From f27cf37ade8120c1a6a7e5ccf2f730d2a40d1d08 Mon Sep 17 00:00:00 2001
From: Sohan Kunkerkar
Date: Tue, 12 Jan 2021 02:46:45 -0500
Subject: [PATCH] Fix AWS probing by using the IMDS token URL
---
 ignition.spec | 8 +-
 ...oviders-aws-probe-the-IMDS-token-URL.patch | 76 +++++++++++++++++++
 2 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 internal-providers-aws-probe-the-IMDS-token-URL.patch
diff --git a/ignition.spec b/ignition.spec
index 8fecad6..ed1c496 100644
--- a/ignition.spec
+++ b/ignition.spec
@@ -61,11 +61,14 @@ Name: ignition
 Version: 2.9.0
-Release: 1.git%{shortcommit}%{?dist}
+Release: 2.git%{shortcommit}%{?dist}
 Summary: First boot installer and configuration tool
 License: ASL 2.0
 URL: https://%{provider_prefix}
 Source0: https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
+# Fix AWS probing by using the IMDS token URL to ensure that networking is up
+# https://github.com/coreos/ignition/pull/1161
+Patch0: internal-providers-aws-probe-the-IMDS-token-URL.patch
 %define gopath %{_datadir}/gocode
 ExcludeArch: ppc64
@@ -606,6 +609,9 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %endif
 %changelog
+* Tue Jan 12 2021 Sohan Kunkerkar - 2.9.0-2.git1d56dc8
+- Fix AWS probing by using the IMDS token URL to ensure that networking is up
+
 * Fri Jan 08 2021 Sohan Kunkerkar - 2.9.0-1.git1d56dc8
 - New release
diff --git a/internal-providers-aws-probe-the-IMDS-token-URL.patch b/internal-providers-aws-probe-the-IMDS-token-URL.patch
new file mode 100644
index 0000000..d989482
--- /dev/null
+++ b/internal-providers-aws-probe-the-IMDS-token-URL.patch
@@ -0,0 +1,76 @@
+From 74ffe3749d70b9d115a9b9790969b8dcb4a76e12 Mon Sep 17 00:00:00 2001
+From: Stephen Lowrie
+Date: Mon, 11 Jan 2021 11:27:12 -0600
+Subject: [PATCH] internal/providers/aws: probe the IMDS token URL
+
+Probing the `/latest` path causes a 401 Unauthorized when running with
+IMDSv2 only. Instead ping the token URL.
+---
+ internal/providers/aws/aws.go | 37 +++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 17 deletions(-)
+
+diff --git a/internal/providers/aws/aws.go b/internal/providers/aws/aws.go
+index 54373dbb..4a6655f0 100644
+--- a/internal/providers/aws/aws.go
++++ b/internal/providers/aws/aws.go
+@@ -40,11 +40,6 @@ var (
+ Host: "169.254.169.254",
+ Path: "2019-10-01/user-data",
+ }
+- metadataServiceProbeURL = url.URL{
+- Scheme: "http",
+- Host: "169.254.169.254",
+- Path: "latest",
+- }
+ imdsTokenURL = url.URL{
+ Scheme: "http",
+ Host: "169.254.169.254",
+@@ -78,17 +73,17 @@ func NewFetcher(l *log.Logger) (resource.Fetcher, error) {
+ // Init prepares the fetcher for this platform
+ func Init(f *resource.Fetcher) error {
+ // During the fetch stage we might be running before the networking
+- // is fully ready. Perform an HTTP fetch against the metadata probe
+- // URL to ensure that networking is up before we attempt to fetch
+- // the region hint from ec2metadata.
++ // is fully ready. Perform an HTTP fetch against the IMDS token URL
++ // to ensure that networking is up before we attempt to fetch the
++ // region hint from ec2metadata.
+ //
+- // NOTE: the FetchToBuffer call against the metadata service probe
+- // URL is a temporary solution to handle waiting for networking
+- // before fetching from the AWS API. We do this instead of an
+- // infinite retry loop on the API call because, without a clear
+- // understanding of the failure cases, that would risk provisioning
+- // failures due to quirks of the ec2metadata API. Additionally a
+- // finite retry loop would have to time out quickly enough to avoid
++ // NOTE: the FetchToBuffer call against the IMDS token URL is a
++ // temporary solution to handle waiting for networking before
++ // fetching from the AWS API. We do this instead of an infinite
++ // retry loop on the API call because, without a clear understanding
++ // of the failure cases, that would risk provisioning failures due
++ // to quirks of the ec2metadata API. Additionally a finite retry
++ // loop would have to time out quickly enough to avoid
+ // extraordinarily long boots on failure (since this code runs in
+ // every stage) but that would risk premature timeouts if the
+ // network takes a while to come up.
+@@ -102,8 +97,16 @@ func Init(f *resource.Fetcher) error {
+ // NOTE: FetchToBuffer is handling the ErrNeedNet case. If we move
+ // to an alternative method, we will need to handle the detection in
+ // this function.
+- _, err := f.FetchToBuffer(metadataServiceProbeURL, resource.FetchOptions{})
+- if err != nil {
++ opts := resource.FetchOptions{
++ Headers: http.Header{
++ "x-aws-ec2-metadata-token-ttl-seconds": []string{"21600"},
++ },
++ HTTPVerb: "PUT",
++ }
++ _, err := f.FetchToBuffer(imdsTokenURL, opts)
++ // ErrNotFound would just mean that the instance might not have
++ // IMDSv2 enabled
++ if err != nil && err != resource.ErrNotFound {
+ return err
+ }
+
+--
+2.29.2
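Review bot: The new guard `if err != nil && err != resource.ErrNotFound {` in the last hunk of the embedded aws.go patch tolerates the 404 case only when FetchToBuffer hands back the sentinel unwrapped; if any layer wraps it with `%w`, a not-found response fails Init instead of being ignored, so `if err != nil && !errors.Is(err, resource.ErrNotFound) {` is the safer comparison (assuming ErrNotFound is a sentinel and `errors` is importable in that file, neither of which this hunk shows). The token minted by the PUT is discarded on the `_, err := f.FetchToBuffer(imdsTokenURL, opts)` line, yet it is requested with the maximum `21600`-second TTL; since the call is purely a reachability probe, a shorter TTL or a comment such as `// the token itself is intentionally unused; this call only waits for networking` would make that intent explicit to the next reader. The body of Init begins in the preceding hunk and continues past this one.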