fix(al2023): dynamic proxy function to bypass default caching by http.ProxyFromEnvironment (#2471)

* fix: dynamic proxy function to bypass default caching by http.ProxyFromEnvironment

Author: shvbsle

nodeadm/internal/aws/imds/imds.go

@@ -4,16 +4,35 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"net/http"
+	"net/url"
 	"path"
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws/ratelimit"
 	"github.com/aws/aws-sdk-go-v2/aws/retry"
+	awshttp "github.com/aws/aws-sdk-go-v2/aws/transport/http"
 	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
 )
 
 var _defaultClient *imds.Client
 
+// This function is a wrapper around the default `http.ProxyFromEnvironment` function
+// which cachces the proxy variables in environment when first invoked thus, preventing subsequent
+// configuration attempts of http proxy via derived from user-data. Since, the first outbound
+// API call in nodeadm is to the IMDS for fetching user-data, we bypass caching.
+// Ref: https://github.com/golang/go/blob/master/src/net/http/transport.go#L499
+func dynamicProxyFunc(req *http.Request) (*url.URL, error) {
+	// Link-local addresses for IMDS do not need to be going through a proxy
+	// The IMDS has two endpoints on an instance: IPv4 (169.254.169.254) and IPv6 ([fd00:ec2::254])
+	// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html
+	if req.URL.Host == "169.254.169.254" || req.URL.Host == "[fd00:ec2::254]" {
+		return nil, nil
+	}
+
+	return http.ProxyFromEnvironment(req)
+}
+
 func init() {
 	_defaultClient = New(false /* do not retry 404s with default client */)
 }
@@ -40,7 +59,13 @@ type IMDSClient interface {
 }
 
 func New(retry404s bool, fnOpts ...func(*imds.Options)) *imds.Client {
+	// Create HTTP client with dynamic proxy function
+	httpClient := awshttp.NewBuildableClient().WithTransportOptions(func(tr *http.Transport) {
+		tr.Proxy = dynamicProxyFunc
+	})
+
 	return imds.New(imds.Options{
+		HTTPClient:            httpClient,
 		DisableDefaultTimeout: true,
 		Retryer: retry.NewStandard(func(so *retry.StandardOptions) {
 			so.MaxAttempts = 60

nodeadm/internal/aws/imds/imds_test.go

@@ -0,0 +1,99 @@
+package imds
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+	"os/exec"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDynamicProxyFuncBehavior(t *testing.T) {
+	tests := []struct {
+		name          string
+		envVars       map[string]string
+		testURL       string
+		expectedProxy string
+	}{
+		{
+			name: "external_url_with_proxy",
+			envVars: map[string]string{
+				"HTTPS_PROXY": "http://example-proxy:8080",
+			},
+			testURL:       "https://ec2.amazonaws.com",
+			expectedProxy: "http://example-proxy:8080",
+		},
+		{
+			name: "imds_ipv4_no_proxy",
+			envVars: map[string]string{
+				"HTTPS_PROXY": "http://example-proxy:8080",
+			},
+			testURL:       "http://169.254.169.254/latest/user-data",
+			expectedProxy: "",
+		},
+		{
+			name: "imds_ipv6_no_proxy",
+			envVars: map[string]string{
+				"HTTPS_PROXY": "http://example-proxy:8080",
+			},
+			testURL:       "http://[fd00:ec2::254]/latest/user-data",
+			expectedProxy: "",
+		},
+		{
+			name:          "no_env_vars",
+			envVars:       map[string]string{},
+			testURL:       "https://ec2.amazonaws.com",
+			expectedProxy: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Testing the dynamicProxyFunc can invoke http.ProxyFromEnvironment() function
+			// which freezes the proxy environment variables for the entire process due to sync.Once caching.
+			// Hence, each test-case is run in a separate process to avoid caching.
+			cmd := exec.Command("go", "test", "-run", "TestSingleProxyCase", "./")
+
+			cmd.Env = os.Environ()
+			cmd.Env = append(cmd.Env, fmt.Sprintf("TEST_NAME=%s", tt.name))
+			cmd.Env = append(cmd.Env, fmt.Sprintf("TEST_URL=%s", tt.testURL))
+			cmd.Env = append(cmd.Env, fmt.Sprintf("EXPECTED_PROXY=%s", tt.expectedProxy))
+
+			// add the env variables for the actual proxy test
+			for key, value := range tt.envVars {
+				cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", key, value))
+			}
+			output, err := cmd.CombinedOutput()
+
+			if err != nil {
+				t.Errorf("Test %s failed: %v\nOutput: %s", tt.name, err, string(output))
+			}
+		})
+	}
+}
+
+func TestSingleProxyCase(t *testing.T) {
+	testName := os.Getenv("TEST_NAME")
+	if testName == "" {
+		t.Skip("Not a subprocess test")
+	}
+
+	testURL := os.Getenv("TEST_URL")
+	expectedProxy := os.Getenv("EXPECTED_PROXY")
+
+	req, _ := http.NewRequest("GET", testURL, nil)
+	proxyURL, err := dynamicProxyFunc(req)
+
+	if err != nil {
+		t.Fatalf("dynamicProxyFunc returned error: %v", err)
+	}
+
+	var actualProxy string
+	if proxyURL != nil {
+		actualProxy = proxyURL.String()
+	}
+
+	assert.Equal(t, expectedProxy, actualProxy)
+}