filter_aws: Adds resource entity to PLE calls in cloudwatch logs plugin for dataplane and host logs #7
Conversation
nathalapooja
changed the title
nathalapooja
changed the title
|
In the entity, Type should be |
| #define AWS_AUTH_CONFIG_MAP "aws-auth" | ||
|
|
||
| /* Kubernetes API server info */ | ||
| #define FLB_API_HOST "kubernetes.default.svc" |
There was a problem hiding this comment.
nit: These constants are already defined in kube_conf.h, would it be cleaner to re-use them instead?
| } | ||
|
|
||
| /* Create an Upstream context */ | ||
| ctx->kubernetes_upstream = flb_upstream_create(config, |
There was a problem hiding this comment.
Is there any scenario where we don't need TLS to communicate with Kubernetes API server? I see the original code uses TCP instead of TLS connection as default so just curious:
There was a problem hiding this comment.
Though the default is TCP, in the code, we have the below definitions for k8s API server info
/* Kubernetes API server info */
#define FLB_API_HOST "kubernetes.default.svc"
#define FLB_API_PORT 443
#define FLB_API_TLS FLB_TRUE
FLB_API_TLS is true in this case, for which we used the FLB_IO_TLS flag in creating the upstream
plugins/filter_aws/aws.c
Outdated
| if(ctx->cluster == NULL) { | ||
| char* cluster_name = getenv("CLUSTER_NAME"); | ||
| if(cluster_name) { | ||
| ctx->cluster = strdup(cluster_name); |
There was a problem hiding this comment.
nit:
| ctx->cluster = strdup(cluster_name); | |
| ctx->cluster = flb_strdup(cluster_name); |
Both code are doing same thing, just trivial code schematics suggestions to follow FluentBit patterns.
plugins/filter_aws/aws.c
Outdated
| if (ret == -1) { | ||
| flb_plg_warn(ctx->ins, "cannot open %s", FLB_KUBE_TOKEN); | ||
| } | ||
| flb_plg_info(ctx->ins, " token updated"); |
There was a problem hiding this comment.
nit: this log line is vague. Could just follow the original log line pasted from kube_meta.c
| flb_plg_info(ctx->ins, " token updated"); | |
| flb_plg_info(ctx->ins, " token updated", FLB_KUBE_TOKEN); |
plugins/filter_aws/aws.c
Outdated
| } | ||
|
|
||
| /* Gather metadata from HTTP Request, | ||
| * this could send out HTTP Request either to KUBE Server API or Kubelet |
There was a problem hiding this comment.
Correct me if I'm wrong: based on the code so far, I think we are only making call to Kubernetes Server API not Kubelet right?
There was a problem hiding this comment.
Yes just the k8s server API, updated the comment to reflect
| static void get_platform(struct flb_filter_aws *ctx) | ||
| { | ||
| if (ctx->platform == NULL) { | ||
| char *config_buf = NULL; |
There was a problem hiding this comment.
Should this be freed at the end of function?
There was a problem hiding this comment.
Good catch. updated in revision
| } | ||
| ctx->cluster = NULL; | ||
| ctx->platform = NULL; | ||
| if (strncmp(ctx->entity_type , FLB_FILTER_ENTITY_TYPE_RESOURCE, FLB_FILTER_ENTITY_TYPE_RESOURCE_LEN) == 0) { |
There was a problem hiding this comment.
Thinking of edge case here: If IMDS retrieval was unsuccessful, this function exits early so we never end up making calls for the below functions. Is this understanding correct? if so we may have to move these Kubernetes specific logics to its own function and make a single call in the init function so it's not dependent on IMDS
There was a problem hiding this comment.
IMDS retrieval only happens when the enable entity is true and entity type is service. the logic remains the same as before.
There was a problem hiding this comment.
Discussed with @nathalapooja that this is fine because we need IMDS to retrieve account ID which is required for sending entity anyway.
plugins/filter_aws/aws.c
Outdated
| @@ -673,6 +969,26 @@ static int cb_aws_filter(const void *data, size_t bytes, | |||
| msgpack_pack_str_body(&tmp_pck, | |||
| ctx->account_id, ctx->account_id_len); | |||
| } | |||
|
|
|||
| if (ctx->enable_entity && ctx->cluster != NULL && ctx->platform != NULL && strncmp(ctx->entity_type , FLB_FILTER_ENTITY_TYPE_RESOURCE, FLB_FILTER_ENTITY_TYPE_RESOURCE_LEN) == 0 ) { | |||
There was a problem hiding this comment.
What this is doing now is we only attach account ID when entity type is service, but we want to send account ID when entity type is resource as well.
| goto error; | ||
| } | ||
| if (!try_to_write(buf->out_buf, offset, buf->out_buf_size, | ||
| "\"Type\":\"Resource\"",0)) { |
There was a problem hiding this comment.
Discussed with @nathalapooja but we need to distinguish between AWS::Resource and Resource
| ret = entity_add_key_attributes(ctx,buf,stream,offset); | ||
| if (ret < 0) { | ||
| flb_plg_error(ctx->ins, "Failed to initialize Entity KeyAttributes"); | ||
| "\"entity\":{", 10)) { |
There was a problem hiding this comment.
I think adding entity to the HTTP payload here can cause an issue when entity type is service and service name or account ID is not present. Because the HTTP payload would just end up being "entity:{" but with nothing filled inside therefore the entire PLE call would be corrupted.
| stream->entity->attributes = flb_malloc(sizeof(entity_attributes)); | ||
| if (stream->entity->attributes == NULL) { | ||
| return; | ||
| if (strncmp(ctx->entity_type , FLB_FILTER_ENTITY_TYPE_SERVICE, FLB_FILTER_ENTITY_TYPE_SERVICE_LEN) == 0) { |
There was a problem hiding this comment.
oh nice, this is saving some memory in case entity type is resource? since resource entity don't have attributes.
…luent-bit into cloudwatch-dp
Enter
[N/A]in the box, if an item is not applicable to your change.Testing
Before we can approve your change; please submit the following in a comment:
For Dataplane logs on EKS cluster
For Host logs in EKS cluster
For cloudwatch logs output plugin: flb-rt-out_cloudwatch
If this is a change to packaging of containers or native binaries then please confirm it works for all targets.
ok-package-testlabel to test for all targets (requires maintainer to do).Documentation
Backporting
Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.