Skip to content

add aws-smithy-http-client#940

Open
sky1122 wants to merge 6 commits into
bottlerocket-os:developfrom
sky1122:aws-smithy-http-client
Open

add aws-smithy-http-client#940
sky1122 wants to merge 6 commits into
bottlerocket-os:developfrom
sky1122:aws-smithy-http-client

Conversation

@sky1122

@sky1122 sky1122 commented Jun 2, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Description of changes:
This PR adds a local carry of aws-smithy-http-client from aws-sdk-rs and migrates pluto and cfsignal from the deprecated
aws-smithy-experimental crate. The old aws-smithy-experimental crate is removed from the workspace.

The carry makes two key modifications from upstream:

  1. Exposes CryptoMode::Custom without the aws_sdk_unstable gate, allowing callers to supply their own rustls CryptoProvider in stable builds for runtime FIPS crypto selection
  2. Strips unused code (hyper 0.14 legacy support, s2n-tls provider, test utilities)

A full diff against upstream is available in this gist.

Note: The first three commits will disappear after the previous PR is merged.

Testing done:

  • test1: build a k8s variant and it join the cluster and success boot
[root@admin]# apiclient get os
{
  "os": {
    "arch": "x86_64",
    "build_id": "f0dfc999-dirty",
    "pretty_name": "Bottlerocket OS 1.58.0 (aws-k8s-1.33-fips)",
    "variant_id": "aws-k8s-1.33-fips",
    "version_id": "1.58.0"
  }
}
[root@admin]#
  • test2: api call success
bash-5.2# journalctl -u cfsignal
Jun 02 22:27:28 localhost systemd[1]: Started Send signal to CloudFormation Stack.
Jun 02 22:27:30 ip-192-168-78-63.us-west-2.compute.internal cfsignal[1593]: 22:27:30 [INFO] System status is: running [0]
Jun 02 22:27:30 ip-192-168-78-63.us-west-2.compute.internal systemd[1]: cfsignal.service: Deactivated successfully.
Jun 03 17:50:22 ip-192-168-78-63.us-west-2.compute.internal systemd[1]: Started Send signal to CloudFormation Stack.
Jun 03 17:50:22 ip-192-168-78-63.us-west-2.compute.internal cfsignal[667621]: 17:50:22 [INFO] System status is: running [0]
Jun 03 17:50:22 ip-192-168-78-63.us-west-2.compute.internal cfsignal[667621]: 17:50:22 [INFO] Connecting to IMDS
Jun 03 17:50:22 ip-192-168-78-63.us-west-2.compute.internal cfsignal[667621]: 17:50:22 [INFO] Received meta-data/instance-id
Jun 03 17:50:22 ip-192-168-78-63.us-west-2.compute.internal cfsignal[667621]: 17:50:22 [INFO] Received dynamic/instance-identity/document
Jun 03 17:50:22 ip-192-168-78-63.us-west-2.compute.internal cfsignal[667621]: 17:50:22 [INFO] Region: "us-west-2" - InstanceID: "i-08176c2a5e21b30ca" - Signal: "SUCCESS"
Jun 03 17:50:22 ip-192-168-78-63.us-west-2.compute.internal cfsignal[667621]: 17:50:22 [ERROR] Error while sending signal: SignalResource request failed: service error
Jun 03 17:50:22 ip-192-168-78-63.us-west-2.compute.internal systemd[1]: cfsignal.service: Deactivated successfully.
bash-5.2#
  • test3: proxcy
    setting bottlerocket with
apiclient set --json '{
  "network": {
    "https-proxy": "http://192.168.61.113:8888",
    "no-proxy": ["169.254.169.254"]
  }
}'

