Closed michaelfinch closed 2 months ago
@derekargueta @suniltheta @mattklein123 @marcomagdy @nbaws
will grab this one
@michaelfinch #35062 will address this issue. Thank you for reporting it :)
Thank you for the quick turnaround!
Addressed by https://github.com/envoyproxy/envoy/pull/35062
When attempting to follow method 3 here https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/aws_request_signing_filter#credentials, the STS cluster created by the filter is created as a dynamic cluster. If delta xDS is not being used, this dynamic cluster will be deleted on the next CDS update the envoy receives, which will cause AWS request signing to fail.
Repro steps:
envoy.reloadable_features.use_http_client_to_fetch_aws_credentials to true.
Here are the debug logs seen when a CDS update is received
Here is where the STS cluster is created https://github.com/envoyproxy/envoy/blob/main/source/extensions/common/aws/credentials_provider_impl.cc#L150. The function is named createInternalClusterStatic, but I confirmed in config dump that the cluster is actually created as a dynamic cluster. Is there a way to create a static cluster that won't get wiped out by CDS updates?
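One way to repeat the config-dump check described in the report above, as an added example that is not part of the original issue or of Envoy's code: it reads the JSON from the admin `/config_dump` endpoint and reports which required clusters are not tracked as static. The cluster names and the sample dump are constructed placeholders, not values from the issue.

```python
import json

CLUSTERS_DUMP_TYPE = "type.googleapis.com/envoy.admin.v3.ClustersConfigDump"
# Sections of ClustersConfigDump and the label reported for each.
SECTIONS = {
    "static_clusters": "static",
    "dynamic_active_clusters": "dynamic",
    "dynamic_warming_clusters": "dynamic (warming)",
}

def classify_clusters(config_dump):
    """Map cluster name -> how Envoy tracks it, from a /config_dump document."""
    kinds = {}
    for cfg in config_dump.get("configs", []):
        if cfg.get("@type") != CLUSTERS_DUMP_TYPE:
            continue
        for section, label in SECTIONS.items():
            for entry in cfg.get(section, []):
                name = entry.get("cluster", {}).get("name")
                if name:
                    kinds[name] = label
    return kinds

def at_risk(config_dump, required):
    """Required clusters that are missing or not static, i.e. ones a
    state-of-the-world CDS update that omits them would remove."""
    kinds = classify_clusters(config_dump)
    return {n: kinds.get(n, "missing") for n in required
            if kinds.get(n) != "static"}

# Constructed sample dump; "example_sts_cluster" is a placeholder name.
SAMPLE_DUMP = json.loads("""
{"configs": [
  {"@type": "type.googleapis.com/envoy.admin.v3.BootstrapConfigDump"},
  {"@type": "type.googleapis.com/envoy.admin.v3.ClustersConfigDump",
   "static_clusters": [{"cluster": {"name": "xds_cluster"}}],
   "dynamic_active_clusters": [
     {"cluster": {"name": "backend"}},
     {"cluster": {"name": "example_sts_cluster"}}]}
]}
""")

if __name__ == "__main__":
    required = ["xds_cluster", "example_sts_cluster"]
    for name, kind in at_risk(SAMPLE_DUMP, required).items():
        print(f"{name}: {kind}")
```

Run against a dump taken before and after a CDS update, a required cluster moving from "dynamic" to "missing" matches the failure the report describes.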