Add ECR creds provider #157
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
Hi @ayberk. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
|
/assign @andrewsykim |
ayberk
force-pushed
the
ecr_creds_provider
branch
from
8fb78ed to
e59fdb7
Compare
k8s-ci-robot
added
release-note
cmd/ecr-credential-provider/main.go
Outdated
| // kubelet does not cache it in-memory | ||
| cacheDuration = &metav1.Duration{Duration: 0} | ||
| } else { | ||
| duration := expiresAt.Sub(time.Now()) |
There was a problem hiding this comment.
Let me know if I'm missing something here, but if we are extracting the expiration from the ECR authorization token, converting that to a cache duration, then sending it back to kubelet, then I think we should shave some time off the duration here to account for transit back to kubelet, right?
There was a problem hiding this comment.
Good callout. Actually since token comes from an makes an API call, we need to consider that latency as well, which would more random. Is it too late to change the CredentialProviderResponse to pass the CacheExpiresAt directly instead of CacheDuration?
There was a problem hiding this comment.
For compatibility, we can add it as an optional parameter and it'd take precedence over CacheDuration.
There was a problem hiding this comment.
I've substracted 1 second for now, which I think should be good for most cases. We can increase it if we want to be safer.
There was a problem hiding this comment.
Even 1 second seems pretty aggressive, can we subtract maybe an hour? That gives plenty of headroom in case there are errors retrieving new tokens but not too short of a duration where we're unnecessarily fetching tokens.
Even half the expiration from ECR seems reasonable to me but I'll defer to @nckturner on what is appropriate.
ayberk
force-pushed
the
ecr_creds_provider
branch
2 times, most recently
from
0bbe3aa to
2987c1e
Compare
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/hold until we update to 1.20 (#151) |
k8s-ci-robot
added
the
do-not-merge/hold
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
ayberk
force-pushed
the
ecr_creds_provider
branch
from
2987c1e to
fbb1194
Compare
|
/test pull-cloud-provider-aws-check |
ayberk
force-pushed
the
ecr_creds_provider
branch
from
fbb1194 to
f4da31f
Compare
|
/unhold |
k8s-ci-robot
removed
the
do-not-merge/hold
ayberk
force-pushed
the
ecr_creds_provider
branch
from
f4da31f to
f4d000b
Compare
ayberk
force-pushed
the
ecr_creds_provider
branch
from
f4d000b to
ec091a5
Compare
| GO111MODULE=on CGO_ENABLED=0 GOOS=$(GOOS) GOPROXY=$(GOPROXY) go build \ | ||
| -ldflags="-w -s -X 'main.version=$(VERSION)'" \ | ||
| -o=ecr-credential-provider \ | ||
| cmd/ecr-credential-provider/*.go |
There was a problem hiding this comment.
I don't think the *.go is necessary, can just be cmd/ecr-credential-provider or cmd/ecr-credential-provider/main.go
There was a problem hiding this comment.
Unfortunately that doesn't work. I either need to build all go files together or move the framework into /pkg. Otherwise it complains about undefined NewCredentialProvider.
It's completely counter-intuitive to me, but based on my research go doesn't like having it in the main package.
There was a problem hiding this comment.
Hmm, I haven't seen the need to use *.go, what do you mean by 'doesn't work'?
There was a problem hiding this comment.
ip-172-31-62-224 cloud-provider-aws git:(ecr_creds_provider) ✗ 12/15 17:25 make ecr-credential-provider
GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOPROXY=https://proxy.golang.org,direct go build \
-ldflags="-w -s -X 'main.version=ec091a51-dirty'" \
-o=ecr-credential-provider \
cmd/ecr-credential-provider/main.go
# command-line-arguments
cmd/ecr-credential-provider/main.go:154:7: undefined: NewCredentialProvider
Makefile:30: recipe for target 'ecr-credential-provider' failed
make: *** [ecr-credential-provider] Error 2
Which is interesting because vscode can correctly locate it.
There was a problem hiding this comment.
Ok I think we can just fix this in a follow up PR if necessary, not a big deal
|
I'm going to merge this as I don't think there's anything that can't be addressed in a follow-up. |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ayberk, nckturner The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What type of PR is this?
/kind feature
What this PR does / why we need it:
Adds the credentials provider for ECR as part of the extraction effort.
Special notes for your reviewer:
frameworkfolder has been copied without any modifications.Does this PR introduce a user-facing change?: