Bump KMS and Metadata Clients to AWS SDK Go V2

[gargipanatula]

What type of PR is this?

Uncomment only one, leave it on its own line:

/kind api-change
/kind bug

/kind cleanup

/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:
Continues work on upgrading repo to AWS SDK Go V2. (PR 1: #1146, PR 2: #1157)

Notable Changes:
The IMDS client's signing name and signing region can no longer be overridden. This is because IMDS, unlike other SDK clients, doesn't support signing. (Standard SDK clients use SigV4 while IMDS uses a different protocol).

Trivial Changes:

1. Upgrades usage of the AWS SDK for Go KMS and IMDS packages to V2.
2. Combines Ec2V2 client with the EC2 client returned by Compute()
3. Removed assumeRoleProvider since this was only used by SDK Go V1 clients
4. Added to e2e SDK client testing in aws_sdk_test.go. Now checks that the signing region & name, not only the URL, were properly overridden.
5. Removed lots of unused code that was used for SDK V1 implementations, and updated naming for methods/fields that were distinguished as "V2".

Testing:
Ran unit tests with make test and e2e tests with the following commands:

export AWS_REGION=us-west-2
export TEST_PATH=./tests/e2e/...
export GINKGO_NODES=4
export GINKGO_FOCUS=[cloud-provider-aws-e2e]
export GINGKO_SKIP=[Disruptive]
go install github.com/onsi/ginkgo/[email protected]
export PATH=$PATH:$HOME/go/bin

pushd ./tests/e2e
ginkgo . -v -p --nodes=$GINKGO_NODES --focus=$GINKGO_FOCUS --skip=$GINKGO_SKIP

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

The Metadata client's signing name and signing region can no longer be overridden. 

[k8s-ci-robot]

Hi @gargipanatula. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[gargipanatula]

Note: This test used to test both ValidateOverride and the endpoint/signingname/signingregion overriding functionality. Now, it only tests ValidateOverride, and checking the overrides themselves has been moved to aws_sdk_test.go since override logic is configured directly with the clients.

[kmala]

/ok-to-test

[kmala]

nit: i see that the aws is only use for converting pointer to values and vice versa, can we remove that usage and such that we need not use awsv2

[gargipanatula]

Totally agree, but I think I'll punt this to my final PR in this migration, which will be solely focused on upgrading the remaining packages (just github.com/aws/aws-sdk-go/aws and github.com/aws/aws-sdk-go/aws/awserr). Wanted to keep this PR as simple as possible for ease of review.

[kmala]

I see we are moving the functionality of the https://github.com/kubernetes/cloud-provider-aws/blob/master/pkg/services/aws_ec2.go to here, can we deprecate that file or is it used somewhere else?

[gargipanatula]

Thanks for the catch - these have indeed been moved over so we can deprecate these files.

[kmala]

why panic here?

[gargipanatula]

Ah yeah, this should probably be an error to match the rest of the code. Will change this in the next commit.

[kmala]

will getInstanceIdentityDocumentOutput have any value if there is error ?

[gargipanatula]

Thanks for the catch - we should check if err != nil here and return an error, because we get an error if the request fails/is unable to be parsed.

[haoranleo]

Yeah this line identity := getInstanceIdentityDocumentOutput.InstanceIdentityDocument should be moved under err==nil

[kmala]

This should be migrated right?

[gargipanatula]

Thanks for the catch - migrated endpoint resolution. IMDS doesn't support signing, so its resolver will only override the URL. Standard SDK clients use SigV4 while IMDS uses a different protocol.

[haoranleo]

nit: use the default mode whenever possible

[haoranleo]

Yeah this line identity := getInstanceIdentityDocumentOutput.InstanceIdentityDocument should be moved under err==nil

[gargipanatula]

Note: Instead of checking the ServiceID and region here, like we do for other clients, we only check ServiceID. This does not result in a behavioral change - the resolver for the SDK V1 ec2metadata package always had an empty value for the region at the time of the request, so only the serviceID field was used for determining whether to override.

Also, we are not overriding the signing name and region here since IMDS does not support signing.

[kmala]

i don't think we should panic here?

[kmala]

for my understanding what is the difference between default enabled and enabled https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.16.32/feature/ec2/imds/api_client.go#L37 as that is the default value ?

[gargipanatula]

If we do not configure this variable, it is set to defaultEnable and falls back to whatever the AWS_EC2_METADATA_DISABLED env var is set to.

If we do configure it, then this overrides the value of AWS_EC2_METADATA_DISABLED and acts as if AWS_EC2_METADATA_DISABLED = false.

However, I dug into the old ec2metadata code and it essentially behaves the same way (it needs the same env var to be set to make successful requests). So, I'm going to remove this line so we don't override AWS_EC2_METADATA_DISABLED with o.ClientEnableState = imds.ClientEnabled and we can maintain parity with the old code. Thanks for the callout!

Info about AWS_EC2_METADATA_DISABLED from the docs:

AWS_EC2_METADATA_DISABLED - environment variable
Whether or not to attempt to use Amazon EC2 Instance Metadata Service (IMDS) to obtain credentials.

Default value: false.

Valid values:

true – Do not use IMDS to obtain credentials.

false – Use IMDS to obtain credentials.

[kmala]

there shouldn't be panic here right?

[kmala]

why is this removed? can't we test some if not all?

[gargipanatula]

This part of the test was checking that the signing fields and URL were properly overridden using the generic resolver from V1. Since we now have resolvers on a per client basis, we are now testing the resolvers on a more e2e scale, creating a client and making mock requests (all in aws_sdk_test.go). We're still testing the override functionality, just in a different place.

This test used to test both ValidateOverride() and overriding, now it just tests ValidateOverride().

Let me know if I'm missing something here, though.

[kmala]

i was thinking if we can keep the check len(cfg.ServiceOverride) != len(test.servicesOverridden) but i think it should be okay as this should be tested indirectly in the other function.

[gargipanatula]

/retest

[kmala]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kmala

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [kmala]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment