aws: fix assertion failure in debug due to timer access outside of main thread#34138

Merged

mattklein123 merged 31 commits intoenvoyproxy:mainfrom

nbaws:metadata_async

May 29, 2024

Contributor

nbaws commented May 14, 2024 •

edited

Loading

Commit Message: aws: fix assertion failure in debug due to timer access outside of main thread

Additional Description:

Patch to ensure async credential providers do not access main thread timers when credentials are requested. This was a larger fix than originally expected, due to substantial test case rewrites, changes to refresh logic and changes to the cluster initialisation sequence.

This patch performs the following:

Changes async providers to kick off credential refresh process via onClusterAddOrUpdate, replacing the init handler
Changes async providers to be truly async. They now perform credential refresh based on a timer, set to the expiration time returned in the credential payload, or to the default cache duration of 1 hour. Async providers will no longer trigger credential refresh via the data plane (which was actually the cause of the original bug). Async providers will start refreshing with a 2 second timer and doubling to 32 seconds (or until they succeed) avoiding load on STS or IMDS.
Fixes the cache duration calculation to be actually 1 hour, rather than 1 hour * 60 * 60 :)
Fixes a reported bug that also caused assertion failure in route specific configuration
Async providers now honour any expiration provided from their credential source
Async providers now have statistics to capture number of success/failed refreshes, used in test cases
Webidentity credential provider now handles the (unlikely) case where more than one region is present in the configuration, such as multiple route specific configs. Webidentity sts clusters will have the region name appended.

Risk Level: Low
Testing: Unit
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue] #33962
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]


          async fixes

8277a74

Signed-off-by: Nigel Brittain <nbaws@amazon.com>

nbaws requested a review from mattklein123 as a code owner

May 14, 2024 12:18

ravenblackx assigned mattklein123

nbaws added 3 commits

May 15, 2024 01:27


          reorder tls

b0ce7a5

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          integration test coverage

a988e54

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          more test coverage

9f55167

Signed-off-by: Nigel Brittain <nbaws@amazon.com>

suniltheta mentioned this pull request

misuse envoy.reloadable_features in aws credential fetching #31119

Closed

nbaws added 2 commits

May 16, 2024 01:21


          asan fix

08fb0a1

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          missed a runtime guard check

7ce38b0

Signed-off-by: Nigel Brittain <nbaws@amazon.com>

nbaws closed this

nbaws added 4 commits

May 17, 2024 07:51


          threading fixes

11d4bbe

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          started test cases

e535ef0

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          fixed test cases

540d556

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          fixed test cases

0fa0c3a

Signed-off-by: Nigel Brittain <nbaws@amazon.com>

nbaws reopened this

Contributor Author

nbaws commented May 18, 2024

nbaws closed this


          fix thread ordering

5f9ec67

Signed-off-by: Nigel Brittain <nbaws@amazon.com>

nbaws reopened this


          utility test case fix

2d284ea

Signed-off-by: Nigel Brittain <nbaws@amazon.com>

Contributor Author

nbaws commented May 19, 2024 •

edited

Loading

A note on this PR - the majority of the change is to implement a handler for onClusterAddOrDelete, and that handler literally calls refresh() once the cluster is ready to handle requests and is never used again. If there is a shorter and/or cleaner way to do this, please let me know. I've used code from dynamic forward proxy to do most of the onClusterAddOrDelete handling.

nbaws added 7 commits

May 19, 2024 11:23


          more test case fixes

d1d3c0b

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          stats and improve test cases

b300e73

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          more accurately check cluster existence

8f4a2b1

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          stats initialization fix

3a4cb46

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          fips endpoint in test case

58a4ca6

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          remove fips endpoint in test case

0d22c46

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          double webidentity fix

7d13810

Signed-off-by: Nigel Brittain <nbaws@amazon.com>

mattklein123 assigned suniltheta

Member

mattklein123 commented May 20, 2024

@suniltheta for first pass, thanks.

/wait

repokitteh-read-only Bot added the waiting label

suniltheta reviewed

View reviewed changes

Contributor

suniltheta left a comment

thanks for making this change. I am still in process of reviewing tests. Though I would leave f/b as I have them.

source/extensions/common/aws/credentials_provider_impl.h Outdated

source/extensions/common/aws/credentials_provider_impl.cc Outdated

source/extensions/common/aws/credentials_provider_impl.cc Outdated

source/extensions/common/aws/credentials_provider_impl.cc

source/extensions/common/aws/credentials_provider_impl.cc

source/extensions/common/aws/credentials_provider_impl.cc

source/extensions/common/aws/credentials_provider_impl.cc Outdated

source/extensions/common/aws/credentials_provider_impl.cc Outdated


          address feedback and add stats docs

392473d

Signed-off-by: Nigel Brittain <nbaws@amazon.com>

repokitteh-read-only Bot removed the waiting label


          spelling

afcc987

Signed-off-by: Nigel Brittain <nbaws@amazon.com>

Contributor Author

nbaws commented May 21, 2024

/retest

mattklein123 added the waiting:any label

repokitteh-read-only Bot removed the waiting:any label

mattklein123 added the waiting:any label

suniltheta approved these changes

View reviewed changes

repokitteh-read-only Bot removed the waiting:any label

nbaws and others added 9 commits

May 25, 2024 11:21


          test case for nullptr crash in upstream

07408af

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          Merge branch 'envoyproxy:main' into metadata_async

39a8cf0


          dual info stats handling

370b7d8

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          Merge branch 'metadata_async' of https://github.com/nbaws/envoy into …

ec49873

…metadata_async

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          dual info stats handling

2b5ee25

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          test case update

a475a8f

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          refactor to use init timer and use root stats

eb9668a

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          fix test cases

cddd645

Signed-off-by: Nigel Brittain <nbaws@amazon.com>


          revert lambda change

63b7eda

Signed-off-by: Nigel Brittain <nbaws@amazon.com>

Contributor Author

nbaws commented May 27, 2024

@suniltheta some minor refactoring - there was an initialization issue I found with upstream filter that I've now addressed.


          init test case fix

46ba3ed

Signed-off-by: Nigel Brittain <nbaws@amazon.com>

mattklein123 approved these changes

View reviewed changes

mattklein123 merged commit 49b6c99 into envoyproxy:main

This was referenced May 30, 2024

AWS STS API - Expiration field misunderstood - Timestamps are formatted according to the ISO 8601 not unix timestamp #33806

Closed

aws: fix usage of reloadable_features.use_http_client_to_fetch_aws_credentials #31135

Merged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet