

5 Commits
main ... v1.6.1

Author SHA1 Message Date
Matheus Pimenta 8ec4a6e91f
Merge pull request #1482 from fluxcd/release-v1.6.1
Release v1.6.1
2025-07-08 09:57:05 +01:00
Matheus Pimenta 84115f6516
Release v1.6.1
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-07-08 09:40:18 +01:00
Matheus Pimenta 2333a7413c
Add changelog entry for v1.6.1
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2025-07-08 09:39:35 +01:00
Matheus Pimenta 9a203c8775
Merge pull request #1480 from fluxcd/backport-1478-to-release/v1.6.x
[release/v1.6.x] Fix regression in STS endpoint for SOPS decryption with AWS KMS in US Gov partition
2025-07-03 18:09:48 +01:00
Matheus Pimenta 127d696d33 Fix regression in STS endpoint for SOPS decryption with AWS KMS in US Gov partition
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
(cherry picked from commit 4623a38989)
2025-07-03 16:54:03 +00:00
5 changed files with 105 additions and 11 deletions


@ -2,6 +2,24 @@
All notable changes to this project are documented in this file. All notable changes to this project are documented in this file.
## 1.6.1
**Release date:** 2025-07-08
This patch release fixes a bug introduced in v1.6.0
that causes SOPS decryption with US Government KMS
keys to fail with the error:
```
STS: AssumeRoleWithWebIdentity, https response error\n StatusCode: 0, RequestID: ,
request send failed, Post\n \"https://sts.arn.amazonaws.com/\": dial tcp:
lookupts.arn.amazonaws.com on 10.100.0.10:53: no such host
```
Fixes:
- Fix regression in STS endpoint for SOPS decryption with AWS KMS in US Gov partition
[#1478](https://github.com/fluxcd/kustomize-controller/pull/1478)
## 1.6.0 ## 1.6.0
**Release date:** 2025-05-28 **Release date:** 2025-05-28


@ -5,4 +5,4 @@ resources:
images: images:
- name: fluxcd/kustomize-controller - name: fluxcd/kustomize-controller
newName: fluxcd/kustomize-controller newName: fluxcd/kustomize-controller
newTag: v1.6.0 newTag: v1.6.1

2
go.mod

@ -19,7 +19,7 @@ require (
github.com/cyphar/filepath-securejoin v0.4.1 github.com/cyphar/filepath-securejoin v0.4.1
github.com/dimchansky/utfbom v1.1.1 github.com/dimchansky/utfbom v1.1.1
github.com/fluxcd/cli-utils v0.36.0-flux.13 github.com/fluxcd/cli-utils v0.36.0-flux.13
github.com/fluxcd/kustomize-controller/api v1.6.0 github.com/fluxcd/kustomize-controller/api v1.6.1
github.com/fluxcd/pkg/apis/acl v0.7.0 github.com/fluxcd/pkg/apis/acl v0.7.0
github.com/fluxcd/pkg/apis/event v0.17.0 github.com/fluxcd/pkg/apis/event v0.17.0
github.com/fluxcd/pkg/apis/kustomize v1.10.0 github.com/fluxcd/pkg/apis/kustomize v1.10.0


@ -17,11 +17,27 @@ limitations under the License.
package awskms package awskms
import ( import (
"strings" "regexp"
) )
// arnRegex matches an AWS ARN, for example:
// "arn:aws:kms:us-west-2:107501996527:key/612d5f0p-p1l3-45e6-aca6-a5b005693a48".
// The regex matches both KMS keys and aliases, and supports different AWS partition names (aws, aws-cn, aws-us-gov).
//
// Copied from SOPS:
// https://github.com/getsops/sops/blob/b2edaade23453c8774fc28ec491ddbe2b9a4c994/kms/keysource.go#L30-L32
//
// ref:
// https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html
const arnPattern = `^arn:aws[\w-]*:kms:(.+):[0-9]+:(key|alias)/.+$`
var arnRegex = regexp.MustCompile(arnPattern)
// GetRegionFromKMSARN extracts the region from a KMS ARN. // GetRegionFromKMSARN extracts the region from a KMS ARN.
func GetRegionFromKMSARN(arn string) string { func GetRegionFromKMSARN(arn string) string {
arn = strings.TrimPrefix(arn, "arn:aws:kms:") m := arnRegex.FindStringSubmatch(arn)
return strings.SplitN(arn, ":", 2)[0] if m == nil {
return ""
}
return m[1]
} }
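Review bot: The region capture group in arnPattern is the unrestricted `(.+)`, so a malformed input such as `arn:aws:kms:us-west-2:x:123456789012:key/abc` matches and GetRegionFromKMSARN returns `us-west-2:x` instead of rejecting it, and that string is presumably what the caller (outside this hunk) splices into the STS/KMS endpoint host. The pattern is copied verbatim from SOPS, so tightening it is a deliberate divergence, but restricting the group to non-colon characters keeps every partition case in the new tests passing while refusing the colon case: change the pattern to `^arn:aws[\w-]*:kms:([^:]+):[0-9]+:(key|alias)/.+$`. The doc comment on GetRegionFromKMSARN should also spell out the new empty-string result that the old TrimPrefix/SplitN code never produced, e.g. `// GetRegionFromKMSARN extracts the region from a KMS key or alias ARN. It returns "" when arn is not a KMS ARN; callers should treat that as an error, not as a default region.`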


@ -25,10 +25,70 @@ import (
) )
func TestGetRegionFromKMSARN(t *testing.T) { func TestGetRegionFromKMSARN(t *testing.T) {
g := NewWithT(t) for _, tt := range []struct {
arn string
arn := "arn:aws:kms:us-east-1:211125720409:key/mrk-3179bb7e88bc42ffb1a27d5038ceea25" expected string
}{
region := awskms.GetRegionFromKMSARN(arn) {
g.Expect(region).To(Equal("us-east-1")) arn: "arn:aws:kms:us-west-2:107501996527:key/612d5f0p-p1l3-45e6-aca6-a5b005693a48",
expected: "us-west-2",
},
{
arn: "arn:aws-cn:kms:cn-north-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
expected: "cn-north-1",
},
{
arn: "arn:aws-us-gov:kms:us-gov-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
expected: "us-gov-west-1",
},
{
arn: "arn:aws:kms:us-west-2:107501996527:alias/my-key-alias",
expected: "us-west-2",
},
{
arn: "arn:aws:kms:us-west-2:107501996527:key/",
expected: "",
},
{
arn: "arn:aws:kms:us-west-2:107501996527:alias/",
expected: "",
},
{
arn: "not-an-arn",
expected: "",
},
{
arn: "arn:aws:s3:::my-bucket",
expected: "",
},
{
arn: "arn:aws:ec2:us-west-2:123456789012:instance/i-1234567890abcdef0",
expected: "",
},
{
arn: "arn:aws:iam::123456789012:user/David",
expected: "",
},
{
arn: "arn:aws:lambda:us-west-2:123456789012:function:my-function",
expected: "",
},
{
arn: "arn:aws:dynamodb:us-west-2:123456789012:table/my-table",
expected: "",
},
{
arn: "arn:aws:rds:us-west-2:123456789012:db:my-database",
expected: "",
},
{
arn: "arn:aws:sns:us-west-2:123456789012:my-topic",
expected: "",
},
} {
t.Run(tt.arn, func(t *testing.T) {
g := NewWithT(t)
g.Expect(awskms.GetRegionFromKMSARN(tt.arn)).To(Equal(tt.expected))
})
}
} }
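Review bot: The table in TestGetRegionFromKMSARN never pins how the region group behaves when the region field is empty or contains a stray `:`, which is the part of the ARN the pre-1.6.1 code mishandled. A case like `{arn: "arn:aws:kms::123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", expected: ""}` documents the empty-region contract, and a case with a colon inside the region segment would make the intended behaviour of the greedy `.+` in arnPattern explicit rather than incidental. Both would sit naturally after the existing `key/` and `alias/` empty-identifier cases.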