solo-io · soloio-bulldozer · Sep 13, 2023 · Aug 22, 2023 · Aug 22, 2023 · Aug 22, 2023
diff --git a/Makefile b/Makefile
@@ -48,7 +48,7 @@ VERSION ?= 1.0.1-dev
 
 SOURCES := $(shell find . -name "*.go" | grep -v test.go)
 
-ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.26.4-patch1
+ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.26.4-patch3
 LDFLAGS := "-X github.com/solo-io/gloo/pkg/version.Version=$(VERSION)"
 GCFLAGS := all="-N -l"
 
@@ -595,8 +595,7 @@ package-chart: generate-helm-files
 # https://ftp.gnu.org/old-gnu/Manuals/make-3.79.1/html_chapter/make_6.html#SEC59
 git_tag = $(shell git describe --abbrev=0 --tags)
 # Semantic versioning format https://semver.org/
-# Regex copied from: https://github.com/solo-io/go-utils/blob/16d4d94e4e5f182ca8c10c5823df303087879dea/versionutils/version.go#L338
-tag_regex := v[0-9]+[.][0-9]+[.][0-9]+(-[a-z]+)*(-[a-z]+[0-9]*)?$
+tag_regex := ^v([0-9]{1,}\.){2}[0-9]{1,}$
 
 ifneq (,$(TEST_ASSET_ID))
 PUBLISH_CONTEXT := PULL_REQUEST

diff --git a/changelog/v1.16.0-beta10/handle-sts-credentials-region.yaml b/changelog/v1.16.0-beta10/handle-sts-credentials-region.yaml
@@ -0,0 +1,10 @@
+changelog:
+- type: FIX
+  issueLink: https://github.com/solo-io/gloo/issues/8578
+  resolvesIssue: false 
+  description: >
+    Support role chaining using EKS ServiceAccounts outside of us-east-1
+- type: DEPENDENCY_BUMP
+  dependencyOwner: solo-io
+  dependencyRepo: envoy-gloo
+  dependencyTag: v1.26.4-patch3
diff --git a/install/helm/gloo/crds/gloo.solo.io_v1_Settings.yaml b/install/helm/gloo/crds/gloo.solo.io_v1_Settings.yaml
@@ -572,6 +572,8 @@ spec:
                         properties:
                           cluster:
                             type: string
+                          region:
+                            type: string
                           timeout:
                             type: string
                           uri:

diff --git a/install/helm/gloo/templates/18-settings.yaml b/install/helm/gloo/templates/18-settings.yaml
@@ -53,8 +53,10 @@ spec:
         cluster: aws_sts_cluster
 {{- if not .Values.settings.aws.stsCredentialsRegion }}
         uri: sts.amazonaws.com
+        region: us-east-1
 {{- else }}
         uri: sts.{{ .Values.settings.aws.stsCredentialsRegion }}.amazonaws.com
+        region: {{ .Values.settings.aws.stsCredentialsRegion }}
 {{- end }}
 {{- else if .Values.settings.aws.enableCredentialsDiscovery }}
       enableCredentialsDiscovey: true

diff --git a/install/test/fixtures/settings/sts_discovery.yaml b/install/test/fixtures/settings/sts_discovery.yaml
@@ -37,6 +37,7 @@ spec:
       serviceAccountCredentials:
         cluster: aws_sts_cluster
         uri: sts.us-east-2.amazonaws.com
+        region: us-east-2
       propagateOriginalRouting: true
   kubernetesArtifactSource: {}
   kubernetesConfigSource: {}

diff --git a/projects/gloo/api/external/envoy/extensions/aws/filter.proto b/projects/gloo/api/external/envoy/extensions/aws/filter.proto
@@ -116,6 +116,8 @@ message AWSLambdaConfig {
     string uri = 2 [ (validate.rules).string.min_bytes = 1 ];
     // timeout for the request
     google.protobuf.Duration timeout = 3;
+    // Region for the sts endpoint. Defaults to us-east-1
+    string region = 4;
   }
 
   // Send downstream path and method as `x-envoy-original-path` and

diff --git a/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.clone.go b/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.clone.go
diff --git a/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.equal.go b/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.equal.go
diff --git a/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.go b/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.go
diff --git a/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.hash.go b/projects/gloo/pkg/api/external/envoy/extensions/aws/filter.pb.hash.go
diff --git a/test/e2e/aws_test.go b/test/e2e/aws_test.go
@@ -50,7 +50,8 @@ import (
 
 var _ = Describe("AWS Lambda", func() {
 	const (
-		region               = "us-east-1"
+		defaultRegion        = "us-east-1"
+		secondaryRegion      = "us-east-2"
 		webIdentityTokenFile = "AWS_WEB_IDENTITY_TOKEN_FILE"
 		jwtPrivateKey        = "JWT_PRIVATE_KEY"
 		awsRoleArn           = "AWS_ROLE_ARN"
@@ -160,11 +161,11 @@ var _ = Describe("AWS Lambda", func() {
 		upstream = &gloov1.Upstream{
 			Metadata: &core.Metadata{
 				Namespace: "default",
-				Name:      region,
+				Name:      defaultRegion,
 			},
 			UpstreamType: &gloov1.Upstream_Aws{
 				Aws: &aws_plugin.UpstreamSpec{
-					Region:    region,
+					Region:    defaultRegion,
 					SecretRef: secret.Metadata.Ref(),
 				},
 			},
@@ -199,7 +200,7 @@ var _ = Describe("AWS Lambda", func() {
 			},
 			UpstreamType: &gloov1.Upstream_Aws{
 				Aws: &aws_plugin.UpstreamSpec{
-					Region:    region,
+					Region:    defaultRegion,
 					SecretRef: secret.Metadata.Ref(),
 					// this is a separate account ID from the one that all other lambda
 					// functions tested in this file are in
@@ -544,7 +545,7 @@ var _ = Describe("AWS Lambda", func() {
 			secret = &gloov1.Secret{
 				Metadata: &core.Metadata{
 					Namespace: "default",
-					Name:      region,
+					Name:      defaultRegion,
 				},
 				Kind: &gloov1.Secret_Aws{
 					Aws: &gloov1.AwsSecret{
@@ -599,7 +600,7 @@ var _ = Describe("AWS Lambda", func() {
 
