From 8a0961cf5effd482d499f1c5c9bfcc6b2d76580c Mon Sep 17 00:00:00 2001 From: Ben Taussig Date: Tue, 22 Aug 2023 11:13:21 -0400 Subject: [PATCH 01/21] update API --- .../envoy/extensions/aws/filter.proto.sk.md | 2 + .../gloo/crds/gloo.solo.io_v1_Settings.yaml | 2 + .../envoy/extensions/aws/filter.proto | 2 + .../envoy/extensions/aws/filter.pb.clone.go | 2 + .../envoy/extensions/aws/filter.pb.equal.go | 4 ++ .../envoy/extensions/aws/filter.pb.go | 45 ++++++++++++------- .../envoy/extensions/aws/filter.pb.hash.go | 4 ++ 7 files changed, 44 insertions(+), 17 deletions(-) diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/aws/filter.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/aws/filter.proto.sk.md index 9c83f7125a5..3dacba60e51 100644 --- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/aws/filter.proto.sk.md +++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/aws/filter.proto.sk.md @@ -121,6 +121,7 @@ and therefore must be explicitly specified via the uri "cluster": string "uri": string "timeout": .google.protobuf.Duration +"region": string ``` @@ -129,6 +130,7 @@ and therefore must be explicitly specified via the uri | `cluster` | `string` | The name of the envoy cluster which represents the desired aws sts endpoint. | | `uri` | `string` | The full uri of the aws sts endpoint. | | `timeout` | [.google.protobuf.Duration](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/duration) | timeout for the request. | +| `region` | `string` | Region for the sts endpoint. | diff --git a/install/helm/gloo/crds/gloo.solo.io_v1_Settings.yaml b/install/helm/gloo/crds/gloo.solo.io_v1_Settings.yaml index db3797afb4e..07e4723ebdd 100644 --- a/install/helm/gloo/crds/gloo.solo.io_v1_Settings.yaml 
+++ b/install/helm/gloo/crds/gloo.solo.io_v1_Settings.yaml @@ -564,6 +564,8 @@ spec: properties: cluster: type: string + region: + type: string timeout: type: string uri: diff --git a/projects/gloo/api/external/envoy/extensions/aws/filter.proto b/projects/gloo/api/external/envoy/extensions/aws/filter.proto index 2820075017e..627c0510d0a 100644 --- a/projects/gloo/api/external/envoy/extensions/aws/filter.proto +++ b/projects/gloo/api/external/envoy/extensions/aws/filter.proto @@ -116,6 +116,8 @@ message AWSLambdaConfig { string uri = 2 [ (validate.rules).string.min_bytes = 1 ]; // timeout for the request google.protobuf.Duration timeout = 3; + // Region for the sts endpoint + string region = 4 [ (validate.rules).string.min_bytes = 1 ]; } // Send downstream path and method as `x-envoy-original-path` and diff --git a/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.clone.go b/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.clone.go index c9310309d42..70ed790600d 100644 --- a/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.clone.go +++ b/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.clone.go @@ -169,5 +169,7 @@ func (m *AWSLambdaConfig_ServiceAccountCredentials) Clone() proto.Message { target.Timeout = proto.Clone(m.GetTimeout()).(*github_com_golang_protobuf_ptypes_duration.Duration) } + target.Region = m.GetRegion() + return target } diff --git a/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.equal.go b/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.equal.go index 22cc4b62422..45a0ca3b8b7 100644 --- a/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.equal.go +++ b/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.equal.go @@ -287,5 +287,9 @@ func (m *AWSLambdaConfig_ServiceAccountCredentials) Equal(that interface{}) bool } } + if strings.Compare(m.GetRegion(), target.GetRegion()) != 0 { + return false + } + return true } 
diff --git a/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.go b/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.go index d3e8841dea5..40b56159694 100644 --- a/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.go +++ b/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.go @@ -425,6 +425,8 @@ type AWSLambdaConfig_ServiceAccountCredentials struct { Uri string `protobuf:"bytes,2,opt,name=uri,proto3" json:"uri,omitempty"` // timeout for the request Timeout *duration.Duration `protobuf:"bytes,3,opt,name=timeout,proto3" json:"timeout,omitempty"` + // Region for the sts endpoint + Region string `protobuf:"bytes,4,opt,name=region,proto3" json:"region,omitempty"` } func (x *AWSLambdaConfig_ServiceAccountCredentials) Reset() { @@ -480,6 +482,13 @@ func (x *AWSLambdaConfig_ServiceAccountCredentials) GetTimeout() *duration.Durat return nil } +func (x *AWSLambdaConfig_ServiceAccountCredentials) GetRegion() string { + if x != nil { + return x.Region + } + return "" +} + var File_github_com_solo_io_gloo_projects_gloo_api_external_envoy_extensions_aws_filter_proto protoreflect.FileDescriptor var file_github_com_solo_io_gloo_projects_gloo_api_external_envoy_extensions_aws_filter_proto_rawDesc = []byte{ 
@@ -547,7 +556,7 @@ var file_github_com_solo_io_gloo_projects_gloo_api_external_envoy_extensions_aws 0x6e, 0x12, 0x32, 0x0a, 0x15, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x72, 0x6f, 0x6c, 0x65, 0x5f, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x69, 0x6e, 0x67, 0x18, 0x07, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x6c, 0x65, 0x43, 0x68, 0x61, - 0x69, 0x6e, 0x69, 0x6e, 0x67, 0x22, 0xb8, 0x04, 0x0a, 0x0f, 0x41, 0x57, 0x53, 0x4c, 0x61, 0x6d, + 0x69, 0x6e, 0x69, 0x6e, 0x67, 0x22, 0xd9, 0x04, 0x0a, 0x0f, 0x41, 0x57, 0x53, 0x4c, 0x61, 0x6d, 0x62, 0x64, 0x61, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x54, 0x0a, 0x17, 0x75, 0x73, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, @@ -572,7 +581,7 @@ var file_github_com_solo_io_gloo_projects_gloo_api_external_envoy_extensions_aws 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x16, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x52, 0x65, 0x66, 0x72, - 0x65, 0x73, 0x68, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x1a, 0x8e, 0x01, 0x0a, 0x19, 0x53, 0x65, 0x72, + 0x65, 0x73, 0x68, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x1a, 0xaf, 0x01, 0x0a, 0x19, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x12, 0x21, 0x0a, 0x07, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x20, 0x01, 
@@ -581,21 +590,23 @@ var file_github_com_solo_io_gloo_projects_gloo_api_external_envoy_extensions_aws 0x03, 0x75, 0x72, 0x69, 0x12, 0x33, 0x0a, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x52, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x42, 0x15, 0x0a, 0x13, 0x63, 0x72, 0x65, - 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x5f, 0x66, 0x65, 0x74, 0x63, 0x68, 0x65, 0x72, - 0x22, 0x1a, 0x0a, 0x18, 0x41, 0x70, 0x69, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x54, 0x72, - 0x61, 0x6e, 0x73, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0xa1, 0x01, 0xb8, - 0xf5, 0x04, 0x01, 0xc0, 0xf5, 0x04, 0x01, 0xd0, 0xf5, 0x04, 0x01, 0x0a, 0x34, 0x69, 0x6f, 0x2e, - 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, - 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, - 0x74, 0x74, 0x70, 0x2e, 0x61, 0x77, 0x73, 0x5f, 0x6c, 0x61, 0x6d, 0x62, 0x64, 0x61, 0x2e, 0x76, - 0x32, 0x42, 0x0e, 0x41, 0x77, 0x73, 0x4c, 0x61, 0x6d, 0x62, 0x64, 0x61, 0x50, 0x72, 0x6f, 0x74, - 0x6f, 0x50, 0x01, 0x5a, 0x4b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, - 0x73, 0x6f, 0x6c, 0x6f, 0x2d, 0x69, 0x6f, 0x2f, 0x67, 0x6c, 0x6f, 0x6f, 0x2f, 0x70, 0x72, 0x6f, - 0x6a, 0x65, 0x63, 0x74, 0x73, 0x2f, 0x67, 0x6c, 0x6f, 0x6f, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x61, - 0x70, 0x69, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x65, 0x6e, 0x76, 0x6f, - 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x61, 0x77, 0x73, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x52, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x12, 0x1f, 0x0a, 0x06, 0x72, 0x65, 0x67, + 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 
0x72, 0x02, + 0x20, 0x01, 0x52, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x42, 0x15, 0x0a, 0x13, 0x63, 0x72, + 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x5f, 0x66, 0x65, 0x74, 0x63, 0x68, 0x65, + 0x72, 0x22, 0x1a, 0x0a, 0x18, 0x41, 0x70, 0x69, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x54, + 0x72, 0x61, 0x6e, 0x73, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0xa1, 0x01, + 0xb8, 0xf5, 0x04, 0x01, 0xc0, 0xf5, 0x04, 0x01, 0xd0, 0xf5, 0x04, 0x01, 0x0a, 0x34, 0x69, 0x6f, + 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, + 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, + 0x68, 0x74, 0x74, 0x70, 0x2e, 0x61, 0x77, 0x73, 0x5f, 0x6c, 0x61, 0x6d, 0x62, 0x64, 0x61, 0x2e, + 0x76, 0x32, 0x42, 0x0e, 0x41, 0x77, 0x73, 0x4c, 0x61, 0x6d, 0x62, 0x64, 0x61, 0x50, 0x72, 0x6f, + 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x4b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, + 0x2f, 0x73, 0x6f, 0x6c, 0x6f, 0x2d, 0x69, 0x6f, 0x2f, 0x67, 0x6c, 0x6f, 0x6f, 0x2f, 0x70, 0x72, + 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x2f, 0x67, 0x6c, 0x6f, 0x6f, 0x2f, 0x70, 0x6b, 0x67, 0x2f, + 0x61, 0x70, 0x69, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x65, 0x6e, 0x76, + 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x61, 0x77, + 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.hash.go b/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.hash.go index 3fdf7afccac..acab5157c6c 100644 --- a/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.hash.go +++ b/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.hash.go 
@@ -310,5 +310,9 @@ func (m *AWSLambdaConfig_ServiceAccountCredentials) Hash(hasher hash.Hash64) (ui } } + if _, err = hasher.Write([]byte(m.GetRegion())); err != nil { + return 0, err + } + return hasher.Sum64(), nil } From 5d6e4d1fbfcd4f5298ad285ca88e194903c1aa03 Mon Sep 17 00:00:00 2001 From: Ben Taussig Date: Tue, 22 Aug 2023 11:13:57 -0400 Subject: [PATCH 02/21] explicitly set region in serviceAccountCredentials --- install/helm/gloo/templates/18-settings.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install/helm/gloo/templates/18-settings.yaml b/install/helm/gloo/templates/18-settings.yaml index af6447e0b21..3fb2be037e2 100644 --- a/install/helm/gloo/templates/18-settings.yaml +++ b/install/helm/gloo/templates/18-settings.yaml @@ -48,8 +48,10 @@ spec: cluster: aws_sts_cluster {{- if not .Values.settings.aws.stsCredentialsRegion }} uri: sts.amazonaws.com + region: us-east-1 {{- else }} uri: sts.{{ .Values.settings.aws.stsCredentialsRegion }}.amazonaws.com + region: {{ .Values.settings.aws.stsCredentialsRegion }} {{- end }} {{- else if .Values.settings.aws.enableCredentialsDiscovery }} enableCredentialsDiscovey: true From 621afc3f264b396bfad2a9acdeb7751d10b97410 Mon Sep 17 00:00:00 2001 From: Ben Taussig Date: Tue, 22 Aug 2023 11:15:38 -0400 Subject: [PATCH 03/21] add changelog entry --- changelog/v1.16.0-beta4/handle-sts-credentials-region.yaml | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 changelog/v1.16.0-beta4/handle-sts-credentials-region.yaml diff --git a/changelog/v1.16.0-beta4/handle-sts-credentials-region.yaml b/changelog/v1.16.0-beta4/handle-sts-credentials-region.yaml new file mode 100644 index 00000000000..936cb88e2b8 --- /dev/null +++ b/changelog/v1.16.0-beta4/handle-sts-credentials-region.yaml 
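Review bot: In the `else` branch of the 18-settings.yaml hunk, `.Values.settings.aws.stsCredentialsRegion` is rendered unquoted and unvalidated into the new `region:` field, and the same value already forms the host in `uri: sts.{{ ... }}.amazonaws.com`. That host is presumably where the service-account token is exchanged, so a typo or unexpected value changes the endpoint silently, or yields a Settings object that fails only at runtime. Consider failing the render on anything that is not region-shaped, e.g. `{{- if not (regexMatch "^[a-z0-9-]+$" .Values.settings.aws.stsCredentialsRegion) }}{{ fail "settings.aws.stsCredentialsRegion must be an AWS region name" }}{{- end }}`, and emitting `region: {{ .Values.settings.aws.stsCredentialsRegion | quote }}`. The surrounding template block starts and ends outside the hunk.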
@@ -0,0 +1,6 @@ +changelog: +- type: FIX + issueLink: https://github.com/solo-io/gloo/issues/8578 + resolvesIssue: false + description: > + Support role chaining using EKS ServiceAccounts outside of us-east-1 \ No newline at end of file From c32379a1ae4efd65eb834c350ec9aced53641253 Mon Sep 17 00:00:00 2001 From: Ben Taussig Date: Tue, 22 Aug 2023 11:22:54 -0400 Subject: [PATCH 04/21] relocate changelog entry to proper release --- .../handle-sts-credentials-region.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename changelog/{v1.16.0-beta4 => v1.16.0-beta5}/handle-sts-credentials-region.yaml (100%) diff --git a/changelog/v1.16.0-beta4/handle-sts-credentials-region.yaml b/changelog/v1.16.0-beta5/handle-sts-credentials-region.yaml similarity index 100% rename from changelog/v1.16.0-beta4/handle-sts-credentials-region.yaml rename to changelog/v1.16.0-beta5/handle-sts-credentials-region.yaml From 8d632a5cdcf3e0bcc238efeb5989e57b6f6dbc94 Mon Sep 17 00:00:00 2001 From: Ben Taussig Date: Tue, 22 Aug 2023 11:39:51 -0400 Subject: [PATCH 05/21] update test fixture in helm tests --- install/test/fixtures/settings/sts_discovery.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/install/test/fixtures/settings/sts_discovery.yaml b/install/test/fixtures/settings/sts_discovery.yaml index 0a689745ba8..c11cfecf42f 100644 --- a/install/test/fixtures/settings/sts_discovery.yaml +++ b/install/test/fixtures/settings/sts_discovery.yaml @@ -37,6 +37,7 @@ spec: serviceAccountCredentials: cluster: aws_sts_cluster uri: sts.us-east-2.amazonaws.com + region: us-east-2 propagateOriginalRouting: true kubernetesArtifactSource: {} kubernetesConfigSource: {} From 89db23655072aaa4c6c6b4f7ceb2200f20367c11 Mon Sep 17 00:00:00 2001 
From: changelog-bot
Date: Tue, 29 Aug 2023 19:26:30 +0000
Subject: [PATCH 06/21] Adding changelog file to new location
---
changelog/v1.16.0-beta6/handle-sts-credentials-region.yaml | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 changelog/v1.16.0-beta6/handle-sts-credentials-region.yaml
diff --git a/changelog/v1.16.0-beta6/handle-sts-credentials-region.yaml b/changelog/v1.16.0-beta6/handle-sts-credentials-region.yaml
new file mode 100644
index 00000000000..936cb88e2b8
--- /dev/null
+++ b/changelog/v1.16.0-beta6/handle-sts-credentials-region.yaml
@@ -0,0 +1,6 @@
+changelog:
+- type: FIX
+ issueLink: https://github.com/solo-io/gloo/issues/8578
+ resolvesIssue: false
+ description: >
+ Support role chaining using EKS ServiceAccounts outside of us-east-1
\ No newline at end of file
From 49b3f1b60fe98e1e8108c6131e55f15ce74b8086 Mon Sep 17 00:00:00 2001
From: changelog-bot
Date: Tue, 29 Aug 2023 19:26:30 +0000
Subject: [PATCH 07/21] Deleting changelog file from old location
---
changelog/v1.16.0-beta5/handle-sts-credentials-region.yaml | 6 ------
1 file changed, 6 deletions(-)
delete mode 100644 changelog/v1.16.0-beta5/handle-sts-credentials-region.yaml
diff --git a/changelog/v1.16.0-beta5/handle-sts-credentials-region.yaml b/changelog/v1.16.0-beta5/handle-sts-credentials-region.yaml
deleted file mode 100644
index 936cb88e2b8..00000000000
--- a/changelog/v1.16.0-beta5/handle-sts-credentials-region.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-changelog:
-- type: FIX
- issueLink: https://github.com/solo-io/gloo/issues/8578
- resolvesIssue: false
- description: >
- Support role chaining using EKS ServiceAccounts outside of us-east-1
\ No newline at end of file
From 72248c41558b488e9b6fe37a96aca8b825eac76e Mon Sep 17 00:00:00 2001
From: changelog-bot
Date: Fri, 1 Sep 2023 12:21:24 +0000
Subject: [PATCH 08/21] Adding changelog file to new location
---
changelog/v1.16.0-beta7/handle-sts-credentials-region.yaml | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 changelog/v1.16.0-beta7/handle-sts-credentials-region.yaml
diff --git a/changelog/v1.16.0-beta7/handle-sts-credentials-region.yaml b/changelog/v1.16.0-beta7/handle-sts-credentials-region.yaml
new file mode 100644
index 00000000000..936cb88e2b8
--- /dev/null
+++ b/changelog/v1.16.0-beta7/handle-sts-credentials-region.yaml
@@ -0,0 +1,6 @@
+changelog:
+- type: FIX
+ issueLink: https://github.com/solo-io/gloo/issues/8578
+ resolvesIssue: false
+ description: >
+ Support role chaining using EKS ServiceAccounts outside of us-east-1
\ No newline at end of file
From 8e774631cd49481b2e88e5c46626c7c087df1254 Mon Sep 17 00:00:00 2001
From: changelog-bot
Date: Fri, 1 Sep 2023 12:21:24 +0000
Subject: [PATCH 09/21] Deleting changelog file from old location
---
changelog/v1.16.0-beta6/handle-sts-credentials-region.yaml | 6 ------
1 file changed, 6 deletions(-)
delete mode 100644 changelog/v1.16.0-beta6/handle-sts-credentials-region.yaml
diff --git a/changelog/v1.16.0-beta6/handle-sts-credentials-region.yaml b/changelog/v1.16.0-beta6/handle-sts-credentials-region.yaml
deleted file mode 100644
index 936cb88e2b8..00000000000
--- a/changelog/v1.16.0-beta6/handle-sts-credentials-region.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-changelog:
-- type: FIX
- issueLink: https://github.com/solo-io/gloo/issues/8578
- resolvesIssue: false
- description: >
- Support role chaining using EKS ServiceAccounts outside of us-east-1
\ No newline at end of file
From 646c7fc1d4e6454692bc48da1f57499a33eb443a Mon Sep 17 00:00:00 2001
From: Ben Taussig
Date: Wed, 6 Sep 2023 09:49:58 -0400
Subject: [PATCH 10/21] add STS tests
---
test/e2e/aws_test.go | 77 ++++++++++++++++++++++++++++++--------------
1 file changed, 52 insertions(+), 25 deletions(-)
diff --git a/test/e2e/aws_test.go b/test/e2e/aws_test.go index ad0989e8c98..4dd6f87f3bf 100644 --- a/test/e2e/aws_test.go +++ b/test/e2e/aws_test.go @@ -50,7 +50,8 @@ import ( var _ = Describe("AWS Lambda", func() { const ( - region = "us-east-1" + defaultRegion = "us-east-1" + secondaryRegion = "us-east-2" webIdentityTokenFile = "AWS_WEB_IDENTITY_TOKEN_FILE" jwtPrivateKey = "JWT_PRIVATE_KEY" awsRoleArn = "AWS_ROLE_ARN" @@ -160,11 +161,11 @@ var _ = Describe("AWS Lambda", func() { upstream = &gloov1.Upstream{ Metadata: &core.Metadata{ Namespace: "default", - Name: region, + Name: defaultRegion, }, UpstreamType: &gloov1.Upstream_Aws{ Aws: &aws_plugin.UpstreamSpec{ - Region: region, + Region: defaultRegion, SecretRef: secret.Metadata.Ref(), }, }, @@ -199,7 +200,7 @@ var _ = Describe("AWS Lambda", func() { }, UpstreamType: &gloov1.Upstream_Aws{ Aws: &aws_plugin.UpstreamSpec{ - Region: region, + Region: defaultRegion, SecretRef: secret.Metadata.Ref(), // this is a separate account ID from the one that all other lambda // functions tested in this file are in @@ -544,7 +545,7 @@ var _ = Describe("AWS Lambda", func() { secret = &gloov1.Secret{ Metadata: &core.Metadata{ Namespace: "default", - Name: region, + Name: defaultRegion, }, Kind: &gloov1.Secret_Aws{ Aws: &gloov1.AwsSecret{ @@ -599,7 +600,7 @@ var _ = Describe("AWS Lambda", func() { addCredentials := func() { localAwsCredentials := credentials.NewSharedCredentials("", "") - sess, err := session.NewSession(&aws.Config{Region: aws.String(region), Credentials: localAwsCredentials}) + sess, err := session.NewSession(&aws.Config{Region: aws.String(defaultRegion), Credentials: localAwsCredentials}) if err != nil { Fail("no AWS creds available") } @@ -611,7 +612,7 @@ var _ = Describe("AWS Lambda", func() { secret = &gloov1.Secret{ Metadata: &core.Metadata{ Namespace: "default", - Name: region, + Name: defaultRegion, }, Kind: &gloov1.Secret_Aws{ Aws: &gloov1.AwsSecret{ 
@@ -707,7 +708,7 @@ var _ = Describe("AWS Lambda", func() { } } - addUpstreamSts := func() { + addUpstreamSts := func(region string) { upstream = &gloov1.Upstream{ Metadata: &core.Metadata{ Namespace: "default", @@ -741,11 +742,19 @@ var _ = Describe("AWS Lambda", func() { })) } - setupEnvoySts := func(justGloo bool) { + setupEnvoySts := func(justGloo bool, region string) { ctx, cancel = context.WithCancel(context.Background()) envoyInstance = envoyFactory.NewInstance() + var uri string + if region == "" { + region = defaultRegion + uri = "sts.amazonaws.com" + } else { + uri = fmt.Sprintf("sts.%s.amazonaws.com", region) + } + ns := defaults.GlooSystem ro := &services.RunOptions{ NsToWrite: ns, @@ -759,7 +768,8 @@ var _ = Describe("AWS Lambda", func() { CredentialsFetcher: &gloov1.GlooOptions_AWSOptions_ServiceAccountCredentials{ ServiceAccountCredentials: &aws2.AWSLambdaConfig_ServiceAccountCredentials{ Cluster: "aws_sts_cluster", - Uri: "sts.amazonaws.com", + Uri: uri, + Region: region, }, }, }, 
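Review bot: The `region == ""` branch added to `setupEnvoySts` is not reached by any call site in this patch. The hunk at -783 passes `defaultRegion` or `secondaryRegion` everywhere, so the primary-region specs now use `sts.us-east-1.amazonaws.com` and the global `sts.amazonaws.com` endpoint that the suite exercised before (the removed `Uri: "sts.amazonaws.com"` line) is no longer covered. That global URI paired with `region: us-east-1` is what the Helm template in PATCH 02 renders by default, so it deserves a spec of its own, e.g. a context whose `BeforeEach` calls `setupEnvoySts(true, "")` followed by `addUpstreamSts(defaultRegion)`. Both closures begin and end outside the hunks shown.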
@@ -783,29 +793,46 @@ var _ = Describe("AWS Lambda", func() { os.Unsetenv(webIdentityTokenFile) }) Context("No gateway translation ", func() { - BeforeEach(func() { - setupEnvoySts(true) - addCredentialsSts() - addUpstreamSts() + Context("primary region", func() { + BeforeEach(func() { + setupEnvoySts(true, defaultRegion) + addCredentialsSts() + addUpstreamSts(defaultRegion) + }) + /* + * these tests can start failing if certs get rotated underneath us. + * the fix is to update the rotated thumbprint on our fake AWS OIDC per + * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html + */ + It("should be able to call lambda", testProxy) + + It("should be able to call lambda with response transform", testProxyWithResponseTransform) + + It("should be able to call lambda with request transform", testProxyWithRequestTransform) + + It("should be able to call lambda with request and response transforms", testProxyWithRequestAndResponseTransforms) }) - /* - * these tests can start failing if certs get rotated underneath us. 
- * the fix is to update the rotated thumbprint on our fake AWS OIDC per - * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html - */ - It("should be able to call lambda", testProxy) + Context("secondary region", func() { + BeforeEach(func() { + setupEnvoySts(true, secondaryRegion) + addCredentialsSts() + addUpstreamSts(secondaryRegion) + }) - It("should be able to call lambda with response transform", testProxyWithResponseTransform) + It("should be able to call lambda", testProxy) - It("should be able to call lambda with request transform", testProxyWithRequestTransform) + It("should be able to call lambda with response transform", testProxyWithResponseTransform) - It("should be able to call lambda with request and response transforms", testProxyWithRequestAndResponseTransforms) + It("should be able to call lambda with request transform", testProxyWithRequestTransform) + + It("should be able to call lambda with request and response transforms", testProxyWithRequestAndResponseTransforms) + }) }) Context("With gateway translation", func() { BeforeEach(func() { - setupEnvoySts(false) + setupEnvoySts(false, defaultRegion) addCredentialsSts() - addUpstreamSts() + addUpstreamSts(defaultRegion) }) It("should be able to call lambda via gateway", testLambdaWithVirtualService) From 0c76c8f03717f956c8a836ea6e17781c96768430 Mon Sep 17 00:00:00 2001 From: changelog-bot Date: Wed, 6 Sep 2023 17:14:58 +0000 Subject: [PATCH 11/21] Adding changelog file to new location --- changelog/v1.16.0-beta8/handle-sts-credentials-region.yaml | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 changelog/v1.16.0-beta8/handle-sts-credentials-region.yaml diff --git a/changelog/v1.16.0-beta8/handle-sts-credentials-region.yaml b/changelog/v1.16.0-beta8/handle-sts-credentials-region.yaml new file mode 100644 index 00000000000..936cb88e2b8 --- /dev/null +++ b/changelog/v1.16.0-beta8/handle-sts-credentials-region.yaml 
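Review bot: The "primary region" and "secondary region" contexts repeat the same four `It` registrations, and the note about rotated OIDC thumbprints now sits only inside the primary context although it presumably applies to both. Registering the specs from one loop, `for _, r := range []string{defaultRegion, secondaryRegion} {` with `r := r` before the `Context(...)` call, keeps the two regions from drifting apart, and the comment can move above the loop. "With gateway translation" still runs only against `defaultRegion`; a one-line comment saying that this is intentional would help if it is.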
@@ -0,0 +1,6 @@
+changelog:
+- type: FIX
+ issueLink: https://github.com/solo-io/gloo/issues/8578
+ resolvesIssue: false
+ description: >
+ Support role chaining using EKS ServiceAccounts outside of us-east-1
\ No newline at end of file
From 9ccd10d6923d81059124604f13e94ba51927821d Mon Sep 17 00:00:00 2001
From: changelog-bot
Date: Wed, 6 Sep 2023 17:14:58 +0000
Subject: [PATCH 12/21] Deleting changelog file from old location
---
changelog/v1.16.0-beta7/handle-sts-credentials-region.yaml | 6 ------
1 file changed, 6 deletions(-)
delete mode 100644 changelog/v1.16.0-beta7/handle-sts-credentials-region.yaml
diff --git a/changelog/v1.16.0-beta7/handle-sts-credentials-region.yaml b/changelog/v1.16.0-beta7/handle-sts-credentials-region.yaml
deleted file mode 100644
index 936cb88e2b8..00000000000
--- a/changelog/v1.16.0-beta7/handle-sts-credentials-region.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-changelog:
-- type: FIX
- issueLink: https://github.com/solo-io/gloo/issues/8578
- resolvesIssue: false
- description: >
- Support role chaining using EKS ServiceAccounts outside of us-east-1
\ No newline at end of file
From f94a42fee8a1450b7e5807b14953733c2edb92bd Mon Sep 17 00:00:00 2001
From: changelog-bot
Date: Thu, 7 Sep 2023 20:11:49 +0000
Subject: [PATCH 13/21] Adding changelog file to new location
---
changelog/v1.16.0-beta9/handle-sts-credentials-region.yaml | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 changelog/v1.16.0-beta9/handle-sts-credentials-region.yaml
diff --git a/changelog/v1.16.0-beta9/handle-sts-credentials-region.yaml b/changelog/v1.16.0-beta9/handle-sts-credentials-region.yaml
new file mode 100644
index 00000000000..936cb88e2b8
--- /dev/null
+++ b/changelog/v1.16.0-beta9/handle-sts-credentials-region.yaml
@@ -0,0 +1,6 @@
+changelog:
+- type: FIX
+ issueLink: https://github.com/solo-io/gloo/issues/8578
+ resolvesIssue: false
+ description: >
+ Support role chaining using EKS ServiceAccounts outside of us-east-1
\ No newline at end of file
From 4a238bec9db6cd8a9d5166a671d14f71a9d1d152 Mon Sep 17 00:00:00 2001
From: changelog-bot
Date: Thu, 7 Sep 2023 20:11:50 +0000
Subject: [PATCH 14/21] Deleting changelog file from old location
---
changelog/v1.16.0-beta8/handle-sts-credentials-region.yaml | 6 ------
1 file changed, 6 deletions(-)
delete mode 100644 changelog/v1.16.0-beta8/handle-sts-credentials-region.yaml
diff --git a/changelog/v1.16.0-beta8/handle-sts-credentials-region.yaml b/changelog/v1.16.0-beta8/handle-sts-credentials-region.yaml
deleted file mode 100644
index 936cb88e2b8..00000000000
--- a/changelog/v1.16.0-beta8/handle-sts-credentials-region.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-changelog:
-- type: FIX
- issueLink: https://github.com/solo-io/gloo/issues/8578
- resolvesIssue: false
- description: >
- Support role chaining using EKS ServiceAccounts outside of us-east-1
\ No newline at end of file
From 5a54772a3fb929cda3f6c09d6e8fa1607111ea39 Mon Sep 17 00:00:00 2001
From: changelog-bot
Date: Mon, 11 Sep 2023 12:32:08 +0000
Subject: [PATCH 15/21] Adding changelog file to new location
---
changelog/v1.16.0-beta10/handle-sts-credentials-region.yaml | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 changelog/v1.16.0-beta10/handle-sts-credentials-region.yaml
diff --git a/changelog/v1.16.0-beta10/handle-sts-credentials-region.yaml b/changelog/v1.16.0-beta10/handle-sts-credentials-region.yaml
new file mode 100644
index 00000000000..936cb88e2b8
--- /dev/null
+++ b/changelog/v1.16.0-beta10/handle-sts-credentials-region.yaml
@@ -0,0 +1,6 @@
+changelog:
+- type: FIX
+ issueLink: https://github.com/solo-io/gloo/issues/8578
+ resolvesIssue: false
+ description: >
+ Support role chaining using EKS ServiceAccounts outside of us-east-1
\ No newline at end of file
From ce9e7ce341cef35d0161fc52e6d70614691aa984 Mon Sep 17 00:00:00 2001
From: changelog-bot
Date: Mon, 11 Sep 2023 12:32:08 +0000
Subject: [PATCH 16/21] Deleting changelog file from old location
---
changelog/v1.16.0-beta9/handle-sts-credentials-region.yaml | 6 ------
1 file changed, 6 deletions(-)
delete mode 100644 changelog/v1.16.0-beta9/handle-sts-credentials-region.yaml
diff --git a/changelog/v1.16.0-beta9/handle-sts-credentials-region.yaml b/changelog/v1.16.0-beta9/handle-sts-credentials-region.yaml
deleted file mode 100644
index 936cb88e2b8..00000000000
--- a/changelog/v1.16.0-beta9/handle-sts-credentials-region.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-changelog:
-- type: FIX
- issueLink: https://github.com/solo-io/gloo/issues/8578
- resolvesIssue: false
- description: >
- Support role chaining using EKS ServiceAccounts outside of us-east-1
\ No newline at end of file
From f52cad4dbb7cab17b8ceb43ae8be89fe3c047269 Mon Sep 17 00:00:00 2001
From: Ben Taussig
Date: Tue, 12 Sep 2023 09:17:34 -0400
Subject: [PATCH 17/21] make region not required
---
.../envoy/extensions/aws/filter.proto.sk.md | 2 +-
.../envoy/extensions/aws/filter.proto | 4 +-
.../envoy/extensions/aws/filter.pb.go | 39 +++++++++----------
3 files changed, 22 insertions(+), 23 deletions(-)
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/aws/filter.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/aws/filter.proto.sk.md
index 3dacba60e51..c00d3e51b2b 100644
--- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/aws/filter.proto.sk.md
+++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/external/envoy/extensions/aws/filter.proto.sk.md
@@ -130,7 +130,7 @@ and therefore must be explicitly specified via the uri | `cluster` | `string` | The name of the envoy cluster which represents the desired aws sts endpoint. | | `uri` | `string` | The full uri of the aws sts endpoint. | | `timeout` | [.google.protobuf.Duration](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/duration) | timeout for the request. | -| `region` | `string` | Region for the sts endpoint. | +| `region` | `string` | Region for the sts endpoint. Defaults to us-east-1. | diff --git a/projects/gloo/api/external/envoy/extensions/aws/filter.proto b/projects/gloo/api/external/envoy/extensions/aws/filter.proto index 627c0510d0a..0a3904e7c4c 100644 --- a/projects/gloo/api/external/envoy/extensions/aws/filter.proto +++ b/projects/gloo/api/external/envoy/extensions/aws/filter.proto @@ -116,8 +116,8 @@ message AWSLambdaConfig { string uri = 2 [ (validate.rules).string.min_bytes = 1 ]; // timeout for the request google.protobuf.Duration timeout = 3; - // Region for the sts endpoint - string region = 4 [ (validate.rules).string.min_bytes = 1 ]; + // Region for the sts endpoint. Defaults to us-east-1 + string region = 4; } // Send downstream path and method as `x-envoy-original-path` and diff --git a/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.go b/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.go index 40b56159694..d063c3bb7a1 100644 --- a/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.go +++ b/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.go 
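Review bot: The new comment on `region` in filter.proto says it defaults to us-east-1, but nothing in this series shows where an empty value is replaced (the generated `GetRegion` returns `""`), and with the `min_bytes` rule removed nothing ties `region` to the regional host in `uri`. A mismatched pair, for example a regional `uri` with `region` left empty, would presumably surface only as a failed STS call at runtime. Suggest stating the contract on the field, e.g. `// Region of the sts endpoint named in uri; the two must agree. Empty means us-east-1.`, and naming the component that applies the default.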
@@ -425,7 +425,7 @@ type AWSLambdaConfig_ServiceAccountCredentials struct { Uri string `protobuf:"bytes,2,opt,name=uri,proto3" json:"uri,omitempty"` // timeout for the request Timeout *duration.Duration `protobuf:"bytes,3,opt,name=timeout,proto3" json:"timeout,omitempty"` - // Region for the sts endpoint + // Region for the sts endpoint. Defaults to us-east-1 Region string `protobuf:"bytes,4,opt,name=region,proto3" json:"region,omitempty"` } @@ -556,7 +556,7 @@ var file_github_com_solo_io_gloo_projects_gloo_api_external_envoy_extensions_aws 0x6e, 0x12, 0x32, 0x0a, 0x15, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x72, 0x6f, 0x6c, 0x65, 0x5f, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x69, 0x6e, 0x67, 0x18, 0x07, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x6c, 0x65, 0x43, 0x68, 0x61, - 0x69, 0x6e, 0x69, 0x6e, 0x67, 0x22, 0xd9, 0x04, 0x0a, 0x0f, 0x41, 0x57, 0x53, 0x4c, 0x61, 0x6d, + 0x69, 0x6e, 0x69, 0x6e, 0x67, 0x22, 0xd0, 0x04, 0x0a, 0x0f, 0x41, 0x57, 0x53, 0x4c, 0x61, 0x6d, 0x62, 0x64, 0x61, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x54, 0x0a, 0x17, 0x75, 0x73, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 
@@ -581,7 +581,7 @@ var file_github_com_solo_io_gloo_projects_gloo_api_external_envoy_extensions_aws 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x16, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x52, 0x65, 0x66, 0x72, - 0x65, 0x73, 0x68, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x1a, 0xaf, 0x01, 0x0a, 0x19, 0x53, 0x65, 0x72, + 0x65, 0x73, 0x68, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x1a, 0xa6, 0x01, 0x0a, 0x19, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x43, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x12, 0x21, 0x0a, 0x07, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x20, 0x01, 
@@ -590,23 +590,22 @@ var file_github_com_solo_io_gloo_projects_gloo_api_external_envoy_extensions_aws 0x03, 0x75, 0x72, 0x69, 0x12, 0x33, 0x0a, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x52, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x12, 0x1f, 0x0a, 0x06, 0x72, 0x65, 0x67, - 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, - 0x20, 0x01, 0x52, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x42, 0x15, 0x0a, 0x13, 0x63, 0x72, - 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, 0x5f, 0x66, 0x65, 0x74, 0x63, 0x68, 0x65, - 0x72, 0x22, 0x1a, 0x0a, 0x18, 0x41, 0x70, 0x69, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x54, - 0x72, 0x61, 0x6e, 0x73, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0xa1, 0x01, - 0xb8, 0xf5, 0x04, 0x01, 0xc0, 0xf5, 0x04, 0x01, 0xd0, 0xf5, 0x04, 0x01, 0x0a, 0x34, 0x69, 0x6f, - 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, - 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, - 0x68, 0x74, 0x74, 0x70, 0x2e, 0x61, 0x77, 0x73, 0x5f, 0x6c, 0x61, 0x6d, 0x62, 0x64, 0x61, 0x2e, - 0x76, 0x32, 0x42, 0x0e, 0x41, 0x77, 0x73, 0x4c, 0x61, 0x6d, 0x62, 0x64, 0x61, 0x50, 0x72, 0x6f, - 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x4b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x73, 0x6f, 0x6c, 0x6f, 0x2d, 0x69, 0x6f, 0x2f, 0x67, 0x6c, 0x6f, 0x6f, 0x2f, 0x70, 0x72, - 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x2f, 0x67, 0x6c, 0x6f, 0x6f, 0x2f, 0x70, 0x6b, 0x67, 0x2f, - 0x61, 0x70, 0x69, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x65, 0x6e, 0x76, - 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x61, 0x77, - 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 
0x74, 0x6f, 0x33, + 0x52, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x67, + 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, + 0x6e, 0x42, 0x15, 0x0a, 0x13, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x73, + 0x5f, 0x66, 0x65, 0x74, 0x63, 0x68, 0x65, 0x72, 0x22, 0x1a, 0x0a, 0x18, 0x41, 0x70, 0x69, 0x47, + 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x66, 0x6f, 0x72, 0x6d, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x42, 0xa1, 0x01, 0xb8, 0xf5, 0x04, 0x01, 0xc0, 0xf5, 0x04, 0x01, 0xd0, + 0xf5, 0x04, 0x01, 0x0a, 0x34, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, + 0x78, 0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, + 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x61, 0x77, 0x73, 0x5f, + 0x6c, 0x61, 0x6d, 0x62, 0x64, 0x61, 0x2e, 0x76, 0x32, 0x42, 0x0e, 0x41, 0x77, 0x73, 0x4c, 0x61, + 0x6d, 0x62, 0x64, 0x61, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x4b, 0x67, 0x69, 0x74, + 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x6f, 0x6c, 0x6f, 0x2d, 0x69, 0x6f, 0x2f, + 0x67, 0x6c, 0x6f, 0x6f, 0x2f, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x2f, 0x67, 0x6c, + 0x6f, 0x6f, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x72, + 0x6e, 0x61, 0x6c, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, + 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x61, 0x77, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( From b3ea57b80ed0f7b2040d0399d583697b6e913b96 Mon Sep 17 00:00:00 2001 From: Ben Taussig Date: Tue, 12 Sep 2023 09:20:00 -0400 Subject: [PATCH 18/21] add e2e tests against default region --- test/e2e/aws_test.go | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/test/e2e/aws_test.go b/test/e2e/aws_test.go index 4dd6f87f3bf..0add44ef7c5 100644 --- a/test/e2e/aws_test.go 
+++ b/test/e2e/aws_test.go @@ -827,6 +827,21 @@ var _ = Describe("AWS Lambda", func() { It("should be able to call lambda with request and response transforms", testProxyWithRequestAndResponseTransforms) }) + Context("default region", func() { + BeforeEach(func() { + setupEnvoySts(true, "") + addCredentialsSts() + addUpstreamSts(defaultRegion) + }) + + It("should be able to call lambda", testProxy) + + It("should be able to call lambda with response transform", testProxyWithResponseTransform) + + It("should be able to call lambda with request transform", testProxyWithRequestTransform) + + It("should be able to call lambda with request and response transforms", testProxyWithRequestAndResponseTransforms) + } }) Context("With gateway translation", func() { BeforeEach(func() { From e853181a85af1352e304a5364e5bc35fb5aba97f Mon Sep 17 00:00:00 2001 From: Ben Taussig Date: Tue, 12 Sep 2023 09:38:50 -0400 Subject: [PATCH 19/21] correct typo in aws e2e tests --- test/e2e/aws_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/e2e/aws_test.go b/test/e2e/aws_test.go index 0add44ef7c5..fb2200553b9 100644 --- a/test/e2e/aws_test.go +++ b/test/e2e/aws_test.go @@ -841,7 +841,7 @@ var _ = Describe("AWS Lambda", func() { It("should be able to call lambda with request transform", testProxyWithRequestTransform) It("should be able to call lambda with request and response transforms", testProxyWithRequestAndResponseTransforms) - } + }) }) Context("With gateway translation", func() { BeforeEach(func() { From 2544b70195994781f5696b8f78388c71479534f6 Mon Sep 17 00:00:00 2001 From: Ben Taussig Date: Wed, 13 Sep 2023 09:41:46 -0400 Subject: [PATCH 20/21] bump envoy-gloo version --- Makefile | 5 ++--- changelog/v1.16.0-beta10/handle-sts-credentials-region.yaml | 6 +++++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index fed1dd4491f..3d5ce61ca1b 100644 --- a/Makefile +++ b/Makefile 
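Review bot: The new `Context("default region", ...)` block never says what makes it a default-region case: `setupEnvoySts(true, "")` passes an empty string whose meaning depends on the helper's signature, which is outside this hunk. A comment above the call such as `// empty region: the filter must fall back to us-east-1 for the STS call` would make the intent readable. The `It` cases only check that the lambda call succeeds, so if the role and upstream behind `addCredentialsSts()` and `addUpstreamSts(defaultRegion)` already work with us-east-1, the test may not distinguish the fallback from an explicitly configured region. It is worth confirming that a wrong STS region would make this context fail.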
@@ -48,7 +48,7 @@ VERSION ?= 1.0.1-dev SOURCES := $(shell find . -name "*.go" | grep -v test.go) -ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.26.4-patch1 +ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.26.4-patch3 LDFLAGS := "-X github.com/solo-io/gloo/pkg/version.Version=$(VERSION)" GCFLAGS := all="-N -l" @@ -595,8 +595,7 @@ package-chart: generate-helm-files # https://ftp.gnu.org/old-gnu/Manuals/make-3.79.1/html_chapter/make_6.html#SEC59 git_tag = $(shell git describe --abbrev=0 --tags) # Semantic versioning format https://semver.org/ -# Regex copied from: https://github.com/solo-io/go-utils/blob/16d4d94e4e5f182ca8c10c5823df303087879dea/versionutils/version.go#L338 -tag_regex := v[0-9]+[.][0-9]+[.][0-9]+(-[a-z]+)*(-[a-z]+[0-9]*)?$ +tag_regex := ^v([0-9]{1,}\.){2}[0-9]{1,}$ ifneq (,$(TEST_ASSET_ID)) PUBLISH_CONTEXT := PULL_REQUEST diff --git a/changelog/v1.16.0-beta10/handle-sts-credentials-region.yaml b/changelog/v1.16.0-beta10/handle-sts-credentials-region.yaml index 936cb88e2b8..e4c29220545 100644 --- a/changelog/v1.16.0-beta10/handle-sts-credentials-region.yaml +++ b/changelog/v1.16.0-beta10/handle-sts-credentials-region.yaml @@ -3,4 +3,8 @@ changelog: issueLink: https://github.com/solo-io/gloo/issues/8578 resolvesIssue: false description: > - Support role chaining using EKS ServiceAccounts outside of us-east-1 \ No newline at end of file + Support role chaining using EKS ServiceAccounts outside of us-east-1 +- type: DEPENDENCY_BUMP + dependencyOwner: solo-io + dependencyRepo: envoy-gloo + dependencyTag: v1.26.4-patch3 \ No newline at end of file From 776da72fe472e02b4d4f9c3c0d531f38d856c69c Mon Sep 17 00:00:00 2001 From: Ben Taussig Date: Wed, 13 Sep 2023 14:42:02 -0400 Subject: [PATCH 21/21] remove unnecessary tests from AWS e2e test --- test/e2e/aws_test.go | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/test/e2e/aws_test.go b/test/e2e/aws_test.go index fb2200553b9..a11074eaca7 100644 --- a/test/e2e/aws_test.go 
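Review bot: The second Makefile hunk replaces `tag_regex` with `^v([0-9]{1,}\.){2}[0-9]{1,}$`, which no longer accepts a pre-release suffix, in a commit described only as a version bump. A tag like `v1.16.0-beta10`, the version this same patch files its changelog under, matched the old pattern and does not match the new one. How `tag_regex` is consumed lies outside the hunk, so the effect on release and publish gating should be checked. If the narrowing is not intended, keep the old line `tag_regex := v[0-9]+[.][0-9]+[.][0-9]+(-[a-z]+)*(-[a-z]+[0-9]*)?$`. If it is intended, the hunk also deletes the comment recording where the pattern came from, so add one such as `# release tags only; pre-release suffixes are deliberately rejected`.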
+++ b/test/e2e/aws_test.go @@ -820,12 +820,6 @@ var _ = Describe("AWS Lambda", func() { }) It("should be able to call lambda", testProxy) - - It("should be able to call lambda with response transform", testProxyWithResponseTransform) - - It("should be able to call lambda with request transform", testProxyWithRequestTransform) - - It("should be able to call lambda with request and response transforms", testProxyWithRequestAndResponseTransforms) }) Context("default region", func() { BeforeEach(func() { @@ -835,12 +829,6 @@ var _ = Describe("AWS Lambda", func() { }) It("should be able to call lambda", testProxy) - - It("should be able to call lambda with response transform", testProxyWithResponseTransform) - - It("should be able to call lambda with request transform", testProxyWithRequestTransform) - - It("should be able to call lambda with request and response transforms", testProxyWithRequestAndResponseTransforms) }) }) Context("With gateway translation", func() {