Release: Gateway 3.4.3.13 (#8015)

* changelog and version bump for 3.4.3.13

* add new changes

---------

Co-authored-by: Angel <[email protected]>
Co-authored-by: Angel <[email protected]>

app/_data/kong_versions.yml

@@ -57,7 +57,7 @@
     pcre: 8.45
   lua_doc: true
 - release: "3.4.x"
-  ee-version: "3.4.3.12"
+  ee-version: "3.4.3.13"
   ce-version: "3.4.2"
   edition: "gateway"
   luarocks_version: "3.0.0-0"

app/_src/gateway/kong-enterprise/aws-iam-auth-to-rds-database.md

@@ -36,9 +36,11 @@ Before you enable the AWS IAM authentication, you must configure your AWS RDS da
 
    {:.warning}
    > **Warning:** You **can't** change the value of the environment variables you used to provide the AWS credential after booting {{site.base_gateway}}. Any changes are ignored.
-{% if_version gte:3.8.x %}
+{% if_version gte:3.4.x %}
+  {% unless page.release == "3.5.x" or page.release == "3.6.x" or page.release == "3.7.x" %}
    - If you want to assume a role, make sure the original IAM role that Kong uses has the correct permission to assume the role of the target IAM role, and the target IAM role has the correct permission to connect to the database using IAM authentication.
    - If you have users with non-public VPC networks and private VPC endpoints (without private DNS names enabled), you can configure an AWS Service Token Service (STS) endpoint globally with `vault_aws_sts_endpoint_url` or on a custom AWS Vault entity with `sts_endpoint_url`.
+  {% endunless %}
 {% endif_version %}
 
 - **Assign an IAM policy to the {{site.base_gateway}} IAM role**. For more information, see [Creating and using an IAM policy for IAM database access](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html) in the Amazon RDS documentation.
@@ -76,7 +78,8 @@ KONG_PG_IAM_AUTH=off # This line can be omitted because off is the default value
 KONG_PG_RO_IAM_AUTH=on
 ```
 
-{% if_version gte:3.8.x %}
+{% if_version gte:3.4.x %}
+{% unless page.release == "3.5.x" or page.release == "3.6.x" or page.release == "3.7.x" %}
 If you want to [assume a role](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html), also set the following environment variables:
 
 ```bash
@@ -98,7 +101,7 @@ KONG_PG_RO_IAM_AUTH_ROLE_SESSION_NAME=<role_session_name>
 # Optional, same as KONG_PG_IAM_AUTH_STS_ENDPOINT_URL
 KONG_PG_RO_IAM_AUTH_STS_ENDPOINT_URL=https://your.endpoint.to.aws.sts.service.amazonaws.com
 ```
-
+{% endunless %}
 {% endif_version %}
 
 ### Enable AWS IAM authentication in the configuration file

app/gateway/changelog.md

@@ -2584,10 +2584,60 @@ was called multiple times in a request lifecycle.
   * Bumped `curl` from 8.3.0 to 8.4.0
   * Bumped `nghttp2` from 1.56.0 to 1.57.0
 
-
-## 3.4.3.12
+## 3.4.3.13
+**Release Date** 2024/11/15
 
 ### Features
+#### Core
+
+* Added support for AWS IAM role assuming in AWS IAM Database Authentication, with the following new configuration fields: `pg_iam_auth_assume_role_arn`, `pg_iam_auth_role_session_name`, `pg_ro_iam_auth_assume_role_arn`, and `pg_ro_iam_auth_role_session_name`.
+
+* Added support for a configurable STS endpoint for RDS IAM Authentication, with the following new configuration fields: `pg_iam_auth_sts_endpoint_url` and `pg_ro_iam_auth_sts_endpoint_url`.
+
+* Added support for a configurable STS endpoint for AWS Vault. This can either be configured by `vault_aws_sts_endpoint_url` as a global configuration, or `sts_endpoint_url` on a custom AWS Vault entity.
+
+#### Plugins
+
+* [**AWS Lambda**](/hub/kong-inc/aws-lambda) (`aws-lambda`):
+  * Added support for a configurable STS endpoint with the new configuration field `aws_sts_endpoint_url`.
+
+* [**Rate Limiting Advanced**](/hub/kong-inc/rate-limiting-advanced/) (`rate-limiting-advanced`) 
+  * Increased the time resolution of sliding window weight calculation.
+
+### Fixes
+#### Core
+
+* Fixed an issue where the Vault secret cache got refreshed during `resurrect_ttl` time and could not be fetched by other workers.
+* Moved internal Unix sockets to a subdirectory (`sockets`) of the Kong prefix.
+* Shortened the names of internal Unix sockets to avoid exceeding the socket name limit.
+* Fixed an issue where AWS IAM assume role could not be used in AWS IAM database authentication by using the following fields: 
+  * `pg_iam_auth_assume_role_arn`
+  * `pg_iam_auth_role_session_name`
+  * `pg_ro_iam_auth_assume_role_arn`
+  * `pg_ro_iam_auth_role_session_name`
+* Fixed an issue where the STS endpoint could not be configured manually in RDS IAM Authentication, AWS Vault and AWS Lambda plugin. For RDS IAM authentication, it can be configured by `pg_iam_auth_sts_endpoint_url` and `pg_ro_iam_auth_sts_endpoint_url`. For AWS vault, it can be configured using `vault_aws_sts_endpoint_url` as a global configuration, or `sts_endpoint_url` on a custom AWS vault entity. For the AWS Lambda plugin, it can be configured using the `aws_sts_endpoint_url`. 
+* Fixed an issue where `luarocks-admin` was not available in `/usr/local/bin`.
+* Fixed an issue where analytics could break when the value type of rate limiting-related headers was not `integer`.
+* Fixed an issue where the IAM auth token was not refreshed when the underlying AWS credential expired.
+
+#### Plugins
+
+* [**OpenTelemetry**](/hub/kong-inc/opentelemetry) (`opentelemetry`)
+  * Fixed an issue where `header_type` being `nil` caused a log message concatenation error.
+
+* [**Rate Limiting Advanced**](/hub/kong-inc/rate-limiting-advanced/) (`rate-limiting-advanced`) 
+  * Fixed an issue where the sync timer could stop working due to a race condition.
+  * Fixed an issue where when the sliding window and `window_size` was very small, the precision of the rate limit wasn't accurate enough.
+
+### Dependencies
+
+* Bumped `LPEG` from 1.0.2 to 1.1.0 to keep the version consistent across all active branches. 
+The version bump includes fixes like UTF-8 ranges, a larger limit for rules and matches, accumulator capture, and more.
+* Bumped `lua-resty-aws` to 1.5.3 to fix a bug related to the STS regional endpoint.
+* Bumped `lua-resty-azure` to 1.6.1 to fix a `GET` request build issue.
+* Made the RPM package relocatable with the default prefix set to `/`.
+
+## 3.4.3.12
 **Release Date** 2024/08/08
 
 ### Deprecations