 		addCredentials := func() {
 			localAwsCredentials := credentials.NewSharedCredentials("", "")
-			sess, err := session.NewSession(&aws.Config{Region: aws.String(region), Credentials: localAwsCredentials})
+			sess, err := session.NewSession(&aws.Config{Region: aws.String(defaultRegion), Credentials: localAwsCredentials})
 			if err != nil {
 				Fail("no AWS creds available")
 			}
@@ -611,7 +612,7 @@ var _ = Describe("AWS Lambda", func() {
 			secret = &gloov1.Secret{
 				Metadata: &core.Metadata{
 					Namespace: "default",
-					Name:      region,
+					Name:      defaultRegion,
 				},
 				Kind: &gloov1.Secret_Aws{
 					Aws: &gloov1.AwsSecret{
@@ -707,7 +708,7 @@ var _ = Describe("AWS Lambda", func() {
 			}
 		}
 
-		addUpstreamSts := func() {
+		addUpstreamSts := func(region string) {
 			upstream = &gloov1.Upstream{
 				Metadata: &core.Metadata{
 					Namespace: "default",
@@ -741,11 +742,19 @@ var _ = Describe("AWS Lambda", func() {
 			}))
 		}
 
-		setupEnvoySts := func(justGloo bool) {
+		setupEnvoySts := func(justGloo bool, region string) {
 			ctx, cancel = context.WithCancel(context.Background())
 
 			envoyInstance = envoyFactory.NewInstance()
 
+			var uri string
+			if region == "" {
+				region = defaultRegion
+				uri = "sts.amazonaws.com"
+			} else {
+				uri = fmt.Sprintf("sts.%s.amazonaws.com", region)
+			}
+
 			ns := defaults.GlooSystem
 			ro := &services.RunOptions{
 				NsToWrite: ns,
@@ -759,7 +768,8 @@ var _ = Describe("AWS Lambda", func() {
 							CredentialsFetcher: &gloov1.GlooOptions_AWSOptions_ServiceAccountCredentials{
 								ServiceAccountCredentials: &aws2.AWSLambdaConfig_ServiceAccountCredentials{
 									Cluster: "aws_sts_cluster",
-									Uri:     "sts.amazonaws.com",
+									Uri:     uri,
+									Region:  region,
 								},
 							},
 						},
@@ -783,29 +793,49 @@ var _ = Describe("AWS Lambda", func() {
 			os.Unsetenv(webIdentityTokenFile)
 		})
 		Context("No gateway translation ", func() {
-			BeforeEach(func() {
-				setupEnvoySts(true)
-				addCredentialsSts()
-				addUpstreamSts()
+			Context("primary region", func() {
+				BeforeEach(func() {
+					setupEnvoySts(true, defaultRegion)
+					addCredentialsSts()
+					addUpstreamSts(defaultRegion)
+				})
+				/*
+				 * these tests can start failing if certs get rotated underneath us.
+				 * the fix is to update the rotated thumbprint on our fake AWS OIDC per
+				 * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
+				 */
+				It("should be able to call lambda", testProxy)
+
+				It("should be able to call lambda with response transform", testProxyWithResponseTransform)
+
+				It("should be able to call lambda with request transform", testProxyWithRequestTransform)
+
+				It("should be able to call lambda with request and response transforms", testProxyWithRequestAndResponseTransforms)
+			})
+			Context("secondary region", func() {
+				BeforeEach(func() {
+					setupEnvoySts(true, secondaryRegion)
+					addCredentialsSts()
+					addUpstreamSts(secondaryRegion)
+				})
+
+				It("should be able to call lambda", testProxy)
+			})
+			Context("default region", func() {
+				BeforeEach(func() {
+					setupEnvoySts(true, "")
+					addCredentialsSts()
+					addUpstreamSts(defaultRegion)
+				})
+
+				It("should be able to call lambda", testProxy)
 			})
-			/*
-			 * these tests can start failing if certs get rotated underneath us.
-			 * the fix is to update the rotated thumbprint on our fake AWS OIDC per
-			 * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
-			 */
-			It("should be able to call lambda", testProxy)
-
-			It("should be able to call lambda with response transform", testProxyWithResponseTransform)
-
-			It("should be able to call lambda with request transform", testProxyWithRequestTransform)
-
-			It("should be able to call lambda with request and response transforms", testProxyWithRequestAndResponseTransforms)
 		})
 		Context("With gateway translation", func() {
 			BeforeEach(func() {
-				setupEnvoySts(false)
+				setupEnvoySts(false, defaultRegion)
 				addCredentialsSts()
-				addUpstreamSts()
+				addUpstreamSts(defaultRegion)
 			})
 			It("should be able to call lambda via gateway", testLambdaWithVirtualService)