From 204d272b23770d0a3933b805d84aaab318a16eea Mon Sep 17 00:00:00 2001
From: Joel Diaz
Date: Thu, 7 Mar 2024 13:01:33 -0500
Subject: [PATCH 1/6] allow s3 commands to work from non commercial environments
when running under something like us-gov-east-1, the latest-binaries.sh script fails b/c it tries to access the us-west-2 bucket from the wrong endpoints. this can be avoided by setting AWS_ENDPOINT_URL_S3 to point to us-west-2, but you still end up trying to use the gov-cloud creds in the request which would fail with:
$ ./hack/latest-binaries.sh 1.29
An error occurred (InvalidToken) when calling the ListObjectsV2 operation: The provided token is malformed or otherwise invalid.
so, specify to perform an unauthenticated s3 api request b/c the govcloud creds wouldn't work against the commercial cloud endpoints. in other places in the install-worker.sh script, there are 'aws s3' commands that would fail if running under something like the us-gov-east-1 environment. similar to the changes to the latest-binaries.sh script, update the 'aws' cli calls to ensure the requests are unsinged (to avoid trying to use us-gov creds against a non-gov endpoint). and plumb through using the user-specified AWS_ENDPOINT_URL_S3 env var into the install-worker.sh script so that the alternative endpoints can be used instead of the us-govcloud ones when running in a govcloud environment.
---
hack/latest-binaries.sh | 2 +-
templates/al2/provisioners/install-worker.sh | 10 +++++-----
templates/al2/template.json | 2 ++
templates/al2/variables-default.json | 1 +
4 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/hack/latest-binaries.sh b/hack/latest-binaries.sh
index 246fc8dd8..e94c551c8 100755
--- a/hack/latest-binaries.sh
+++ b/hack/latest-binaries.sh
@@ -13,7 +13,7 @@ MINOR_VERSION="${1}"
 # retrieve the available "VERSION/BUILD_DATE" prefixes (e.g. "1.28.1/2023-09-14")
 # from the binary object keys, sorted in descending semver order, and pick the first one
-LATEST_BINARIES=$(aws s3api list-objects-v2 --bucket amazon-eks --prefix "${MINOR_VERSION}" --query 'Contents[*].[Key]' --output text | cut -d'/' -f-2 | sort -Vru | head -n1)
+LATEST_BINARIES=$(aws s3api list-objects-v2 --bucket amazon-eks --prefix "${MINOR_VERSION}" --query 'Contents[*].[Key]' --output text --no-sign-request | cut -d'/' -f-2 | sort -Vru | head -n1)
 if [ "${LATEST_BINARIES}" == "None" ]; then
 echo >&2 "No binaries available for minor version: ${MINOR_VERSION}"
diff --git a/templates/al2/provisioners/install-worker.sh b/templates/al2/provisioners/install-worker.sh
index 680b74e23..48c225b0e 100644
--- a/templates/al2/provisioners/install-worker.sh
+++ b/templates/al2/provisioners/install-worker.sh
@@ -274,8 +274,8 @@ BINARIES=(
 for binary in ${BINARIES[*]}; do
 if [[ -n "$AWS_ACCESS_KEY_ID" ]]; then
 echo "AWS cli present - using it to copy binaries from s3."
- aws s3 cp --region $BINARY_BUCKET_REGION $S3_PATH/$binary .
- aws s3 cp --region $BINARY_BUCKET_REGION $S3_PATH/$binary.sha256 .
+ aws s3 cp --no-sign-request --region $BINARY_BUCKET_REGION $S3_PATH/$binary .
+ aws s3 cp --no-sign-request --region $BINARY_BUCKET_REGION $S3_PATH/$binary.sha256 .
 else
 echo "AWS cli missing - using wget to fetch binaries from s3. Note: This won't work for private bucket."
 sudo wget $S3_URL_BASE/$binary
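Review bot: The `--no-sign-request` added to both `aws s3 cp` lines in the `-274` hunk is unconditional, yet the branch is still selected by `[[ -n "$AWS_ACCESS_KEY_ID" ]]`, so a builder who supplies credentials precisely to pull from a private `binary_bucket_name` (the template passes `BINARY_BUCKET_NAME` into this script as a user variable) now sends anonymous requests and gets an AccessDenied, while only the wget branch's message warns that private buckets are unsupported. Signing should be dropped only for the public `amazon-eks` bucket that the GovCloud case needs (the one `hack/latest-binaries.sh` lists); for any other bucket the caller's credentials should keep being used. The `for` loop and whatever consumes the `.sha256` file continue past the hunk. One way to do it, with the flag left unquoted on purpose so an empty value contributes no argument:
```shell
# Anonymous requests only work against the public amazon-eks bucket (the GovCloud
# case); a private binary_bucket_name still needs the builder's credentials.
S3_NO_SIGN=""
if [[ "$BINARY_BUCKET_NAME" == "amazon-eks" ]]; then
  S3_NO_SIGN="--no-sign-request"
fi
# … unchanged: BINARIES array and loop header …
    aws s3 cp $S3_NO_SIGN --region $BINARY_BUCKET_REGION $S3_PATH/$binary .
    aws s3 cp $S3_NO_SIGN --region $BINARY_BUCKET_REGION $S3_PATH/$binary.sha256 .
```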
@@ -308,8 +308,8 @@ if [ "$PULL_CNI_FROM_GITHUB" = "true" ]; then
 else
 if [[ -n "$AWS_ACCESS_KEY_ID" ]]; then
 echo "AWS cli present - using it to copy binaries from s3."
- aws s3 cp --region $BINARY_BUCKET_REGION $S3_PATH/${CNI_PLUGIN_FILENAME}.tgz .
- aws s3 cp --region $BINARY_BUCKET_REGION $S3_PATH/${CNI_PLUGIN_FILENAME}.tgz.sha256 .
+ aws s3 cp --no-sign-request --region $BINARY_BUCKET_REGION $S3_PATH/${CNI_PLUGIN_FILENAME}.tgz .
+ aws s3 cp --no-sign-request --region $BINARY_BUCKET_REGION $S3_PATH/${CNI_PLUGIN_FILENAME}.tgz.sha256 .
 else
 echo "AWS cli missing - using wget to fetch cni binaries from s3. Note: This won't work for private bucket."
 sudo wget "$S3_URL_BASE/${CNI_PLUGIN_FILENAME}.tgz"
@@ -369,7 +369,7 @@ sudo chmod +x /etc/eks/max-pods-calculator.sh
 ECR_CREDENTIAL_PROVIDER_BINARY="ecr-credential-provider"
 if [[ -n "$AWS_ACCESS_KEY_ID" ]]; then
 echo "AWS cli present - using it to copy ${ECR_CREDENTIAL_PROVIDER_BINARY} from s3."
- aws s3 cp --region $BINARY_BUCKET_REGION $S3_PATH/$ECR_CREDENTIAL_PROVIDER_BINARY .
+ aws s3 cp --no-sign-request --region $BINARY_BUCKET_REGION $S3_PATH/$ECR_CREDENTIAL_PROVIDER_BINARY .
 else
 echo "AWS cli missing - using wget to fetch ${ECR_CREDENTIAL_PROVIDER_BINARY} from s3. Note: This won't work for private bucket."
 sudo wget "$S3_URL_BASE/$ECR_CREDENTIAL_PROVIDER_BINARY"
diff --git a/templates/al2/template.json b/templates/al2/template.json
index c79b4fd75..ac0bde11a 100644
--- a/templates/al2/template.json
+++ b/templates/al2/template.json
@@ -33,6 +33,7 @@
 "pull_cni_from_github": null,
 "remote_folder": null,
 "runc_version": null,
+ "aws_endpoint_url_s3": null,
 "security_group_id": null,
 "source_ami_filter_name": null,
 "source_ami_id": null,
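Review bot: The ecr-credential-provider download in the `-369` hunk still copies only `$S3_PATH/$ECR_CREDENTIAL_PROVIDER_BINARY`, whereas the binaries loop earlier in this file pulls `$binary.sha256` next to every artifact; with the transfer now anonymous, nothing in this hunk ties the file that lands on the AMI to an expected digest. If the checksum is verified further down the script (outside the hunk) this is fine; otherwise fetch `$S3_PATH/$ECR_CREDENTIAL_PROVIDER_BINARY.sha256` with the same `aws s3 cp --no-sign-request --region $BINARY_BUCKET_REGION` invocation (assuming the bucket publishes one, as it does for the other binaries) and run `sha256sum -c` on it before the binary is installed. Bear in mind that a digest served from the same bucket over the same unsigned channel only detects a corrupt or truncated download, not a tampered bucket, so it is a sanity check rather than provenance and deserves a comment saying so. The surrounding `if`/`else` block ends outside the hunk.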
@@ -191,6 +192,7 @@
 "script": "{{template_dir}}/provisioners/install-worker.sh",
 "environment_vars": [
 "AWS_ACCESS_KEY_ID={{user `aws_access_key_id`}}",
+ "AWS_ENDPOINT_URL_S3={{ user `aws_endpoint_url_s3`}}",
 "AWS_SECRET_ACCESS_KEY={{user `aws_secret_access_key`}}",
 "AWS_SESSION_TOKEN={{user `aws_session_token`}}",
 "BINARY_BUCKET_NAME={{user `binary_bucket_name`}}",
diff --git a/templates/al2/variables-default.json b/templates/al2/variables-default.json
index 0e6c96a7c..f8403ddf3 100644
--- a/templates/al2/variables-default.json
+++ b/templates/al2/variables-default.json
@@ -26,6 +26,7 @@
 "pull_cni_from_github": "true",
 "remote_folder": "/tmp",
 "runc_version": "1.1.*",
+ "aws_endpoint_url_s3": "{{env `AWS_ENDPOINT_URL_S3`}}",
 "security_group_id": "",
 "source_ami_filter_name": "amzn2-ami-minimal-hvm-*",
 "source_ami_id": "",
From af1b71ce345cb26a3554f841e990a513ec175f81 Mon Sep 17 00:00:00 2001
From: Joel Diaz
Date: Thu, 21 Mar 2024 20:49:57 -0400
Subject: [PATCH 2/6] update al2023 to also use unsigned s3 requests and re-order the al2 variable for aws_endpoint_url_s3 to be sorted alphabetically with the rest of the variables.
---
templates/al2/template.json | 2 +-
templates/al2/variables-default.json | 2 +-
templates/al2023/provisioners/install-worker.sh | 6 +++---
templates/al2023/template.json | 2 ++
templates/al2023/variables-default.json | 1 +
5 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/templates/al2/template.json b/templates/al2/template.json
index ac0bde11a..970968553 100644
--- a/templates/al2/template.json
+++ b/templates/al2/template.json
@@ -10,6 +10,7 @@
 "arch": null,
 "associate_public_ip_address": null,
 "aws_access_key_id": null,
+ "aws_endpoint_url_s3": null,
 "aws_region": null,
 "aws_secret_access_key": null,
 "aws_session_token": null,
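Review bot: The new `environment_vars` entry in the `-191` hunk is written `{{ user …}}` with a space after the braces, while every neighbouring entry uses `{{user …}}`; Packer's template engine should accept both, but the stray space breaks the file's convention and a `grep '{{user'` audit of what the provisioner receives would skip this line, so it should read `` "AWS_ENDPOINT_URL_S3={{user `aws_endpoint_url_s3`}}", ``. It is also worth confirming that when `aws_endpoint_url_s3` is left unset the provisioner sees `AWS_ENDPOINT_URL_S3=` (an empty string) and that the AWS CLI treats that as unset rather than as an empty endpoint; the credential variables beside it follow the same pattern, so presumably this already holds, but the endpoint variable is the one that would silently redirect every binary download if misread.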
@@ -33,7 +34,6 @@
 "pull_cni_from_github": null,
 "remote_folder": null,
 "runc_version": null,
- "aws_endpoint_url_s3": null,
 "security_group_id": null,
 "source_ami_filter_name": null,
 "source_ami_id": null,
diff --git a/templates/al2/variables-default.json b/templates/al2/variables-default.json
index f8403ddf3..e21a3f4a7 100644
--- a/templates/al2/variables-default.json
+++ b/templates/al2/variables-default.json
@@ -6,6 +6,7 @@
 "ami_users": "",
 "associate_public_ip_address": "",
 "aws_access_key_id": "{{env `AWS_ACCESS_KEY_ID`}}",
+ "aws_endpoint_url_s3": "{{env `AWS_ENDPOINT_URL_S3`}}",
 "aws_region": "us-west-2",
 "aws_secret_access_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
 "aws_session_token": "{{env `AWS_SESSION_TOKEN`}}",
@@ -26,7 +27,6 @@
 "pull_cni_from_github": "true",
 "remote_folder": "/tmp",
 "runc_version": "1.1.*",
- "aws_endpoint_url_s3": "{{env `AWS_ENDPOINT_URL_S3`}}",
 "security_group_id": "",
 "source_ami_filter_name": "amzn2-ami-minimal-hvm-*",
 "source_ami_id": "",
diff --git a/templates/al2023/provisioners/install-worker.sh b/templates/al2023/provisioners/install-worker.sh
index f8cf2853e..fb980d21f 100644
--- a/templates/al2023/provisioners/install-worker.sh
+++ b/templates/al2023/provisioners/install-worker.sh
@@ -169,8 +169,8 @@ BINARIES=(
 for binary in ${BINARIES[*]}; do
 if [[ -n "$AWS_ACCESS_KEY_ID" ]]; then
 echo "AWS cli present - using it to copy binaries from s3."
- aws s3 cp --region $BINARY_BUCKET_REGION $S3_PATH/$binary .
- aws s3 cp --region $BINARY_BUCKET_REGION $S3_PATH/$binary.sha256 .
+ aws s3 cp --no-sign-request --region $BINARY_BUCKET_REGION $S3_PATH/$binary .
+ aws s3 cp --no-sign-request --region $BINARY_BUCKET_REGION $S3_PATH/$binary.sha256 .
 else
 echo "AWS cli missing - using wget to fetch binaries from s3. Note: This won't work for private bucket."
 sudo wget $S3_URL_BASE/$binary
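Review bot: In the `-169` hunk the two `aws s3 cp` calls now pass `--no-sign-request`, but they sit in a branch chosen by `[[ -n "$AWS_ACCESS_KEY_ID" ]]` and announced by `echo "AWS cli present - using it to copy binaries from s3."`, so the credentials that selected the branch are discarded on the very next line and the log gives no hint that the fetch is anonymous. That is right for the public `amazon-eks` bucket the GovCloud case targets, but a build that points `binary_bucket_name` at a private bucket (the template passes `BINARY_BUCKET_NAME` to this script) would now fail with an AccessDenied instead of using the supplied keys. Make the anonymity conditional and say so in the log: set `S3_NO_SIGN=""; [[ "$BINARY_BUCKET_NAME" == "amazon-eks" ]] && S3_NO_SIGN="--no-sign-request"` before the loop, use `aws s3 cp $S3_NO_SIGN --region $BINARY_BUCKET_REGION $S3_PATH/$binary .` inside it (flag deliberately unquoted so an empty value adds no argument), and have the echo state whether the request is signed. The loop body continues past the hunk.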
@@ -191,7 +191,7 @@ ECR_CREDENTIAL_PROVIDER_BINARY="ecr-credential-provider"
 if [[ -n "$AWS_ACCESS_KEY_ID" ]]; then
 echo "AWS cli present - using it to copy ${ECR_CREDENTIAL_PROVIDER_BINARY} from s3."
- aws s3 cp --region $BINARY_BUCKET_REGION $S3_PATH/$ECR_CREDENTIAL_PROVIDER_BINARY .
+ aws s3 cp --no-sign-request --region $BINARY_BUCKET_REGION $S3_PATH/$ECR_CREDENTIAL_PROVIDER_BINARY .
 else
 echo "AWS cli missing - using wget to fetch ${ECR_CREDENTIAL_PROVIDER_BINARY} from s3. Note: This won't work for private bucket."
 sudo wget "$S3_URL_BASE/$ECR_CREDENTIAL_PROVIDER_BINARY"
diff --git a/templates/al2023/template.json b/templates/al2023/template.json
index 62f720806..eb1f230b3 100644
--- a/templates/al2023/template.json
+++ b/templates/al2023/template.json
@@ -9,6 +9,7 @@
 "arch": null,
 "associate_public_ip_address": null,
 "aws_access_key_id": null,
+ "aws_endpoint_url_s3": null,
 "aws_region": null,
 "aws_secret_access_key": null,
 "aws_session_token": null,
@@ -176,6 +177,7 @@
 "script": "{{template_dir}}/provisioners/install-worker.sh",
 "environment_vars": [
 "AWS_ACCESS_KEY_ID={{user `aws_access_key_id`}}",
+ "AWS_ENDPOINT_URL_S3={{user `aws_endpoint_url_s3`}}",
 "AWS_SECRET_ACCESS_KEY={{user `aws_secret_access_key`}}",
 "AWS_SESSION_TOKEN={{user `aws_session_token`}}",
 "BINARY_BUCKET_NAME={{user `binary_bucket_name`}}",
diff --git a/templates/al2023/variables-default.json b/templates/al2023/variables-default.json
index 581ec0775..fafea4df6 100644
--- a/templates/al2023/variables-default.json
+++ b/templates/al2023/variables-default.json
@@ -5,6 +5,7 @@
 "ami_users": "",
 "associate_public_ip_address": "",
 "aws_access_key_id": "{{env `AWS_ACCESS_KEY_ID`}}",
+ "aws_endpoint_url_s3": "{{env `AWS_ENDPOINT_URL_S3`}}",
 "aws_region": "us-west-2",
 "aws_secret_access_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
 "aws_session_token": "{{env `AWS_SESSION_TOKEN`}}",
From 89c9ba475ae655c03f099b81021bc0f865abb7c4 Mon Sep 17 00:00:00 2001
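Review bot: The anonymous `aws s3 cp` in the `-191` hunk fetches the ecr-credential-provider binary without the companion `.sha256` that the binaries loop earlier in this file downloads for each artifact, and the `wget` branch beside it does the same, so unless a digest check happens later in the script (outside this hunk) this credential helper is installed on the AMI unverified. Add `aws s3 cp --no-sign-request --region $BINARY_BUCKET_REGION $S3_PATH/$ECR_CREDENTIAL_PROVIDER_BINARY.sha256 .` (and the matching `sudo wget` in the else branch) and verify with `sha256sum -c`, assuming the bucket publishes that object as it does for the other binaries. A same-bucket digest fetched over the same unsigned path only catches transfer corruption, not a compromised bucket, which is worth stating in a comment next to the check. The `if`/`else` closes outside the hunk.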
From: Joel Diaz
Date: Thu, 21 Mar 2024 22:14:26 -0400
Subject: [PATCH 3/6] add doc entries for aws_endpoint_url_s3
---
doc/usage/al2.md | 1 +
doc/usage/al2023.md | 1 +
2 files changed, 2 insertions(+)
diff --git a/doc/usage/al2.md b/doc/usage/al2.md
index e98d87c7a..507e8fa6c 100644
--- a/doc/usage/al2.md
+++ b/doc/usage/al2.md
@@ -14,6 +14,7 @@
 | `arch` | |
 | `associate_public_ip_address` | |
 | `aws_access_key_id` | |
+| `aws_endpoint_url_s3` | Use specified S3 endpoint for S3 calls (useful when running in non-commercial AWS environments). |
 | `aws_region` | |
 | `aws_secret_access_key` | |
 | `aws_session_token` | |
diff --git a/doc/usage/al2023.md b/doc/usage/al2023.md
index 48a6b85e4..de1ebc7bd 100644
--- a/doc/usage/al2023.md
+++ b/doc/usage/al2023.md
@@ -13,6 +13,7 @@
 | `arch` | |
 | `associate_public_ip_address` | |
 | `aws_access_key_id` | |
+| `aws_endpoint_url_s3` | Use specified S3 endpoint for S3 calls (useful when running in non-commercial AWS environments). |
 | `aws_region` | |
 | `aws_secret_access_key` | |
 | `aws_session_token` | |
From 92aacc98d8a0dc96a3c36f66896f7d4752453a2e Mon Sep 17 00:00:00 2001
From: Joel Diaz
Date: Fri, 22 Mar 2024 14:28:18 -0400
Subject: [PATCH 4/6] add explicit region for s3 commands
---
hack/latest-binaries.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/latest-binaries.sh b/hack/latest-binaries.sh
index e94c551c8..3a822bb3e 100755
--- a/hack/latest-binaries.sh
+++ b/hack/latest-binaries.sh
@@ -13,7 +13,7 @@ MINOR_VERSION="${1}"
 # retrieve the available "VERSION/BUILD_DATE" prefixes (e.g. "1.28.1/2023-09-14")
 # from the binary object keys, sorted in descending semver order, and pick the first one
-LATEST_BINARIES=$(aws s3api list-objects-v2 --bucket amazon-eks --prefix "${MINOR_VERSION}" --query 'Contents[*].[Key]' --output text --no-sign-request | cut -d'/' -f-2 | sort -Vru | head -n1)
+LATEST_BINARIES=$(aws s3api list-objects-v2 --bucket amazon-eks --prefix "${MINOR_VERSION}" --query 'Contents[*].[Key]' --output text --region us-west-2 --no-sign-request | cut -d'/' -f-2 | sort -Vru | head -n1)
 if [ "${LATEST_BINARIES}" == "None" ]; then
 echo >&2 "No binaries available for minor version: ${MINOR_VERSION}"
From a73364434a0fdfd7a4649d65fa5991da8dd72d4c Mon Sep 17 00:00:00 2001
From: Joel Diaz
Date: Mon, 1 Apr 2024 18:26:05 -0400
Subject: [PATCH 5/6] remove aws_endpoint_url_s3
it isn't necessary now that we are providing the region for the s3 bucket
---
doc/usage/al2.md | 1 -
doc/usage/al2023.md | 1 -
templates/al2/template.json | 2 --
templates/al2/variables-default.json | 1 -
templates/al2023/template.json | 2 --
templates/al2023/variables-default.json | 1 -
6 files changed, 8 deletions(-)
diff --git a/doc/usage/al2.md b/doc/usage/al2.md
index 507e8fa6c..e98d87c7a 100644
--- a/doc/usage/al2.md
+++ b/doc/usage/al2.md
@@ -14,7 +14,6 @@
 | `arch` | |
 | `associate_public_ip_address` | |
 | `aws_access_key_id` | |
-| `aws_endpoint_url_s3` | Use specified S3 endpoint for S3 calls (useful when running in non-commercial AWS environments). |
 | `aws_region` | |
 | `aws_secret_access_key` | |
 | `aws_session_token` | |
diff --git a/doc/usage/al2023.md b/doc/usage/al2023.md
index de1ebc7bd..48a6b85e4 100644
--- a/doc/usage/al2023.md
+++ b/doc/usage/al2023.md
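Review bot: The `--region us-west-2 --no-sign-request` call in the `-13` hunk is followed only by `[ "${LATEST_BINARIES}" == "None" ]`, which recognises an empty listing but not a failed one: when `aws` exits non-zero (an AccessDenied on the anonymous request, a wrong endpoint, no network) the remaining `cut | sort | head` stages still succeed, so unless the script enables `pipefail` (not visible in the hunk) `LATEST_BINARIES` is simply empty and the script carries on with an empty version prefix. Guard both outcomes, `if [ -z "${LATEST_BINARIES}" ] || [ "${LATEST_BINARIES}" == "None" ]; then`, or make the assignment fail loudly under `set -o pipefail`. Separately, `--prefix "${MINOR_VERSION}"` is not anchored, so a short argument such as `1.2` also matches `1.28`/`1.29` keys; `--prefix "${MINOR_VERSION}."` pins it to the intended minor. The `if` block ends outside the hunk.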
@@ -13,7 +13,6 @@
 | `arch` | |
 | `associate_public_ip_address` | |
 | `aws_access_key_id` | |
-| `aws_endpoint_url_s3` | Use specified S3 endpoint for S3 calls (useful when running in non-commercial AWS environments). |
 | `aws_region` | |
 | `aws_secret_access_key` | |
 | `aws_session_token` | |
diff --git a/templates/al2/template.json b/templates/al2/template.json
index 970968553..c79b4fd75 100644
--- a/templates/al2/template.json
+++ b/templates/al2/template.json
@@ -10,7 +10,6 @@
 "arch": null,
 "associate_public_ip_address": null,
 "aws_access_key_id": null,
- "aws_endpoint_url_s3": null,
 "aws_region": null,
 "aws_secret_access_key": null,
 "aws_session_token": null,
@@ -192,7 +191,6 @@
 "script": "{{template_dir}}/provisioners/install-worker.sh",
 "environment_vars": [
 "AWS_ACCESS_KEY_ID={{user `aws_access_key_id`}}",
- "AWS_ENDPOINT_URL_S3={{ user `aws_endpoint_url_s3`}}",
 "AWS_SECRET_ACCESS_KEY={{user `aws_secret_access_key`}}",
 "AWS_SESSION_TOKEN={{user `aws_session_token`}}",
 "BINARY_BUCKET_NAME={{user `binary_bucket_name`}}",
diff --git a/templates/al2/variables-default.json b/templates/al2/variables-default.json
index e21a3f4a7..0e6c96a7c 100644
--- a/templates/al2/variables-default.json
+++ b/templates/al2/variables-default.json
@@ -6,7 +6,6 @@
 "ami_users": "",
 "associate_public_ip_address": "",
 "aws_access_key_id": "{{env `AWS_ACCESS_KEY_ID`}}",
- "aws_endpoint_url_s3": "{{env `AWS_ENDPOINT_URL_S3`}}",
 "aws_region": "us-west-2",
 "aws_secret_access_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
 "aws_session_token": "{{env `AWS_SESSION_TOKEN`}}",
diff --git a/templates/al2023/template.json b/templates/al2023/template.json
index eb1f230b3..62f720806 100644
--- a/templates/al2023/template.json
+++ b/templates/al2023/template.json
@@ -9,7 +9,6 @@
 "arch": null,
 "associate_public_ip_address": null,
 "aws_access_key_id": null,
- "aws_endpoint_url_s3": null,
 "aws_region": null,
 "aws_secret_access_key": null,
 "aws_session_token": null,
@@ -177,7 +176,6 @@
 "script": "{{template_dir}}/provisioners/install-worker.sh",
 "environment_vars": [
 "AWS_ACCESS_KEY_ID={{user `aws_access_key_id`}}",
- "AWS_ENDPOINT_URL_S3={{user `aws_endpoint_url_s3`}}",
 "AWS_SECRET_ACCESS_KEY={{user `aws_secret_access_key`}}",
 "AWS_SESSION_TOKEN={{user `aws_session_token`}}",
 "BINARY_BUCKET_NAME={{user `binary_bucket_name`}}",
diff --git a/templates/al2023/variables-default.json b/templates/al2023/variables-default.json
index fafea4df6..581ec0775 100644
--- a/templates/al2023/variables-default.json
+++ b/templates/al2023/variables-default.json
@@ -5,7 +5,6 @@
 "ami_users": "",
 "associate_public_ip_address": "",
 "aws_access_key_id": "{{env `AWS_ACCESS_KEY_ID`}}",
- "aws_endpoint_url_s3": "{{env `AWS_ENDPOINT_URL_S3`}}",
 "aws_region": "us-west-2",
 "aws_secret_access_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
 "aws_session_token": "{{env `AWS_SESSION_TOKEN`}}",
From 9466e72dc0ee44f0efd1602124171de14a7080bb Mon Sep 17 00:00:00 2001
From: Joel Diaz
Date: Mon, 1 Apr 2024 19:12:44 -0400
Subject: [PATCH 6/6] add comment about wishing to use $binary_bucket_region instead of hardcoding us-west-2
---
hack/latest-binaries.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hack/latest-binaries.sh b/hack/latest-binaries.sh
index 3a822bb3e..eaa707586 100755
--- a/hack/latest-binaries.sh
+++ b/hack/latest-binaries.sh
@@ -13,6 +13,8 @@ MINOR_VERSION="${1}"
 # retrieve the available "VERSION/BUILD_DATE" prefixes (e.g. "1.28.1/2023-09-14")
 # from the binary object keys, sorted in descending semver order, and pick the first one
+# TODO: ideally we want to use the value of $binary_bucket_region instead of hard-coding us-west-2
+# since setting the binary_bucket_region value really is the indication of where the binaries are located.
 LATEST_BINARIES=$(aws s3api list-objects-v2 --bucket amazon-eks --prefix "${MINOR_VERSION}" --query 'Contents[*].[Key]' --output text --region us-west-2 --no-sign-request | cut -d'/' -f-2 | sort -Vru | head -n1)
 if [ "${LATEST_BINARIES}" == "None" ]; then
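Review bot: The TODO added in the `-13` hunk names `$binary_bucket_region`, which is a Packer user variable that this standalone hack script never receives, so a reader cannot act on it as written; the shell-side names the templates already hand to the provisioner are `BINARY_BUCKET_NAME` and `BINARY_BUCKET_REGION`. The comment can be resolved rather than recorded by reading those with defaults, `--bucket "${BINARY_BUCKET_NAME:-amazon-eks}"` and `--region "${BINARY_BUCKET_REGION:-us-west-2}"`, which keeps today's behaviour for a plain `./hack/latest-binaries.sh 1.29` and lets a GovCloud or private-mirror build point the lookup at the same bucket the provisioner will download from. If it stays a TODO, use the trackable `# TODO(owner): …` form and note in it that `--no-sign-request` must become conditional as well once a non-public bucket is allowed here, since an anonymous listing of a private bucket fails. The `if` that follows is cut off by the hunk.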