add AWS SQS event source

[rootfs]

Fixes #

Proposed Changes

[rootfs]

/assign @scothis

[evankanderson]

/assign @n3wscott

[n3wscott]

Will look again when not WIP

[n3wscott]

Note we have been moving away from glog. We are moving to either zap for controller logging and log for jobs logging.

[n3wscott]

%s should be %v

[n3wscott]

magic keys should be moved to a string const block at top.

[n3wscott]

I would assign awsToken directly and then ...; !ok || len(awsToken) == 0 {

I have a few examples of pulling params out of contexts and objects here: https://github.com/knative/eventing/pull/276/files#diff-15c4ba004c85a3abc13efbe47a731b58R391

[n3wscott]

again, I updated: https://github.com/knative/eventing/pull/276/files#diff-15c4ba004c85a3abc13efbe47a731b58R391

[n3wscott]

uuid is a very large number. Paul had a better method by using k8s generate name. @pmorie can you link to that api to get the short random name?

[n3wscott]

I moved from panic to os.Exit(0) with a log above

[whynowy]

Should consider the case that cluster is running on AWS, and use KIAM to do IAM role delegation. This is how people access AWS resources from a k8s cluster running on EC2 instances without using any credentials.

The implementation can support both cases, with credential, or KIAM delegated Role. For the latter case, the IAM role configuration would be like:

1. Kubernetes cluster master nodes IAM role (This should already be existing after the cluster is created), this role should have the policy to assume-role

2. An IAM role which is assigned to a namespace (and will be used by the POD), this role is set to trust cluster master node IAM role, with KIAM, your pod can get temp credential to this IAM role by calling AWS metadata API, without using any credential. This Role also needs the policy to assume-role.

3. A third role to be able to operate SQS, and it trusts the 2nd IAM role.

4. In flow configuration, the 2nd and 3rd IAM role ARNs are needed, so that in your receive_adaptor you can use the 2nd role credential to assume 3rd role, and then read messages.

[whynowy]

I didn't see this PR until this afternoon. Before that, I implemented a SQS event source about 1 week ago, which was very similar to this. The major difference is, my k8s cluster is running on EC2 instances, and I use KIAM, so I don't use any explicit credentials to access AWS SQS. So I gave above comments, it would be better if this case can be considered in the PR.

[rootfs]

@whynowy thanks, i ran my tests locally, IAM is a good idea, I'll get this here after eventing core is settled.

[knative-prow-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rootfs
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: scothis

If they are not already assigned, you can assign the PR to them by writing /assign @scothis in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[knative-prow-robot]

@rootfs: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-knative-eventing-unit-tests	099adfc	link	/test pull-knative-eventing-unit-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[matzew]

@rootfs @n3wscott @scothis IMO we could close this... since this should be PR'd on the new repo (eventing-sources), following the new model