Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Access ECS OpenAPI using the VPC endpoint on ECS #1179

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Access ECS OpenAPI using the VPC endpoint on ECS #1179

wants to merge 2 commits into from

Conversation

huww98
Copy link
Contributor

@huww98 huww98 commented Oct 9, 2024
edited
Loading

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

#449 seems to want to enable VPC endpoint for the listed 19 regions, but ended up using public endpoint for them and use VPC endpoint for other regions. Now we are sure the listed 19 (actually 18) regions support VPC endpoint, and we have been using VPC endpoint for other regions for years without problem. So this change should be safe.

For the listed regions:

Now VPC endpoint is available for all regions, we should use them by default so that we don't rely on Internet access.

We enable VPC endpoint with a new envvar ALIBABA_CLOUD_NETWORK_TYPE, to try to not breaking the users who deploy CSI on non-ECS env.

If ALIBABA_CLOUD_NETWORK_TYPE is set to:

  • vpc: always use ecs-vpc.<region-id>.aliyuncs.com
  • public: always use ecs.<region-id>.aliyuncs.com
  • unset: use SDK built-in logic: basically, looking up a hard-coded map and fallback to ecs.<region-id>.aliyuncs.com

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

For internal mode, we always use localAPI endpoint, like ecs-openapi-share.cn-beijing.aliyuncs.com, queried from location-readonly.aliyuncs.com

Some regions also can resolve public endpoint to VPC VIP. But this is not documented, not supported in all regions, and can be affected by the custom DNS config. So we should not rely on this.

Does this PR introduce a user-facing change?

We now access ECS OpenAPI using the VPC endpoint on ECS. Please ensure any custom network policy allows such access.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 9, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: huww98
Once this PR has been reviewed and has the lgtm label, please assign mowangdk for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Oct 9, 2024
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 1, 2024
@huww98
disk: set OpenAPI network type from env
ba8b25c 
env ALIBABA_CLOUD_NETWORK_TYPE should be set to "vpc" when deployed on ECS, or unset otherwise.
@huww98
deploy: enable ECS vpc openAPI endpoint by default
e5321e8
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mowangdk mowangdk Awaiting requested review from mowangdk

@tydra-wang tydra-wang Awaiting requested review from tydra-wang

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@huww98 @k8s-ci-robot