Ian UID2-3703 retrieve configs from identity service

Makefile.eks

@@ -73,7 +73,7 @@ build/syslog-ng-ose-pub.asc: build_artifacts ./scripts/aws/syslog-ng/client/sysl
 	cp ./scripts/aws/syslog-ng/client/syslog-ng-ose-pub.asc ./build/
 
 build/entrypoint.sh: build_artifacts
-	cp ./scripts/aws/entrypoint.sh ./build/
+	cp ./scripts/aws/eks/enclave/entrypoint.sh ./build/
 
 ##################################################################################################################################################################
 

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.uid2</groupId>
     <artifactId>uid2-operator</artifactId>
-    <version>5.37.168</version>
+    <version>5.37.180-alpha-62-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

scripts/aws/eks/enclave/Dockerfile

@@ -31,7 +31,6 @@ COPY ./target/${JAR_NAME}-${JAR_VERSION}-jar-with-dependencies.jar /app/${JAR_NA
 COPY ./static             /app/static
 COPY ./libjnsm.so         /app/lib/
 COPY ./vsockpx            /app/
-COPY ./load_config.py     /app/
 COPY ./make_config.py     /app/
 COPY ./entrypoint.sh      /app/
 COPY ./proxies.nitro.yaml /app/

scripts/aws/eks/enclave/entrypoint.sh

@@ -15,44 +15,22 @@ echo "Starting vsock proxy..."
 echo "Starting syslog-ng..."
 /usr/sbin/syslog-ng --verbose
 
-# -- load env vars via proxy
-echo "Loading env vars via proxy..."
-
-TOKEN=$(curl -x socks5h://127.0.0.1:3305 --request PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 3600")
-USER_DATA=$(curl -s -x socks5h://127.0.0.1:3305 http://169.254.169.254/latest/user-data --header "X-aws-ec2-metadata-token: $TOKEN")
-if [ "${IDENTITY_SCOPE}" = "UID2" ]; then
-  UID2_CONFIG_SECRET_KEY=$([[ "$(echo "${USER_DATA}" | grep UID2_CONFIG_SECRET_KEY=)" =~ ^export\ UID2_CONFIG_SECRET_KEY=\"(.*)\"$ ]] && echo "${BASH_REMATCH[1]}" || echo "uid2-operator-config-key")
-elif [ "${IDENTITY_SCOPE}" = "EUID" ]; then
-  UID2_CONFIG_SECRET_KEY=$([[ "$(echo "${USER_DATA}" | grep EUID_CONFIG_SECRET_KEY=)" =~ ^export\ EUID_CONFIG_SECRET_KEY=\"(.*)\"$ ]] && echo "${BASH_REMATCH[1]}" || echo "euid-operator-config-key")
+# -- load config from identity service
+echo "Loading config from identity service via proxy..."
+IDENTITY_SERVICE_CONFIG=$(curl -s -x socks5h://127.0.0.1:3305 http://127.0.0.1:27015/getConfig)
+if jq -e . >/dev/null 2>&1 <<<"${IDENTITY_SERVICE_CONFIG}"; then
+    echo "Identity service returned valid config"
 else
-  echo "Unrecognized IDENTITY_SCOPE ${IDENTITY_SCOPE}"
-  exit 1
+    echo "Failed to get a valid config from identity service"
+    exit 1
 fi
-CORE_BASE_URL=$([[ "$(echo "${USER_DATA}" | grep CORE_BASE_URL=)" =~ ^export\ CORE_BASE_URL=\"(.*)\"$ ]] && echo "${BASH_REMATCH[1]}" || echo "")
-OPTOUT_BASE_URL=$([[ "$(echo "${USER_DATA}" | grep OPTOUT_BASE_URL=)" =~ ^export\ OPTOUT_BASE_URL=\"(.*)\"$ ]] && echo "${BASH_REMATCH[1]}" || echo "")
-
-echo "UID2_CONFIG_SECRET_KEY=${UID2_CONFIG_SECRET_KEY}"
-echo "CORE_BASE_URL=${CORE_BASE_URL}"
-echo "OPTOUT_BASE_URL=${OPTOUT_BASE_URL}"
 
