Correctly deploy the AWS CCM (#1853)

* aws: stop using the imds api for tags * aws: disable tags in imds api * aws: only tag instances with non-lecagy tag * bootstrapper: always let coredns run before cilium * debugd: make debugd less noisy * fixup fix aws imds test * fixup unsued context * move getting instance id to readInstanceTag
2025-05-07 16:55:15 -04:00 · 2023-06-13 09:58:39 +02:00 · 2023-06-13 09:58:39 +02:00 · a2c98eb1d5
commit a2c98eb1d5
parent 4f63481b7d
13 changed files with 687 additions and 163 deletions
--- a/internal/cloud/aws/logger.go
+++ b/internal/cloud/aws/logger.go
@ -18,6 +18,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
 	logs "github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs"
 	"github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs/types"
+	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	"github.com/edgelesssys/constellation/v2/internal/cloud"
 	"k8s.io/utils/clock"
 )
@ -27,6 +28,9 @@ import (
 type Logger struct {
 	api logAPI

+	ec2API  ec2API
+	imdsAPI imdsAPI
+
 	groupName  string
 	streamName string

@ -50,13 +54,15 @@ func NewLogger(ctx context.Context) (*Logger, error) {

 	l := &Logger{
 		api:      client,
+		ec2API:   ec2.NewFromConfig(cfg),
+		imdsAPI:  imds.NewFromConfig(cfg),
 		interval: time.Second,
 		clock:    clock.RealClock{},
 		wg:       sync.WaitGroup{},
 		stopCh:   make(chan struct{}, 1),
 	}

-	if err := l.createStream(ctx, imds.New(imds.Options{})); err != nil {
+	if err := l.createStream(ctx); err != nil {
 		return nil, err
 	}

@ -140,18 +146,14 @@ func (l *Logger) flushLoop() {
 }

 // createStream creates a new log stream in AWS Cloudwatch Logs.
-func (l *Logger) createStream(ctx context.Context, imds imdsAPI) error {
-	name, err := readInstanceTag(ctx, imds, tagName)
+func (l *Logger) createStream(ctx context.Context) error {
+	name, uid, err := l.getNameAndUID(ctx)
 	if err != nil {
 		return err
 	}
 	l.streamName = name

 	// find log group with matching Constellation UID
-	uid, err := readInstanceTag(ctx, imds, cloud.TagUID)
-	if err != nil {
-		return err
-	}
 	describeInput := &logs.DescribeLogGroupsInput{}
 	for res, err := l.api.DescribeLogGroups(ctx, describeInput); ; res, err = l.api.DescribeLogGroups(ctx, describeInput) {
 		if err != nil {
@ -193,6 +195,31 @@ func (l *Logger) createStream(ctx context.Context, imds imdsAPI) error {
 	return nil
 }

+func (l *Logger) getNameAndUID(ctx context.Context) (string, string, error) {
+	identity, err := l.imdsAPI.GetInstanceIdentityDocument(ctx, &imds.GetInstanceIdentityDocumentInput{})
+	if err != nil {
+		return "", "", fmt.Errorf("retrieving instance identity: %w", err)
+	}
+
+	out, err := l.ec2API.DescribeInstances(ctx, &ec2.DescribeInstancesInput{
+		InstanceIds: []string{identity.InstanceID},
+	})
+	if err != nil {
+		return "", "", fmt.Errorf("descibing instances: %w", err)
+	}
+
+	if len(out.Reservations) != 1 || len(out.Reservations[0].Instances) != 1 {
+		return "", "", fmt.Errorf("expected 1 instance, got %d", len(out.Reservations[0].Instances))
+	}
+
+	uid, err := findTag(out.Reservations[0].Instances[0].Tags, cloud.TagUID)
+	if err != nil {
+		return "", "", fmt.Errorf("finding tag %s: %w", cloud.TagUID, err)
+	}
+
+	return identity.InstanceID, uid, err
+}
+
 type logAPI interface {
 	CreateLogStream(context.Context, *logs.CreateLogStreamInput, ...func(*logs.Options)) (*logs.CreateLogStreamOutput, error)
 	DescribeLogGroups(context.Context, *logs.DescribeLogGroupsInput, ...func(*logs.Options)) (*logs.DescribeLogGroupsOutput, error)