1780613661.245    966 192.168.72.183 TCP_TUNNEL/200 5418 CONNECT 328549459982.dkr.ecr.us-west-2.amazonaws.com:443 - HIER_DIRECT/35.83.11.234 -
1780613661.245   1014 192.168.72.183 TCP_TUNNEL/200 9181 CONNECT api.ecr.us-west-2.amazonaws.com:443 - HIER_DIRECT/34.223.25.158 -
1780613661.253   8536 192.168.72.183 TCP_TUNNEL/200 5418 CONNECT 328549459982.dkr.ecr.us-west-2.amazonaws.com:443 - HIER_DIRECT/35.83.11.234 -
1780613661.253   8591 192.168.72.183 TCP_TUNNEL/200 9180 CONNECT api.ecr.us-west-2.amazonaws.com:443 - HIER_DIRECT/34.223.25.158 -
1780613682.921  19999 192.168.72.183 TCP_TUNNEL/200 4785 CONNECT ec2messages.us-west-2.amazonaws.com:443 - HIER_DIRECT/44.254.14.102 -
1780613703.044  20021 192.168.72.183 TCP_TUNNEL/200 5114 CONNECT ec2messages.us-west-2.amazonaws.com:443 - HIER_DIRECT/44.254.14.102 -
1780613722.970  60073 192.168.72.183 TCP_TUNNEL/200 6480 CONNECT ssm.us-west-2.amazonaws.com:443 - HIER_DIRECT/18.246.120.242 -
1780613723.173  20026 192.168.72.183 TCP_TUNNEL/200 5114 CONNECT ec2messages.us-west-2.amazonaws.com:443 - HIER_DIRECT/44.254.14.102 -
1780613729.325   6050 192.168.72.183 TCP_TUNNEL/200 6100 CONNECT ec2messages.us-west-2.amazonaws.com:443 - HIER_DIRECT/44.254.15.44 -
1780613736.645  60101 192.168.72.183 TCP_TUNNEL/200 8267 CONNECT ssm.us-west-2.amazonaws.com:443 - HIER_DIRECT/18.246.120.242 -
1780613737.949  75030 192.168.72.183 TCP_TUNNEL/200 5739 CONNECT ssmmessages.us-west-2.amazonaws.com:443 - HIER_DIRECT/44.254.14.31 -
1780613766.644  60048 192.168.72.183 TCP_TUNNEL/200 9205 CONNECT api.ecr.us-west-2.amazonaws.com:443 - HIER_DIRECT/34.223.25.158 -
1780613766.674  60074 192.168.72.183 TCP_TUNNEL/200 9205 CONNECT api.ecr.us-west-2.amazonaws.com:443 - HIER_DIRECT/34.223.25.158 -
1780613796.718  90066 192.168.72.183 TCP_TUNNEL/200 5418 CONNECT 328549459982.dkr.ecr.us-west-2.amazonaws.com:443 - HIER_DIRECT/35.83.11.234 -
1780613796.756  90098 192.168.72.183 TCP_TUNNEL/200 5418 CONNECT 328549459982.dkr.ecr.us-west-2.amazonaws.com:443 - HIER_DIRECT/35.83.11.234 -
1780613803.001  75046 192.168.72.183 TCP_TUNNEL/200 5707 CONNECT ssmmessages.us-west-2.amazonaws.com:443 - HIER_DIRECT/44.254.14.191 -

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

sky1122 added 2 commits June 1, 2026 18:54
@sky1122
sources: add bottlerocket-crypto-provider crate
536f2ff 
Add a centralized CryptoProvider crate that provides runtime FIPS
detection and TLS algorithm selection for Bottlerocket Rust binaries.

When the kernel FIPS flag is enabled (/proc/sys/crypto/fips_enabled = 1),
the provider restricts TLS to FIPS-approved algorithms only (AES-GCM
cipher suites, P-256/P-384 key exchange). On non-FIPS systems, the full
algorithm set is available.

Signed-off-by: Jingwei Wang <jweiw@amazon.com>
@sky1122
sources: update rustls version to 0.23.40
714d5ae 
Signed-off-by: Jingwei Wang <jweiw@amazon.com>
@sky1122 sky1122 force-pushed the aws-smithy-http-client branch 3 times, most recently from b9e6362 to d559d7b Compare June 3, 2026 00:02
@sky1122 sky1122 marked this pull request as ready for review June 3, 2026 17:55
@jpculp jpculp self-requested a review June 6, 2026 00:22
jpculp
jpculp requested changes Jun 6, 2026
View reviewed changes

@jpculp jpculp left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like it's on the right track, but don't forget to update the COPYRIGHT both in the commit where you add aws-smithy-http-client and the commit you remove aws-smithy-experimental.

sky1122 added 4 commits June 16, 2026 16:28
@sky1122
sources: add aws-smithy-http-client crate
c0f57ba 
Add a local carry of the aws-smithy-http-client crate from smithy-rs
with support for custom CryptoProvider injection. This enables
Bottlerocket binaries to configure TLS at runtime rather than relying
on compile-time feature flags for FIPS crypto selection.

This replaces aws-smithy-experimental as the HTTP client abstraction
for binaries that need explicit control over TLS configuration.

Signed-off-by: Jingwei Wang <jweiw@amazon.com>
@sky1122
pluto: use aws-smithy-http-client for TLS configuration
6405276 
Replace the deprecated aws-smithy-experimental crate with
aws-smithy-http-client for HTTP client construction in pluto. The new
crate provides explicit TLS provider selection and proxy configuration
through the ConnectorBuilder API.

Signed-off-by: Jingwei Wang <jweiw@amazon.com>
@sky1122
cfsignal: switch to aws-smithy-http-client for HTTP transport
9f3d7a1 
Replace aws-smithy-experimental with aws-smithy-http-client for
CloudFormation signal HTTP client construction. The new crate provides
explicit TLS provider selection and proxy configuration through the
ConnectorBuilder API.

Signed-off-by: Jingwei Wang <jweiw@amazon.com>
@sky1122
sources: remove aws-smithy-experimental crate
cc85b99 
Remove the deprecated aws-smithy-experimental crate from the workspace.
This crate has been superseded by aws-smithy-http-client which provides
the same HTTP client functionality with support for custom CryptoProvider
injection.

No binaries depend on aws-smithy-experimental after the pluto and
cfsignal migrations to aws-smithy-http-client.

Signed-off-by: Jingwei Wang <jweiw@amazon.com>
@sky1122 sky1122 force-pushed the aws-smithy-http-client branch from d559d7b to cc85b99 Compare June 16, 2026 16:30
@sky1122

sky1122 commented Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

forced pushed to change the copy right and I also drop the bloodhound commit from this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jpculp jpculp jpculp requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sky1122 @jpculp