Support a separate URL base for pre-signed URLs

ncdc · ncdc · commit b80f29a60fb2 · 2018-10-26T10:15:19.000-04:00
This allows the Ark server to use one URL for the majority of
communications with S3 (or compatible) object storage, and a different
URL base for pre-signed URLs (for streaming logs, etc. to clients).

Signed-off-by: Andy Goldstein &lt;andy.goldstein@gmail.com&gt;
diff --git a/pkg/cloudprovider/aws/object_store.go b/pkg/cloudprovider/aws/object_store.go
@@ -33,6 +33,7 @@ import (
 
 const (
 	s3URLKey            = "s3Url"
+	publicURLKey        = "publicUrl"
 	kmsKeyIDKey         = "kmsKeyId"
 	s3ForcePathStyleKey = "s3ForcePathStyle"
 	bucketKey           = "bucket"
@@ -41,6 +42,7 @@ const (
 type objectStore struct {
 	log        logrus.FieldLogger
 	s3         *s3.S3
+	preSignS3  *s3.S3
 	s3Uploader *s3manager.Uploader
 	kmsKeyID   string
 }
@@ -53,6 +55,7 @@ func (o *objectStore) Init(config map[string]string) error {
 	var (
 		region              = config[regionKey]
 		s3URL               = config[s3URLKey]
+		publicURL           = config[publicURLKey]
 		kmsKeyID            = config[kmsKeyIDKey]
 		s3ForcePathStyleVal = config[s3ForcePathStyleKey]
 
@@ -82,20 +85,52 @@ func (o *objectStore) Init(config map[string]string) error {
 		}
 	}
 
+	serverConfig, err := newAWSConfig(s3URL, region, s3ForcePathStyle)
+	if err != nil {
+		return err
+	}
+
+	serverSession, err := getSession(serverConfig)
+	if err != nil {
+		return err
+	}
+
+	o.s3 = s3.New(serverSession)
+	o.s3Uploader = s3manager.NewUploader(serverSession)
+	o.kmsKeyID = kmsKeyID
+
+	if publicURL != "" {
+		publicConfig, err := newAWSConfig(publicURL, region, s3ForcePathStyle)
+		if err != nil {
+			return err
+		}
+		publicSession, err := getSession(publicConfig)
+		if err != nil {
+			return err
+		}
+		o.preSignS3 = s3.New(publicSession)
+	} else {
+		o.preSignS3 = o.s3
+	}
+
+	return nil
+}
+
+func newAWSConfig(url, region string, forcePathStyle bool) (*aws.Config, error) {
 	awsConfig := aws.NewConfig().
 		WithRegion(region).
-		WithS3ForcePathStyle(s3ForcePathStyle)
+		WithS3ForcePathStyle(forcePathStyle)
 
-	if s3URL != "" {
-		if !IsValidS3URLScheme(s3URL) {
-			return errors.Errorf("Invalid s3Url: %s", s3URL)
+	if url != "" {
+		if !IsValidS3URLScheme(url) {
+			return nil, errors.Errorf("Invalid s3 url: %s", url)
 		}
 
 		awsConfig = awsConfig.WithEndpointResolver(
 			endpoints.ResolverFunc(func(service, region string, optFns ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) {
 				if service == endpoints.S3ServiceID {
 					return endpoints.ResolvedEndpoint{
-						URL: s3URL,
+						URL: url,
 					}, nil
 				}
 
@@ -104,16 +139,7 @@ func (o *objectStore) Init(config map[string]string) error {
 		)
 	}
 
-	sess, err := getSession(awsConfig)
-	if err != nil {
-		return err
-	}
-
-	o.s3 = s3.New(sess)
-	o.s3Uploader = s3manager.NewUploader(sess)
-	o.kmsKeyID = kmsKeyID
-
-	return nil
+	return awsConfig, nil
 }
 
 func (o *objectStore) PutObject(bucket, key string, body io.Reader) error {
@@ -202,7 +228,7 @@ func (o *objectStore) DeleteObject(bucket, key string) error {
 }
 
 func (o *objectStore) CreateSignedURL(bucket, key string, ttl time.Duration) (string, error) {
-	req, _ := o.s3.GetObjectRequest(&s3.GetObjectInput{
+	req, _ := o.preSignS3.GetObjectRequest(&s3.GetObjectInput{
 		Bucket: aws.String(bucket),
 		Key:    aws.String(key),
 	})
