Merge pull request #1482 from fluxcd/release-v1.6.1

Release v1.6.1
2025-07-08 09:57:05 +01:00 · 2025-07-08 09:40:18 +01:00 · 2025-07-08 09:39:35 +01:00 · 2025-07-03 18:09:48 +01:00 · 2025-07-03 16:54:03 +00:00
5 changed files with 105 additions and 11 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,24 @@

 All notable changes to this project are documented in this file.

+## 1.6.1
+
+**Release date:** 2025-07-08
+
+This patch release fixes a bug introduced in v1.6.0
+that causes SOPS decryption with US Government KMS
+keys to fail with the error:
+
+```
+STS: AssumeRoleWithWebIdentity, https response error\n   StatusCode: 0, RequestID: ,
+request send failed, Post\n \"https://sts.arn.amazonaws.com/\": dial tcp:
+lookupts.arn.amazonaws.com on 10.100.0.10:53: no such host
+```
+
+Fixes:
+- Fix regression in STS endpoint for SOPS decryption with AWS KMS in US Gov partition
+  [#1478](https://github.com/fluxcd/kustomize-controller/pull/1478)
+
 ## 1.6.0

 **Release date:** 2025-05-28
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@ -5,4 +5,4 @@ resources:
 images:
  - name: fluxcd/kustomize-controller
    newName: fluxcd/kustomize-controller
-    newTag: v1.6.0
+    newTag: v1.6.1
--- a/go.mod
+++ b/go.mod
@ -19,7 +19,7 @@ require (
 	github.com/cyphar/filepath-securejoin v0.4.1
 	github.com/dimchansky/utfbom v1.1.1
 	github.com/fluxcd/cli-utils v0.36.0-flux.13
-	github.com/fluxcd/kustomize-controller/api v1.6.0
+	github.com/fluxcd/kustomize-controller/api v1.6.1
 	github.com/fluxcd/pkg/apis/acl v0.7.0
 	github.com/fluxcd/pkg/apis/event v0.17.0
 	github.com/fluxcd/pkg/apis/kustomize v1.10.0
--- a/internal/sops/awskms/region.go
+++ b/internal/sops/awskms/region.go
@ -17,11 +17,27 @@ limitations under the License.
 package awskms

 import (
-	"strings"
+	"regexp"
 )

+// arnRegex matches an AWS ARN, for example:
+// "arn:aws:kms:us-west-2:107501996527:key/612d5f0p-p1l3-45e6-aca6-a5b005693a48".
+// The regex matches both KMS keys and aliases, and supports different AWS partition names (aws, aws-cn, aws-us-gov).
+//
+// Copied from SOPS:
+// https://github.com/getsops/sops/blob/b2edaade23453c8774fc28ec491ddbe2b9a4c994/kms/keysource.go#L30-L32
+//
+// ref:
+// https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html
+const arnPattern = `^arn:aws[\w-]*:kms:(.+):[0-9]+:(key|alias)/.+$`
+
+var arnRegex = regexp.MustCompile(arnPattern)
+
 // GetRegionFromKMSARN extracts the region from a KMS ARN.
 func GetRegionFromKMSARN(arn string) string {
-	arn = strings.TrimPrefix(arn, "arn:aws:kms:")
-	return strings.SplitN(arn, ":", 2)[0]
+	m := arnRegex.FindStringSubmatch(arn)
+	if m == nil {
+		return ""
+	}
+	return m[1]
 }
--- a/internal/sops/awskms/region_test.go
+++ b/internal/sops/awskms/region_test.go
@ -25,10 +25,70 @@ import (
 )

 func TestGetRegionFromKMSARN(t *testing.T) {
-	g := NewWithT(t)
-
-	arn := "arn:aws:kms:us-east-1:211125720409:key/mrk-3179bb7e88bc42ffb1a27d5038ceea25"
-
-	region := awskms.GetRegionFromKMSARN(arn)
-	g.Expect(region).To(Equal("us-east-1"))
+	for _, tt := range []struct {
+		arn      string
+		expected string
+	}{
+		{
+			arn:      "arn:aws:kms:us-west-2:107501996527:key/612d5f0p-p1l3-45e6-aca6-a5b005693a48",
+			expected: "us-west-2",
+		},
+		{
+			arn:      "arn:aws-cn:kms:cn-north-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+			expected: "cn-north-1",
+		},
+		{
+			arn:      "arn:aws-us-gov:kms:us-gov-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+			expected: "us-gov-west-1",
+		},
+		{
+			arn:      "arn:aws:kms:us-west-2:107501996527:alias/my-key-alias",
+			expected: "us-west-2",
+		},
+		{
+			arn:      "arn:aws:kms:us-west-2:107501996527:key/",
+			expected: "",
+		},
+		{
+			arn:      "arn:aws:kms:us-west-2:107501996527:alias/",
+			expected: "",
+		},
+		{
+			arn:      "not-an-arn",
+			expected: "",
+		},
+		{
+			arn:      "arn:aws:s3:::my-bucket",
+			expected: "",
+		},
+		{
+			arn:      "arn:aws:ec2:us-west-2:123456789012:instance/i-1234567890abcdef0",
+			expected: "",
+		},
+		{
+			arn:      "arn:aws:iam::123456789012:user/David",
+			expected: "",
+		},
+		{
+			arn:      "arn:aws:lambda:us-west-2:123456789012:function:my-function",
+			expected: "",
+		},
+		{
+			arn:      "arn:aws:dynamodb:us-west-2:123456789012:table/my-table",
+			expected: "",
+		},
+		{
+			arn:      "arn:aws:rds:us-west-2:123456789012:db:my-database",
+			expected: "",
+		},
+		{
+			arn:      "arn:aws:sns:us-west-2:123456789012:my-topic",
+			expected: "",
+		},
+	} {
+		t.Run(tt.arn, func(t *testing.T) {
+			g := NewWithT(t)
+			g.Expect(awskms.GetRegionFromKMSARN(tt.arn)).To(Equal(tt.expected))
+		})
+	}
 }
Author	SHA1	Message	Date
Matheus Pimenta	8ec4a6e91f	Merge pull request #1482 from fluxcd/release-v1.6.1 Release v1.6.1	2025-07-08 09:57:05 +01:00
Matheus Pimenta	84115f6516	Release v1.6.1 Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>	2025-07-08 09:40:18 +01:00
Matheus Pimenta	2333a7413c	Add changelog entry for v1.6.1 Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>	2025-07-08 09:39:35 +01:00
Matheus Pimenta	9a203c8775	Merge pull request #1480 from fluxcd/backport-1478-to-release/v1.6.x [release/v1.6.x] Fix regression in STS endpoint for SOPS decryption with AWS KMS in US Gov partition	2025-07-03 18:09:48 +01:00
Matheus Pimenta	127d696d33	Fix regression in STS endpoint for SOPS decryption with AWS KMS in US Gov partition Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> (cherry picked from commit `4623a38989`)	2025-07-03 16:54:03 +00:00