-export AWS_REGION_NAME=$(curl -s -x socks5h://127.0.0.1:3305 http://169.254.169.254/latest/dynamic/instance-identity/document/ --header "X-aws-ec2-metadata-token: $TOKEN" | jq -r ".region")
-echo "AWS_REGION_NAME=${AWS_REGION_NAME}"
-echo "127.0.0.1 secretsmanager.${AWS_REGION_NAME}.amazonaws.com" >> /etc/hosts
-
-IAM_ROLE=$(curl -s -x socks5h://127.0.0.1:3305 http://169.254.169.254/latest/meta-data/iam/security-credentials/ --header "X-aws-ec2-metadata-token: $TOKEN")
-echo "IAM_ROLE=${IAM_ROLE}"
-
-SECURITY_CREDS=$(curl -s -x socks5h://127.0.0.1:3305 "http://169.254.169.254/latest/meta-data/iam/security-credentials/${IAM_ROLE}" --header "X-aws-ec2-metadata-token: $TOKEN")
-export AWS_ACCESS_KEY_ID=$(echo $SECURITY_CREDS | jq -r ".AccessKeyId")
-export AWS_SECRET_KEY=$(echo $SECURITY_CREDS | jq -r ".SecretAccessKey")
-export AWS_SESSION_TOKEN=$(echo $SECURITY_CREDS | jq -r ".Token")
-
-# -- load configs via proxy
-echo "Loading config overrides..."
 export OVERRIDES_CONFIG="/app/conf/config-overrides.json"
-python3 /app/load_config.py > "${OVERRIDES_CONFIG}"
+echo "${IDENTITY_SERVICE_CONFIG}" > "${OVERRIDES_CONFIG}"
 
 export DEPLOYMENT_ENVIRONMENT=$(jq -r ".environment" < "${OVERRIDES_CONFIG}")
+export CORE_BASE_URL=$(jq -r ".core_base_url" < "${OVERRIDES_CONFIG}")
+export OPTOUT_BASE_URL=$(jq -r ".optout_base_url" < "${OVERRIDES_CONFIG}")
 echo "DEPLOYMENT_ENVIRONMENT=${DEPLOYMENT_ENVIRONMENT}"
 if [ -z "${DEPLOYMENT_ENVIRONMENT}" ]; then
   echo "DEPLOYMENT_ENVIRONMENT cannot be empty"
@@ -74,13 +52,9 @@ else
   exit 1
 fi
 
-get_config_value() {
-  jq -r ".\"$1\"" ${FINAL_CONFIG}
-}
-
 # -- replace base URLs if both CORE_BASE_URL and OPTOUT_BASE_URL are provided
 # -- using hardcoded domains is fine because they should not be changed frequently
-if [ -n "${CORE_BASE_URL}" ] && [ -n "${OPTOUT_BASE_URL}" ] && [ "${DEPLOYMENT_ENVIRONMENT}" != "prod" ]; then
+if [ -n "${CORE_BASE_URL}" ] && [ "${CORE_BASE_URL}" != "null" ] && [ -n "${OPTOUT_BASE_URL}" ] && [ "${OPTOUT_BASE_URL}" != "null" ] && [ "${DEPLOYMENT_ENVIRONMENT}" != "prod" ]; then
     echo "Replacing core and optout URLs by ${CORE_BASE_URL} and ${OPTOUT_BASE_URL}..."
 
     sed -i "s#https://core-integ.uidapi.com#${CORE_BASE_URL}#g" "${FINAL_CONFIG}"
@@ -96,9 +70,6 @@ fi
 
 cat "${FINAL_CONFIG}"
 
-HOSTNAME=$(curl -s -x socks5h://127.0.0.1:3305 http://169.254.169.254/latest/meta-data/local-hostname --header "X-aws-ec2-metadata-token: $TOKEN")
-echo "HOSTNAME=${HOSTNAME}"
-
 # -- set pwd to /app so we can find default configs
 cd /app
 

scripts/aws/eks/pod/entrypoint.sh

@@ -40,7 +40,7 @@ function setup_dante() {
 function run_config_server() {
     echo "run_config_server"
     cd /home/config-server/
-    /config-server/bin/flask run --host 127.0.0.1 --port 27015
+    /config-server/bin/flask run --host 127.0.0.1 --port 27015 &
 }
 
 function run_enclave() {

scripts/aws/eks/pod/proxies.host.yaml

@@ -8,12 +8,12 @@ socks5h-proxy:
 operator-service:
   service: direct
   listen: tcp://0.0.0.0:80
-  connect: vsock://42:8080
+  connect: vsock://16:8080
 
 operator-prometheus:
   service: direct
   listen: tcp://0.0.0.0:9080
-  connect: vsock://42:9080
+  connect: vsock://16:9080
 
 syslogng:
   service: direct

scripts/aws/make_config.py

@@ -36,10 +36,14 @@ def apply_override(config, overrides, key, type):
 # environment
 if overrides.get('environment') == 'integ':
   integ_config = load_json(integ_config_path)
+  apply_override(config, integ_config, 'sites_metadata_path', str)
   apply_override(config, integ_config, 'clients_metadata_path', str)
   apply_override(config, integ_config, 'keysets_metadata_path', str)
   apply_override(config, integ_config, 'keyset_keys_metadata_path', str)
+  apply_override(config, integ_config, 'client_side_keypairs_metadata_path', str)
   apply_override(config, integ_config, 'salts_metadata_path', str)
+  apply_override(config, integ_config, 'services_metadata_path', str)
+  apply_override(config, integ_config, 'service_links_metadata_path', str)
   apply_override(config, integ_config, 'optout_metadata_path', str)
   apply_override(config, integ_config, 'core_attest_url', str)
   apply_override(config, integ_config, 'optout_api_uri', str)