Add log driver secret to LogConfig and agent capability #1818
Conversation
agent/api/task/task.go
Outdated
| @@ -900,6 +903,27 @@ func (task *Task) ApplyExecutionRoleLogsAuth(hostConfig *dockercontainer.HostCon | |||
| return nil | |||
| } | |||
|
|
|||
| //ApplyLogDriverSecret will add the generated splunk secret into the associated HostConfig | |||
There was a problem hiding this comment.
There's nothing specific to Splunk here.
agent/api/task/task.go
Outdated
| container.MergeEnvironmentVariables(envVars) | ||
| } | ||
|
|
||
| //Check if the "splunk-token" has already been initialized and stored in the LogCofig map |
There was a problem hiding this comment.
We should not include logic specific to Splunk or keys like "splunk-token". If we need logic like this, it should be handled in the ECS backend so we do not need to keep updating the agent.
There was a problem hiding this comment.
I agree - this was discussed during design phase, to not cater implementation to one specific log driver.
There was a problem hiding this comment.
Figured out a way. Will discuss and update this pr shortly.
agent/app/agent_capability.go
Outdated
| @@ -39,6 +39,8 @@ const ( | |||
| capabilityPrivateRegistryAuthASM = "private-registry-authentication.secretsmanager" | |||
| capabilitySecretEnvSSM = "secrets.ssm.environment-variables" | |||
| capabilitySecretEnvASM = "secrets.asm.environment-variables" | |||
| capabilitySecretLogDriverSSM = "secrets.ssm.logging-drivers" | |||
| capabilitySecretLogDriverASM = "secrets.asm.logging-drivers" | |||
There was a problem hiding this comment.
nit: run go fmt to align this with other variables
agent/api/container/container.go
Outdated
| @@ -261,6 +266,7 @@ type Secret struct { | |||
| ContainerPath string `json:"containerPath"` | |||
| Type string `json:"type"` | |||
| Provider string `json:"provider"` | |||
| Target string `json:"target"` | |||
0f10ed1 to
0d21068
Compare
a73b9ea to
5717f08
Compare
agent/api/container/container.go
Outdated
|
|
||
| // MergeLogDrivers appends additional pairs to | ||
| // the the container's Logging Drivers structure | ||
| func (c *Container) HasSecretAsEvnAndLogDriver() bool { |
There was a problem hiding this comment.
Think it should beHasSecretAsEnvOrLogDriver. either way, just calling it HasSecrets or HasSecretsAvailable might be better. also the comment needs to be changed.
There was a problem hiding this comment.
Will change it to HasSecretAsEnvOrLogDriver at this time. It is specifically for checking env and log driver secrets.
agent/api/container/container.go
Outdated
| @@ -807,7 +813,17 @@ func (c *Container) MergeEnvironmentVariables(envVars map[string]string) { | |||
| } | |||
| } | |||
|
|
|||
| func (c *Container) HasSecretAsEnv() bool { | |||
| //Append the logging driver using secret into the container's LogConfig | |||
agent/api/task/task.go
Outdated
| // PopulateSecretsAsEnv appends the container's env var map with secrets | ||
| func (task *Task) PopulateSecretsAsEnv(container *apicontainer.Container) *apierrors.DockerClientConfigError { | ||
| // PopulateSecretsAsEnvAndLogDriver appends the container's env var map with secrets | ||
| func (task *Task) PopulateSecretsAsEnvAndLogDriver(hostConfig *dockercontainer.HostConfig, container *apicontainer.Container) *apierrors.DockerClientConfigError { |
There was a problem hiding this comment.
Can we just call it PopulateSecrets so we that don't have to change the name again when new secret type is added?
| @@ -63,6 +65,9 @@ const ( | |||
|
|
|||
| // SecretTypeEnv is to show secret type being ENVIRONMENT_VARIABLE | |||
| SecretTypeEnv = "ENVIRONMENT_VARIABLE" | |||
|
|
|||
| // TargetLogDriver is to show secret target being "LOG_DRIVER", the default will be "CONTAINER" | |||
There was a problem hiding this comment.
where is the default being set?
There was a problem hiding this comment.
CP will set the target of those env secrets as a default "container" but don't think it will be used somewhere here since they've already had a type field "ENVIRONMENT_VARIABLE"...
|
Since this code is no longer specific to Splunk, can we remove Splunk from the commit message and the PR title? |
4f13abe to
357723a
Compare
agent/api/container/container.go
Outdated
| hostConfig.LogConfig.Config[logDriverSecretName] = logDriverSecretValue | ||
| } | ||
|
|
||
| func (c *Container) HasSecretAsEvnOrLogDriver() bool { |
agent/api/container/container.go
Outdated
| @@ -807,7 +813,15 @@ func (c *Container) MergeEnvironmentVariables(envVars map[string]string) { | |||
| } | |||
| } | |||
|
|
|||
| func (c *Container) HasSecretAsEnv() bool { | |||
| // Append the logging driver using secret into the container's LogConfig | |||
| func (c *Container) ApplyLogDriverSecret(hostConfig *dockercontainer.HostConfig, logDriverSecretName string, logDriverSecretValue string) { | |||
There was a problem hiding this comment.
i don't think this should be a method of container.. the container is not used. i think this can just be a helper function put below its caller
| continue | ||
| } | ||
| if secret.Target == apicontainer.SecretTargetLogDriver { | ||
| logDriverTokenName = secret.Name |
There was a problem hiding this comment.
i think currently you assume there's only one log driver secret, but i don't see why you need to have that assumption.. i think you can call ApplyLogDriverSecret here whenever you find a log driver secret?
agent/app/agent_capability.go
Outdated
| @@ -138,6 +145,9 @@ func (agent *ecsAgent) capabilities() ([]*ecs.Attribute, error) { | |||
| // ecs agent version 1.23.0 supports ecs secrets integrating with aws secrets manager | |||
| capabilities = appendNameOnlyAttribute(capabilities, attributePrefix+capabilitySecretEnvASM) | |||
|
|
|||
| // ecs agent version 1.25.0 supports ecs secrets for logging drivers | |||
d0c39fc to
5f10985
Compare
| @@ -269,6 +272,7 @@ type Secret struct { | |||
| ContainerPath string `json:"containerPath"` | |||
| Type string `json:"type"` | |||
| Provider string `json:"provider"` | |||
| Target string `json:"target"` | |||
There was a problem hiding this comment.
sorry that i forgot.. i think you need to bump state file version for this
5f10985 to
734963a
Compare
734963a to
ce89c7f
Compare
ce89c7f to
f709e9f
Compare
f709e9f to
4e818ef
Compare
|
#1856 |
Summary
Add the secret value of Splunk logging driver into the Container's hostconfig section and add the agent capability for secret that supports Splunk
Implementation details
Testing
make release)go build -out amazon-ecs-agent.exe ./agent)make test) passgo test -timeout=30s ./agent/...) passmake run-integ-tests) pass.\scripts\run-integ-tests.ps1) passmake run-functional-tests) pass.\scripts\run-functional-tests.ps1) passNew tests cover the changes:
Description for the changelog
Licensing
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.