flb_ec2_provider_create(config, generator);