
AWS STS - STS cluster is destroyed on CDS update #35022

Open
michaelfinch opened this issue Jul 2, 2024 · 2 comments

Comments

michaelfinch commented Jul 2, 2024

When attempting to follow method 3 here https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/aws_request_signing_filter#credentials, the STS cluster created by the filter is created as a dynamic cluster. If delta xDS is not being used, this dynamic cluster will be deleted on the next CDS update the envoy receives, which will cause AWS request signing to fail.

Repro steps:

  1. Set envoy.reloadable_features.use_http_client_to_fetch_aws_credentials to true.
  2. Confirm that AWS request signing works as expected.
  3. Without using delta xDS, deliver a CDS update to the envoy.
  4. Confirm that AWS request signing is now broken.

Here are the debug logs seen when a CDS update is received

[2024-07-02 17:38:06.614][15][debug][init] [external/envoy/source/common/init/watcher_impl.cc:31] init manager Cluster sts_token_service_internal destroyed
[2024-07-02 17:38:06.614][15][debug][upstream] [external/envoy/source/common/upstream/cluster_manager_impl.cc:859] removing cluster sts_token_service_internal
[2024-07-02 17:38:06.614][15][debug][upstream] [external/envoy/source/common/upstream/cluster_manager_impl.cc:863] removing TLS cluster sts_token_service_internal
[2024-07-02 17:38:06.614][15][debug][upstream] [external/envoy/source/common/upstream/cds_api_helper.cc:66] cds: remove cluster 'sts_token_service_internal'

Here is where the STS cluster is created https://github.com/envoyproxy/envoy/blob/main/source/extensions/common/aws/credentials_provider_impl.cc#L150. The function is named createInternalClusterStatic, but I confirmed in config dump that the cluster is actually created as a dynamic cluster. Is there a way to create a static cluster that won't get wiped out by CDS updates?

@michaelfinch michaelfinch added bug triage Issue requires triage labels Jul 2, 2024
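A way to verify the behaviour described in the report from outside Envoy, as an added example (my code, not Envoy's and not the reporter's): classify a named cluster from the admin `/config_dump` output as static or dynamic, and scan Envoy debug logs for the `cds: remove cluster` line that appears when a full CDS update drops it. The config-dump JSON below is a constructed sample that follows the shape of the admin `ClustersConfigDump` message (`static_clusters`, `dynamic_active_clusters`, `dynamic_warming_clusters`); the log sample is built from the lines quoted in the issue. The admin address `127.0.0.1:9901` in the usage note is an assumption.

```python
"""Check whether Envoy's internal STS signing cluster survives a CDS update.

Two offline checks on constructed input:
  classify_cluster()        - is the cluster listed as static or dynamic in /config_dump?
  clusters_removed_by_cds() - which clusters did a CDS update remove, per the debug log?
A dynamic listing (or a removal line) means the cluster will not outlive the
next state-of-the-world CDS push, which is the failure mode in the report.
"""
import json
import re

STS_CLUSTER = "sts_token_service_internal"
CLUSTERS_DUMP_TYPE = "type.googleapis.com/envoy.admin.v3.ClustersConfigDump"

# Constructed sample of /config_dump output (not captured from a real Envoy).
# The STS cluster is deliberately placed under dynamic_active_clusters to
# mirror what the reporter saw in their config dump.
SAMPLE_CONFIG_DUMP = json.dumps({
    "configs": [
        {
            "@type": CLUSTERS_DUMP_TYPE,
            "static_clusters": [
                {"cluster": {"name": "backend", "type": "STATIC"}},
            ],
            "dynamic_active_clusters": [
                {
                    "version_info": "1",
                    "cluster": {"name": STS_CLUSTER, "type": "LOGICAL_DNS"},
                },
            ],
        }
    ]
})

# Constructed from the debug lines quoted in the issue.
SAMPLE_LOG = """\
[2024-07-02 17:38:06.614][15][debug][upstream] [external/envoy/source/common/upstream/cluster_manager_impl.cc:859] removing cluster sts_token_service_internal
[2024-07-02 17:38:06.614][15][debug][upstream] [external/envoy/source/common/upstream/cds_api_helper.cc:66] cds: remove cluster 'sts_token_service_internal'
"""

# Matches the cds_api_helper removal message and captures the cluster name.
CDS_REMOVE_RE = re.compile(r"cds: remove cluster '([^']+)'")


def classify_cluster(config_dump_json, name):
    """Return 'static', 'dynamic' or None for the named cluster in a config dump."""
    dump = json.loads(config_dump_json)
    for section in dump.get("configs", []):
        if section.get("@type") != CLUSTERS_DUMP_TYPE:
            continue
        for entry in section.get("static_clusters", []):
            if entry.get("cluster", {}).get("name") == name:
                return "static"
        for key in ("dynamic_active_clusters", "dynamic_warming_clusters"):
            for entry in section.get(key, []):
                if entry.get("cluster", {}).get("name") == name:
                    return "dynamic"
    return None


def clusters_removed_by_cds(log_text):
    """Return the cluster names removed by CDS, in log order."""
    return [m.group(1) for m in CDS_REMOVE_RE.finditer(log_text)]


def sts_at_risk(config_dump_json, log_text=""):
    """Combine both checks for the STS cluster into one verdict."""
    kind = classify_cluster(config_dump_json, STS_CLUSTER)
    removed = STS_CLUSTER in clusters_removed_by_cds(log_text)
    return {
        "kind": kind,
        "removed_by_cds": removed,
        # Dynamic listing means the next SotW CDS push will wipe it even if
        # the log has not shown a removal yet.
        "at_risk": kind == "dynamic" or removed,
    }


if __name__ == "__main__":
    print(sts_at_risk(SAMPLE_CONFIG_DUMP, SAMPLE_LOG))
```

In practice, feed `classify_cluster` the body of `curl -s http://127.0.0.1:9901/config_dump` (admin address assumed) before and after pushing a CDS update; a `dynamic` result before the push, followed by `None` afterwards, reproduces the report without needing to wait for a signing failure.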

htuch commented Jul 2, 2024

@htuch htuch added area/aws_request_signing and removed triage Issue requires triage labels Jul 2, 2024

nbaws commented Jul 2, 2024

will grab this one
