Passing in custom HTTP client for signing Elasticsearch requests

RyanThomas · January 20, 2021, 6:44pm

We’d like to be able to pass in a custom HTTP Client that gets used to sign Elasticsearch requests. Ideally we’d be able to pass it in as an optional parameter to temporal.NewServer() similar to how temporal.WithAuthorizer works.

Currently if you want to sign requests, you can specify values for AWSStaticCredentialProvider in the config, but that doesn’t give us the level of control we need because our AWS server-to-server secrets expire after a few hours.

Basically we want to pass in our own implementation of the client that gets used here:

github.com

temporalio/temporal/blob/1ed8d9bfaca62847e56ec1f3d8d7a3bb1a26cf7b/common/elasticsearch/client_v6.go#L63


		// if the ES instance happens to be down.
		elastic6.SetHealthcheck(false),
		elastic6.SetRetrier(elastic6.NewBackoffRetrier(elastic6.NewExponentialBackoff(128*time.Millisecond, 513*time.Millisecond))),
		// critical to ensure decode of int64 won't lose precision
		elastic6.SetDecoder(&elastic6.NumberDecoder{}),
	}
	if config.AWSRequestSigning.Enabled {
		httpClient, err := newAWSElasticsearchHTTPClient(config.AWSRequestSigning)
		if err != nil {
			return nil, err
		}
		options = append(options, elastic6.SetHttpClient(httpClient))
	}
	client, err := elastic6.NewClient(options...)
	if err != nil {
		return nil, convertV6ErrorToV7(err)
	}

alex · January 26, 2021, 5:55am

Yes, this is definitely possible. I am creating task for it.