Add code for acquiring region from env; Refactor code to reduce EC2 c… #2217
Conversation
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @Shreya027. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
cncf-cla: yes
Codecov Report
@@ Coverage Diff @@
## main #2217 +/- ##
=======================================
Coverage 52.39% 52.39%
=======================================
Files 133 133
Lines 7257 7257
=======================================
Hits 3802 3802
Misses 3158 3158
Partials 297 297 Continue to review full report at Codecov.
|
| vpcId, err := metadata.VpcID() | ||
| if err != nil { | ||
| return nil, errors.Wrap(err, "failed to introspect vpcID from EC2Metadata, specify --aws-vpc-id instead if EC2Metadata is unavailable") | ||
| } | ||
| cfg.VpcID = vpcId | ||
| } | ||
|
|
||
| if len(cfg.Region) == 0 { | ||
| region := os.Getenv("AWS_DEFAULT_REGION") |
There was a problem hiding this comment.
These env variables are set only if the IRSA is configured. We still need metadata introspection for the region configuration as a fallback.
k8s-ci-robot
added
size/M
pkg/aws/cloud.go
Outdated
| if len(cfg.VpcID) == 0 { | ||
| metadataSess := session.Must(session.NewSession(aws.NewConfig())) |
There was a problem hiding this comment.
This code path is very likely, so I don't see any benefit of moving these two variables inside the if condition.
| @@ -42,24 +43,37 @@ type Cloud interface { | |||
|
|
|||
| // NewCloud constructs new Cloud implementation. | |||
| func NewCloud(cfg CloudConfig, metricsRegisterer prometheus.Registerer) (Cloud, error) { | |||
| metadataSess := session.Must(session.NewSession(aws.NewConfig())) | |||
| metadata := services.NewEC2Metadata(metadataSess) | |||
| if len(cfg.Region) == 0 { | |||
There was a problem hiding this comment.
why not modify this block instead?
There was a problem hiding this comment.
I actually added the IMDS call inside the if to reduce the number of IMDS calls per instance. So I am making the call only if it is required.
k8s-ci-robot
added
size/S
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
/approve |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kishorj, Shreya027 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Issue
#2139
Description
When deploying the ALB controller to EC2 nodes, we end up getting Region and Vpc Id from EC2 metadata service (IMDS). In case of Fargate however, we need to specify --set region=region-code and --set vpcId=vpc-xxxxxxxx flags during the deployment. The controller code currently makes an IMDS call irrespective of the scenario without checking the cloud configuration set through flags. The code has two main changes listed below:
The code is refactored to only make an IMDS call if required, thus reducing the number of EC2 calls per instance. It makes sure to check flags set in cloud configurations or environment variables before making the call.
The region value is acquired from the environment variable "AWS_DEFAULT_REGION" or "AWS_REGION" if it is not obtained through the configuration flags.
Research
My initial attempt involved trying to eliminate IMDS calls completely and also retrieve cluster name through node data instead of in the deployment parameters. Currently for non Fargate case, both Vpc Id and Region are acquired from configuration flags and if not specified in flags, it is got through EC2 metadata. For Fargate case, Vpc Id and Region are acquired only from the configuration flags. Cluster name is retrieved from the parameters specified during deployment of the controller for both cases. I was able to eliminate the need for IMDS call for region by retrieving it through the environment variables set by IAM roles for service accounts tooling. However, I wasn't able to find a solution to eliminate the need for IMDS call for Vpc Id in case it is not specified in the flags. Also, I wasn't able to find a way to eliminate the need for specifying cluster name in the deployment parameters.
In case of Vpc Id, it can be found as a field in the Instance struct, whereas Cluster Name can be found as a field in the Node struct. The following line of code in main.go
podInfoRepo := k8s.NewDefaultPodInfoRepo(clientSet.CoreV1().RESTClient(), rtOpts.Namespace, ctrl.Log)returns podInfoRepo which in turn can be used to get podInfo using Get() and ListKeys() handlers. The podInfo retrieved can be used to get NodeName which is present as a field in the struct. The NodeName fetched can be used to retrieve the node using the k8s client. The cluster name then can be got straight forward from the node struct retrieved. As far as fetching the Vpc Id is concerned, it too can be retrieved using the FetchNodeInstances() function which in turn consequently retrieves instances that have Vpc Id present in the struct.
However, for a lot of the above functions, a context need to be passed which is initialized as follows
ctx := ctrl.SetupSignalHandler()and is only done once ingGroupReconciler, svcReconciler and tgbReconciler are initialized using Vpc Id, cluster name and region bringing us back to our original problem. This seems to me like a case of chicken and egg problem.
Checklist
README.md, or thedocsdirectory)BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