aws / amazon-ecs-service-connect-agent

Amazon ECS Service Connect Agent
Apache License 2.0
29 stars 11 forks source link

Use local relay Envoy in AppMesh to support http async client #68

Open suniltheta opened 10 months ago

suniltheta commented 10 months ago

To be released with v1.29.0+ Envoy release which deprecated libcurl and introduces http async client https://docs.google.com/document/d/1m1KE_LGDnxrXwnUC1OEKYLmw8szy4r06OX_O3JcM-wM

Summary

Http async client is required to fetch credentials from Metadata credentials provider by Envoy. This is to replace deprecated libcurl option in Envoy.

Implementation details

For AppMesh users

This change introduced local relay envoy process that run within the AppMesh envoy container process. No additional configuration is required by AppMesh users to upgrade their image with local relay Envoy process. The Envoy reloadable feature use_http_client_to_fetch_aws_credentials is flipped to default true.

Change summary:

  1. The health check field from /status call to AppNet Agent will include the /ready status from local relay agent if it is running.
  2. By default the relay admin port is not exposed outside the container, but can be overridden by setting APPNET_LOCAL_RELAY_ADMIN_HOST as "0.0.0.0" for testing purpose.
  3. The local relay envoy process and actual envoy process are started by setting distinct --use-dynamic-base-id so that they won't conflict while running on the same host.
  4. Local relay Envoy will be run at default concurrency of 1 and will 20-30MB memory in addition to existing Envoy process. the CPU increase is insignificant.
  5. The logs from Local relay envoy will go to '/tmp' folder but can be override by setting APPNET_LOCAL_RELAY_LOG_DESTINATION & APPNET_LOCAL_RELAY_LOG_FILE_NAME env variables.
  6. The stats from local relay envoy can be collected on cloudwatch sidecar by setting the existing env variable ENABLE_ENVOY_DOG_STATSD to "1".
  7. By default the local relay envoy will be listening on port 9004 for envoy admin interface and port 15003 for forwarding xDS traffic to control plane.
  8. Introduced local_relay_bootstrap.yaml to populate the static configuration for local relay envoy. In contract to relay_bootstrap.yaml this will be listening on TCP ports instead of UDS file path.

For Service Connect users

For Service Connect users this change will enable usage of http async client via reloadable feature use_http_client_to_fetch_aws_credentials in Relay Container. For Envoy sidecar this change will not affect.

Testing

New unit tests cover the changes: yes

Manual testing: Tested EKS walkthrough, ECS Service Connect usecase and ECS validation tests

Description for the changelog

Deprecate usage of libcurl

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.