Merge branch 'main' into dapr-state-store-clickhouse

Author: middt

.build-tools/builtin-authentication-profiles.yaml

@@ -5,9 +5,18 @@ aws:
     metadata:
       - name: region
         type: string
-        required: true
+        required: false
         description: |
           The AWS Region where the AWS resource is deployed to.
+          This will be marked required in Dapr 1.17.
+        example: '"us-east-1"'
+      - name: awsRegion
+        type: string
+        required: false
+        description: |
+          This maintains backwards compatibility with existing fields. 
+          It will be deprecated as of Dapr 1.17. Use 'region' instead.
+          The AWS Region where the AWS resource is deployed to.
         example: '"us-east-1"'
       - name: accessKey
         description: AWS access key associated with an IAM account
@@ -20,11 +29,13 @@ aws:
         sensitive: true
         example: '"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"'
       - name: sessionToken
+        type: string
         required: false
         sensitive: true
         description: |
           AWS session token to use. A session token is only required if you are using
           temporary security credentials.
+        example: '"TOKEN"'
   - title: "AWS: Assume IAM Role"
     description: |
       Assume a specific IAM role. Note: This is only supported for Kafka and PostgreSQL.

.build-tools/pkg/metadataschema/builtin-authentication-profiles.go

@@ -32,25 +32,17 @@ func ParseBuiltinAuthenticationProfile(bi BuiltinAuthenticationProfile, componen
 	for i, profile := range profiles {
 		res[i] = profile
 
-		// convert slice to a slice of pointers to update in place for required -> non-required fields
-		metadataPtr := make([]*Metadata, len(profile.Metadata))
-		for j := range profile.Metadata {
-			metadataPtr[j] = &profile.Metadata[j]
-		}
+		// deep copy the metadata slice to avoid side effects when manually updating some req -> non-req fields to deprecate some fields for kafka/postgres
+		// TODO: rm all of this manipulation in Dapr 1.17!!
+		originalMetadata := profile.Metadata
+		metadataCopy := make([]Metadata, len(originalMetadata))
+		copy(metadataCopy, originalMetadata)
 
 		if componentTitle == "Apache Kafka" || strings.ToLower(componentTitle) == "postgresql" {
-			removeRequiredOnSomeAWSFields(&metadataPtr)
-		}
-
-		// convert back to value slices for merging
-		updatedMetadata := make([]Metadata, 0, len(metadataPtr))
-		for _, ptr := range metadataPtr {
-			if ptr != nil {
-				updatedMetadata = append(updatedMetadata, *ptr)
-			}
+			removeRequiredOnSomeAWSFields(&metadataCopy)
 		}
 
-		merged := mergedMetadata(bi.Metadata, updatedMetadata...)
+		merged := mergedMetadata(bi.Metadata, metadataCopy...)
 
 		// Note: We must apply the removal of deprecated fields after the merge!!
 
@@ -92,12 +84,14 @@ func mergedMetadata(base []Metadata, add ...Metadata) []Metadata {
 // We normally have accessKey, secretKey, and region fields marked required as it is part of the builtin AWS auth profile fields.
 // However, as we rm the aws prefixed ones, we need to then mark the normally required ones as not required only for postgres and kafka.
 // This way we do not break existing users, and transition them to the standardized fields.
-func removeRequiredOnSomeAWSFields(metadata *[]*Metadata) {
+func removeRequiredOnSomeAWSFields(metadata *[]Metadata) {
 	if metadata == nil {
 		return
 	}
 
-	for _, field := range *metadata {
+	for i := range *metadata {
+		field := &(*metadata)[i]
+
 		if field == nil {
 			continue
 		}
@@ -125,6 +119,10 @@ func removeSomeDeprecatedFieldsOnUnrelatedAuthProfiles(metadata []Metadata) []Me
 	filteredMetadata := []Metadata{}
 
 	for _, field := range metadata {
+		// region is required in Assume Role auth profile, so this is needed for now.
+		if field.Name == "region" {
+			field.Required = true
+		}
 		if field.Name == "awsAccessKey" || field.Name == "awsSecretKey" || field.Name == "awsSessionToken" || field.Name == "awsRegion" {
 			continue
 		} else {

bindings/kafka/metadata.yaml

@@ -29,14 +29,6 @@ builtinAuthenticationProfiles:
         example: '"awsiam"'
         allowedValues:
           - "awsiam"
-      - name: awsRegion
-        type: string
-        required: false
-        description: |
-          This maintains backwards compatibility with existing fields. 
-          It will be deprecated as of Dapr 1.17. Use 'region' instead.
-          The AWS Region where the AWS service is deployed to.
-        example: '"us-east-1"'
       - name: awsAccessKey
         type: string
         required: false

bindings/postgres/metadata.yaml

@@ -73,14 +73,6 @@ builtinAuthenticationProfiles:
           If both fields are set, then 'secretKey' value will be used.
           The secret key associated with the access key.
         example: '"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"'
-      - name: awsRegion
-        type: string
-        required: false
-        description: |
-          This maintains backwards compatibility with existing fields. 
-          It will be deprecated as of Dapr 1.17. Use 'region' instead.
-          The AWS Region where the AWS service is deployed to.
-        example: '"us-east-1"'
 authenticationProfiles:
   - title: "Connection string"
     description: "Authenticate using a Connection String"

common/authentication/aws/static.go

@@ -262,21 +262,8 @@ func (a *StaticAuth) getDatabaseToken(ctx context.Context, poolConfig *pgxpool.C
 	dbEndpoint := poolConfig.ConnConfig.Host + ":" + strconv.Itoa(int(poolConfig.ConnConfig.Port))
 
