aws / amazon-ecs-service-connect-agent

Amazon ECS Service Connect Agent
Apache License 2.0

Use local relay Envoy in AppMesh to support http async client #68

Open suniltheta opened 8 months ago

suniltheta commented 8 months ago

To be released with the v1.29.0+ Envoy release, which deprecates libcurl and introduces the http async client: https://docs.google.com/document/d/1m1KE_LGDnxrXwnUC1OEKYLmw8szy4r06OX_O3JcM-wM

Summary

Http async client is required to fetch credentials from Metadata credentials provider by Envoy. This is to replace deprecated libcurl option in Envoy.

Implementation details

For AppMesh users

This change introduces a local relay Envoy process that runs within the AppMesh Envoy container process. No additional configuration is required by AppMesh users to upgrade their image with the local relay Envoy process. The Envoy reloadable feature use_http_client_to_fetch_aws_credentials is flipped to default true.

Change summary:

  1. The health check field from /status call to AppNet Agent will include the /ready status from local relay agent if it is running.
  2. By default the relay admin port is not exposed outside the container, but this can be overridden by setting APPNET_LOCAL_RELAY_ADMIN_HOST to "0.0.0.0" for testing purposes.
  3. The local relay envoy process and actual envoy process are started by setting distinct --use-dynamic-base-id so that they won't conflict while running on the same host.
  4. Local relay Envoy will run at the default concurrency of 1 and will use 20-30MB of memory in addition to the existing Envoy process. The CPU increase is insignificant.
  5. The logs from the local relay Envoy will go to the '/tmp' folder but can be overridden by setting the APPNET_LOCAL_RELAY_LOG_DESTINATION & APPNET_LOCAL_RELAY_LOG_FILE_NAME env variables.
  6. The stats from local relay envoy can be collected on cloudwatch sidecar by setting the existing env variable ENABLE_ENVOY_DOG_STATSD to "1".
  7. By default the local relay envoy will be listening on port 9004 for envoy admin interface and port 15003 for forwarding xDS traffic to control plane.
  8. Introduced local_relay_bootstrap.yaml to populate the static configuration for the local relay Envoy. In contrast to relay_bootstrap.yaml, this will be listening on TCP ports instead of a UDS file path.

For Service Connect users

For Service Connect users this change will enable usage of the http async client via the reloadable feature use_http_client_to_fetch_aws_credentials in the Relay Container. This change will not affect the Envoy sidecar.

Testing

New unit tests cover the changes: yes

Manual testing: Tested EKS walkthrough, ECS Service Connect use case and ECS validation tests

Description for the changelog

Deprecate usage of libcurl

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
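
As an added illustration of items 1 and 2 of the change summary above (example code, not code from this PR or from the agent): the /status answer gains a relay readiness field only when a probe of the relay admin /ready endpoint actually connects, and the relay admin bind host stays on loopback unless APPNET_LOCAL_RELAY_ADMIN_HOST overrides it. The function names, the Status JSON shape, the 500ms probe timeout and the sample relay server are assumptions.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"time"
)

// Assumed default: the relay admin interface binds to loopback (port 9004 per the PR)
// unless APPNET_LOCAL_RELAY_ADMIN_HOST is set explicitly (e.g. "0.0.0.0" for testing).
const defaultRelayAdminHost = "127.0.0.1"

func relayAdminHost() string {
	if h := os.Getenv("APPNET_LOCAL_RELAY_ADMIN_HOST"); h != "" {
		return h
	}
	return defaultRelayAdminHost
}

// relayReady probes the relay admin /ready endpoint with a short timeout.
// A connection failure is reported as "not running" rather than "not ready".
func relayReady(adminURL string) (running bool, ready bool) {
	ctx, cancel := context.WithTimeout(context.Background(), 500*time.Millisecond)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, adminURL+"/ready", nil)
	if err != nil {
		return false, false
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false, false
	}
	defer resp.Body.Close()
	return true, resp.StatusCode == http.StatusOK
}

// Status is an assumed /status shape: the relay field is omitted when no relay is running.
type Status struct {
	Healthy    bool  `json:"healthy"`
	RelayReady *bool `json:"localRelayReady,omitempty"`
}

func buildStatus(envoyHealthy bool, relayAdminURL string) Status {
	s := Status{Healthy: envoyHealthy}
	if running, ready := relayReady(relayAdminURL); running {
		s.RelayReady = &ready
	}
	return s
}

func main() {
	// Constructed stand-in for the relay admin interface: /ready answers 200.
	relay := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/ready" {
			http.NotFound(w, r)
		}
	}))
	defer relay.Close()
	out, _ := json.Marshal(buildStatus(true, relay.URL))
	fmt.Println(string(out), "admin host:", relayAdminHost())
}
```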