chetanmeh opened a new pull request #4392: Enable attachment reads from 
CloudFront
URL: https://github.com/apache/incubator-openwhisk/pull/4392
 
 
   Enables support for reading attachment content from CloudFront which fronts 
the S3 bucket. 
   
   ## Description
   
   For Multi Region deployments (#4277) we plan to make use of CloudFront CDN 
which fronts the S3 bucket used to store attachments. It makes use of 
[CloudFront support for serving private content][1]
   
   This feature is optional. By default `S3AttachmentStore` would perform read 
and writes from S3 directly. However once CloudFront configuration is provided 
then the reads would be performed from CloudFront while reads and deletes would 
be done at S3 level
   
   ### Usage 
   
   Configure OpenWhisk S3 support with CloudFront config `cloud-front-config`
   
   ```
   whisk {
     s3 {
       bucket = "openwhisk-test"
       prefix = "dev"
       cloud-front-config {
         domain-name = "foo.com"
         key-pair-id = "OPENWHISKISFUNTOUSE"
         private-key = """-----BEGIN RSA PRIVATE KEY-----
   MIIBPAIBAAJBAOY+Q7vyH1SnCUoFIpzqmZe1TNCxiE6zuiMRmjuJqiAzQWdb5hEA
   ZaC+f7Lcu53IvczZR0KsP4JndzG23rVg/y0CAwEAAQJBAMK+F3x4ppdrUSgSf9xJ
   cfAnoPlDsA8hZWcUFGgXYJYqKYw3NqoYG5fwyZ7xrwdMhpbdgD++nsBC/JMwUhEB
   h+ECIQDzj5Tbd7WvfaKGjozwQgHA9u3f53kxCWovpFEngU6VNwIhAPIAkAPnzuDr
   q3cEyAbM49ozjyc6/NOV6QK65HQj1gC7AiBrax/Ty3At/dL4VVaDgBkV6dHvtj8V
   CXnzmRzRt43Y8QIhAIzrvPE5RGP/eEqHUz96glhm276Zf+5qBlTbpfrnf0/PAiEA
   r1vFsvC8+KSHv7XGU1xfeiHHpHxEfDvJlX7/CxeWumQ=
   -----END RSA PRIVATE KEY-----
   """
         timeout = 10 m
       }
     }
   }
   ```
   
    Here you need to provide the
   
   1. `domain-name` - Like _xxx.cloudfront.net_. This would be determined based 
on the CloudFront distribution configured
   2. `key-pair-id` - ID of the private key used to perform url signing. See 
[here][3] for steps
   3. `private-key` - Content of RSA private key in `pem` format. You can also 
pass the key via an env variable
   4. `timeout` - Timeout for generated signed url. This need not be very high 
as generated url is consumed immediately to read the content
   
   Refer to [AWS Docs][2] for more details.
   
   ### Test Runs
   
   There is a `S3AttachmentStoreCloudFrontTests` test which runs the integration 
test when CloudFront related configuration is provided. It needs the following env 
variables defined to run. See details above for what values need to be provided 
for them.
   
   - `CLOUDFRONT_DOMAIN_NAME`
   - `CLOUDFRONT_KEY_PAIR_ID`
   - `CLOUDFRONT_PRIVATE_KEY`
   
   ## Related issue and scope
   <!--- Please include a link to a related issue if there is one. -->
   - [ ] I opened an issue to propose and discuss this change (#4277)
   
   ## My changes affect the following components
   <!--- Select below all system components are affected by your change. -->
   <!--- Enter an `x` in all applicable boxes. -->
   - [ ] API
   - [ ] Controller
   - [ ] Message Bus (e.g., Kafka)
   - [ ] Loadbalancer
   - [ ] Invoker
   - [ ] Intrinsic actions (e.g., sequences, conductors)
   - [ ] Data stores (e.g., CouchDB)
   - [ ] Tests
   - [ ] Deployment
   - [ ] CLI
   - [ ] General tooling
   - [ ] Documentation
   
   ## Types of changes
   <!--- What types of changes does your code introduce? Use `x` in all the 
boxes that apply: -->
   - [ ] Bug fix (generally a non-breaking change which closes an issue).
   - [ ] Enhancement or new feature (adds new functionality).
   - [ ] Breaking change (a bug fix or enhancement which changes existing 
behavior).
   
   ## Checklist:
   <!--- Please review the points below which help you make sure you've covered 
all aspects of the change you're making. -->
   
   - [ ] I signed an [Apache 
CLA](https://github.com/apache/incubator-openwhisk/blob/master/CONTRIBUTING.md).
   - [ ] I reviewed the [style 
guides](https://github.com/apache/incubator-openwhisk/wiki/Contributing:-Git-guidelines#code-readiness)
 and followed the recommendations (Travis CI will check :).
   - [ ] I added tests to cover my changes.
   - [ ] My changes require further changes to the documentation.
   - [ ] I updated the documentation where necessary.
   
   [1]: 
https://aws.amazon.com/blogs/developer/accessing-private-content-in-amazon-cloudfront/
   [2]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html
   [3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs
   
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
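
Added example, not part of the pull request or of OpenWhisk's code: a stdlib-only Python illustration of the CloudFront canned-policy URL signing that `key-pair-id`, `private-key` and `timeout` feed into, together with the signature and expiry check applied when the URL is used. The RSA key is a constructed toy key built from two Mersenne primes (insecure, for demonstration only), and all function names are hypothetical.

```python
import base64, hashlib, json

# Constructed demo key (NOT secure): two Mersenne primes stand in for the
# RSA key that `private-key` would hold in a real deployment.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# DER DigestInfo prefix for SHA-1 (PKCS#1 v1.5, RFC 8017 section 9.2)
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def emsa_encode(policy: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-1(policy), as an integer."""
    t = SHA1_PREFIX + hashlib.sha1(policy).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def canned_policy(url: str, expires: int) -> bytes:
    """Canned policy: one resource, one expiry, no whitespace."""
    doc = {"Statement": [{"Resource": url,
           "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(doc, separators=(",", ":")).encode()

def cf_b64(raw: bytes) -> str:
    """Base64 with CloudFront's URL-safe substitutions (+ = / become - _ ~)."""
    return base64.b64encode(raw).decode().translate(str.maketrans("+=/", "-_~"))

def sign_url(url: str, key_pair_id: str, now: int, timeout_s: int) -> str:
    expires = now + timeout_s  # short-lived: the URL is consumed immediately
    sig = pow(emsa_encode(canned_policy(url, expires)), D, N).to_bytes(K, "big")
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}Expires={expires}&Signature={cf_b64(sig)}&Key-Pair-Id={key_pair_id}"

def verify_url(signed: str, now: int) -> bool:
    """Rebuild the policy from the URL, check the signature, then the expiry."""
    base, _, tail = signed.rpartition("Expires=")
    exp_s, _, rest = tail.partition("&Signature=")
    sig_s = rest.partition("&Key-Pair-Id=")[0]
    sig = base64.b64decode(sig_s.translate(str.maketrans("-_~", "+=/")))
    ok = pow(int.from_bytes(sig, "big"), E, N) == emsa_encode(canned_policy(base[:-1], int(exp_s)))
    return ok and now < int(exp_s)
```

Because the expiry and the resource URL are both inside the signed policy, extending `Expires` or pointing the signature at another attachment invalidates it; the `timeout` of `10 m` in the sample configuration corresponds to `timeout_s=600` here.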
