Closed rimaulana closed 2 years ago
Just to confirm, you are trying to find an alternative to waiting some random amount of time for the sts endpoint to become available?
I'm wondering if it's possible for you to wrap the aws-for-fluent-bit image in a custom image that waits before the entry point is called for the sts endpoint to become available. That way fluent bit will be able to detect the endpoint.
Something like the following could be added before the entry point is called. Just an idea. What do you think?
until curl --output /dev/null --silent --head --fail https://sts.us-west-2.amazonaws.com; do
  printf '.'
  sleep 5
done
@matthewfala Yes, this could be a solution. Normally you are not required to build another image since you could provide command and args for the container in the pod.
But what is interesting: There is another container with some Java in it and this container does not have this problem. Maybe it simply needs some more time to come up.
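A bounded variant of the wait loop proposed above, written as a wrapper script that could be supplied through the container's command/args. This is an added example, not code from this thread or from the aws-for-fluent-bit project: the max-attempts limit, the curl timeout and the injectable probe command (so the retry logic can run without network access) are assumptions of this example.

```shell
#!/bin/sh
# Wrapper: wait for an HTTPS endpoint (e.g. STS) to answer, then exec the real
# entrypoint. Usage:
#   wait-for-endpoint.sh <url> <max_attempts> <sleep_secs> -- <entrypoint> [args...]

# probe_url URL: 0 if a HEAD request gets a 2xx/3xx within 5 seconds, else non-zero.
probe_url() {
    curl --output /dev/null --silent --head --fail --max-time 5 "$1"
}

# wait_for PROBE MAX_ATTEMPTS SLEEP_SECS URL
# Runs "PROBE URL" until it succeeds. Gives up after MAX_ATTEMPTS so a wrong
# URL or blocked egress fails the container (and gets restarted/alerted on)
# instead of hanging it forever. PROBE is a command or shell function name.
wait_for() {
    probe=$1; max=$2; delay=$3; url=$4
    attempt=1
    while ! "$probe" "$url"; do
        if [ "$attempt" -ge "$max" ]; then
            echo "endpoint $url not reachable after $attempt attempts" >&2
            return 1
        fi
        attempt=$((attempt + 1))
        sleep "$delay"
    done
    return 0
}

# Wait, then exec the real command so fluent bit keeps PID 1 and receives signals.
main() {
    url=$1; max=$2; delay=$3; shift 3
    [ "$1" = "--" ] && shift
    wait_for probe_url "$max" "$delay" "$url" || exit 1
    exec "$@"
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```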
Thanks @guidoffm . I talked to the team and they propose a different solution. The credential provider will retry if credentials fail to be provided, so what we need is for the IMDS endpoint to not be discoverable.
Is it possible for you to turn off IMDS for your service? Not sure if this would mess things up.
Otherwise, you can add the IMDS IP to your container's hosts file and redirect it to some invalid address
# Add to bottom of /etc/hosts file
# IMDS invalidation
169.254.169.254 192.0.2.0
assuming that 192.0.2.0 is guaranteed to not exist.
@guidoffm, closing this issue due to no response. Please reopen this ticket if you have any remaining questions or concerns.
Cluster Details
Solutions running on EKS with AppMesh on EC2 worker nodes and aws-for-fluent-bit as a sidecar
Steps to reproduce issue
Create a pod with aws-for-fluent-bit as a sidecar and have it be part of an AppMesh node (being injected with the AppMesh envoy container and proxyinit)