 	// First, check if there are credentials set explicitly with accesskey and secretkey
-	var creds credentials.Value
-	if a.session != nil {
-		var err error
-		creds, err = a.session.Config.Credentials.Get()
-		if err != nil {
-			a.logger.Infof("failed to get access key and secret key, will fallback to reading the default AWS credentials file: %w", err)
-		}
-	}
-
-	if creds.AccessKeyID != "" && creds.SecretAccessKey != "" {
-		creds, err := a.session.Config.Credentials.Get()
-		if err != nil {
-			return "", fmt.Errorf("failed to retrieve session credentials: %w", err)
-		}
-		awsCfg := v2creds.NewStaticCredentialsProvider(creds.AccessKeyID, creds.SecretAccessKey, creds.SessionToken)
+	if a.accessKey != nil && a.secretKey != nil {
+		awsCfg := v2creds.NewStaticCredentialsProvider(*a.accessKey, *a.secretKey, a.sessionToken)
 		authenticationToken, err := auth.BuildAuthToken(
 			ctx, dbEndpoint, *a.region, poolConfig.ConnConfig.User, awsCfg)
 		if err != nil {

common/authentication/aws/x509.go

@@ -312,7 +312,9 @@ func (a *x509) Ses() *SesClients {
 func (a *x509) getDatabaseToken(ctx context.Context, poolConfig *pgxpool.Config) (string, error) {
 	dbEndpoint := poolConfig.ConnConfig.Host + ":" + strconv.Itoa(int(poolConfig.ConnConfig.Port))
 
-	// First, check if there are credentials set explicitly with accesskey and secretkey
+	// First, check session credentials.
+	// This should always be what we use to generate the x509 auth credentials for postgres.
+	// However, we can leave the Second and Lastly checks as backup for now.
 	var creds credentials.Value
 	if a.session != nil {
 		var err error

configuration/postgres/metadata.yaml

@@ -63,14 +63,6 @@ builtinAuthenticationProfiles:
           If both fields are set, then 'secretKey' value will be used.
           The secret key associated with the access key.
         example: '"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"'
-      - name: awsRegion
-        type: string
-        required: false
-        description: |
-          This maintains backwards compatibility with existing fields. 
-          It will be deprecated as of Dapr 1.17. Use 'region' instead.
-          The AWS Region where the AWS service is deployed to.
-        example: '"us-east-1"'
 authenticationProfiles:
   - title: "Connection string"
     description: "Authenticate using a Connection String."

pubsub/kafka/metadata.yaml

@@ -23,14 +23,6 @@ builtinAuthenticationProfiles:
         example: '"awsiam"'
         allowedValues:
           - "awsiam"
-      - name: awsRegion
-        type: string
-        required: false
-        description: |
-          This maintains backwards compatibility with existing fields. 
-          It will be deprecated as of Dapr 1.17. Use 'region' instead.
-          The AWS Region where the AWS service is deployed to.
-        example: '"us-east-1"'
       - name: awsAccessKey
         type: string
         required: false

state/postgresql/v1/metadata.yaml

@@ -70,14 +70,6 @@ builtinAuthenticationProfiles:
           If both fields are set, then 'secretKey' value will be used.
           The secret key associated with the access key.
         example: '"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"'
-      - name: awsRegion
-        type: string
-        required: false
-        description: |
-          This maintains backwards compatibility with existing fields. 
-          It will be deprecated as of Dapr 1.17. Use 'region' instead.
-          The AWS Region where the AWS service is deployed to.
-        example: '"us-east-1"'
 authenticationProfiles:
   - title: "Connection string"
     description: "Authenticate using a Connection String"

state/postgresql/v2/metadata.yaml

@@ -69,14 +69,6 @@ builtinAuthenticationProfiles:
           If both fields are set, then 'secretKey' value will be used.
           The secret key associated with the access key.
         example: '"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"'
-      - name: awsRegion
-        type: string
-        required: false
-        description: |
-          This maintains backwards compatibility with existing fields. 
-          It will be deprecated as of Dapr 1.17. Use 'region' instead.
-          The AWS Region where the AWS service is deployed to.
-        example: '"us-east-1"'
 authenticationProfiles:
   - title: "Connection string"
     description: "Authenticate using a Connection String"