From 0c78b36080c001ec75b1f7ce250e0b8f0aa30bb2 Mon Sep 17 00:00:00 2001
From: Keery Nie
Date: Thu, 5 Sep 2024 10:49:29 +0800
Subject: [PATCH] fix(vault): let vault entity cache key not containing workspace id (#13610)

This PR modifies the `cache_key` function of the vault entity to always generate a cache key without workspace id. Vault entity is workspace-able, but our secret rotation timer always run without workspace settings(thus the default workspace is being used), so during secret rotation, the code https://github.com/Kong/kong/blob/4e38b965b922f57febe8652fb96b7d74aeab591a/kong/pdk/vault.lua#L620-L621 will generate a duplicate vault cache with default workspace id for each non-default workspace vault entity, and those cache will never be refreshed. The result of this issue is that when you update a vault entity's configuration inside a non-default workspace, it will never take effect in the secret rotation. Since the prefix of vault entity is unique across workspaces, it should be safe to only use one cache key without workspace id, so that the correct cache is used during secret rotation. FTI-6152 (cherry picked from commit 34551516b47d2d84b90587b570e018f47f54f788)
---
 .../unreleased/kong/fix-vault-cache-workspace-id.yml | 4 ++++
 kong/db/dao/vaults.lua | 10 ++++++++++
 spec/02-integration/13-vaults/01-vault_spec.lua | 5 +++++
 3 files changed, 19 insertions(+)
 create mode 100644 changelog/unreleased/kong/fix-vault-cache-workspace-id.yml
diff --git a/changelog/unreleased/kong/fix-vault-cache-workspace-id.yml b/changelog/unreleased/kong/fix-vault-cache-workspace-id.yml
new file mode 100644
index 000000000000..2ac640a2e16d
--- /dev/null
+++ b/changelog/unreleased/kong/fix-vault-cache-workspace-id.yml
@@ -0,0 +1,4 @@
+message: |
+ **Vault**: Fixed an issue where updating a vault entity in a non-default workspace will not take effect.
+type: bugfix
+scope: Core
diff --git a/kong/db/dao/vaults.lua b/kong/db/dao/vaults.lua
index 1c7238b15b93..477f6960d7d5 100644
--- a/kong/db/dao/vaults.lua
+++ b/kong/db/dao/vaults.lua
@@ -84,4 +84,14 @@ function Vaults:load_vault_schemas(vault_set)
 end
+function Vaults:cache_key(prefix)
+ if type(prefix) == "table" then
+ prefix = prefix.prefix
+ end
+
+ -- Always return the cache_key without a workspace because prefix is unique across workspaces
+ return "vaults:" .. prefix .. ":::::"
+end
+
+
 return Vaults
diff --git a/spec/02-integration/13-vaults/01-vault_spec.lua b/spec/02-integration/13-vaults/01-vault_spec.lua
index 0457923e7c64..dd5a58c6de42 100644
--- a/spec/02-integration/13-vaults/01-vault_spec.lua
+++ b/spec/02-integration/13-vaults/01-vault_spec.lua
@@ -175,5 +175,10 @@ for _, strategy in helpers.each_strategy() do
 assert.is_equal("{vault://unknown/missing-key}", certificate.key_alt)
 assert.is_nil(certificate["$refs"])
 end)
+
+ it("generate correct cache key", function ()
+ local cache_key = db.vaults:cache_key("test")
+ assert.equal("vaults:test:::::", cache_key)
+ end)
 end)
 end
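Review bot: `Vaults:cache_key` concatenates `prefix` unchecked, so a nil argument or an entity table with no `prefix` field fails with a bare "attempt to concatenate a nil value" raised from inside the DAO instead of a message naming the caller's mistake; after the table unwrap add `if type(prefix) ~= "string" then error("vault prefix must be a string", 2) end`. The comment's safety argument rests on `prefix` being unique across all workspaces, but nothing in the hunk shows where that invariant is enforced — if uniqueness were only per workspace, vault entities in two workspaces would share one cache entry and one workspace's vault configuration would be served for the other's secret references, so the comment should point at the guarantee, e.g. `-- Relies on vaults.prefix being unique across all workspaces (enforced by the entity schema); per-workspace-only uniqueness would make these keys collide`. The trailing `:::::` presumably mirrors the generic DAO key layout (unused key slots plus the empty workspace slot) so existing cache invalidation code still parses the key; saying so in the comment would keep a later layout change from silently breaking that parsing.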
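Review bot: The new test exercises only the string form of `cache_key`, so the table-unwrapping branch (`prefix = prefix.prefix`) that every entity-based caller will hit stays uncovered, and the test does not pin the property the fix is about — that the key is identical whichever workspace the entity lives in; add `assert.equal("vaults:test:::::", db.vaults:cache_key({ prefix = "test", ws_id = "not-default" }))` next to the existing assertion (the extra `ws_id` field is a constructed value showing workspace data is ignored). The enclosing `describe` blocks start outside the hunk.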