
[backport -> release/3.6.x] fix(vault): let vault entity cache key not containing workspace id #13671

Merged
merged 1 commit into release/3.6.x from backport-13610-to-release/3.6.x
Sep 14, 2024

Conversation

team-gateway-bot
Collaborator

Automated backport to release/3.6.x, triggered by a label in #13610.

Original description

Summary

This PR modifies the cache_key function of the vault entity to always generate a cache key without workspace id.

The vault entity is workspace-able, but our secret rotation timer always runs without workspace settings (thus the default workspace is being used), so during secret rotation, the code

kong/kong/pdk/vault.lua

Lines 620 to 621 in 4e38b96

local vault_cache_key = vaults:cache_key(prefix)
vault, err = cache:get(vault_cache_key, nil, vaults.select_by_prefix, vaults, prefix, VAULT_QUERY_OPTS)
will generate a duplicate vault cache entry with the default workspace id for each non-default workspace vault entity, and those cache entries will never be refreshed. The result of this issue is that when you update a vault entity's configuration inside a non-default workspace, it will never take effect in the secret rotation.

Since the prefix of a vault entity is unique across workspaces, it should be safe to use only one cache key without the workspace id, so that the correct cache entry is used during secret rotation.

Checklist

  • The Pull Request has tests
  • A changelog file has been created under changelog/unreleased/kong, or the skip-changelog label has been added to the PR if a changelog is unnecessary. README.md
  • There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE

Issue reference

FTI-6152
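The stale-cache path the original description walks through, as an added example in Lua that is not Kong's code and is not part of the original PR. The toy cache (`new_cache`), the `simulate` driver, the key formats, the workspace ids and the sample vault entity are all assumptions made for the illustration; Kong's real `cache:get` takes an options argument that this toy omits. The example relies on the same premise the PR states, that a vault prefix is unique across workspaces.

```lua
-- Added illustration (not Kong's code): a toy cache showing why a
-- workspace-scoped cache key lets the secret-rotation timer read a stale
-- vault entity, and why a key without the workspace id fixes it.
-- `new_cache`, `simulate`, the key formats and the sample entity below are
-- assumptions made for this example; Kong's real cache:get signature differs.

local DEFAULT_WS = "default"

-- Minimal read-through cache: get(key, loader, ...) loads on a miss,
-- invalidate(key) drops one entry.
local function new_cache()
  local store = {}
  return {
    get = function(self, key, loader, ...)
      local v = store[key]
      if v == nil then
        v = loader(...)
        store[key] = v
      end
      return v
    end,
    invalidate = function(self, key)
      store[key] = nil
    end,
  }
end

-- Workspace-aware key (the pre-fix behaviour): the same prefix yields a
-- different key per workspace, so the rotation timer (default workspace) and
-- the Admin API (the entity's own workspace) never share an entry.
local function cache_key_with_ws(prefix, ws)
  return "vaults:" .. prefix .. ":::::" .. ws
end

-- Key without the workspace id (the behaviour the PR introduces). Safe only
-- because the vault prefix is unique across workspaces, so entities never collide.
local function cache_key_no_ws(prefix, _ws)
  return "vaults:" .. prefix .. ":::::"
end

-- Runs one update cycle against a given key function and returns the config
-- prefix the rotation timer observes afterwards.
local function simulate(key_fn)
  -- Constructed sample data: one vault entity in a non-default workspace.
  local db = {
    ["env-b"] = { ws = "team-b", prefix = "env-b", config = { prefix = "B_" } },
  }
  local function select_by_prefix(prefix)
    return db[prefix]  -- unique per prefix, no workspace filter, like the real lookup
  end
  local cache = new_cache()

  -- 1. Rotation timer fires: no workspace context, so the default id is used.
  local seen = cache:get(key_fn("env-b", DEFAULT_WS), select_by_prefix, "env-b")
  assert(seen.config.prefix == "B_")

  -- 2. An operator updates the vault through the Admin API inside workspace
  --    team-b. The write replaces the entity and invalidates the key computed
  --    under that workspace's id.
  db["env-b"] = { ws = "team-b", prefix = "env-b", config = { prefix = "B2_" } }
  cache:invalidate(key_fn("env-b", "team-b"))

  -- 3. Rotation timer fires again and reads whatever sits under its own key.
  seen = cache:get(key_fn("env-b", DEFAULT_WS), select_by_prefix, "env-b")
  return seen.config.prefix
end

-- Pre-fix: the entry cached under the default workspace id was never
-- invalidated, so rotation keeps using the old configuration.
assert(simulate(cache_key_with_ws) == "B_")

-- Post-fix: Admin API and rotation timer share one key, so the update is seen.
assert(simulate(cache_key_no_ws) == "B2_")

print("ok")
```

Run it with a plain `lua` interpreter; the two assertions at the bottom encode the before and after behaviour. The check a reviewer would want alongside the fix is the premise itself: if a prefix could ever be reused in two workspaces, the single key would hand one workspace's vault configuration to another, so the uniqueness constraint on the prefix is what makes dropping the workspace id safe.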

…13610)

This PR modifies the `cache_key` function of the vault entity to always generate a cache key without workspace id.

The vault entity is workspace-able, but our secret rotation timer always runs without workspace settings (thus the default workspace is being used), so during secret rotation, the code https://github.com/Kong/kong/blob/4e38b965b922f57febe8652fb96b7d74aeab591a/kong/pdk/vault.lua#L620-L621 will generate a duplicate vault cache entry with the default workspace id for each non-default workspace vault entity, and those cache entries will never be refreshed. The result of this issue is that when you update a vault entity's configuration inside a non-default workspace, it will never take effect in the secret rotation.

Since the prefix of a vault entity is unique across workspaces, it should be safe to use only one cache key without the workspace id, so that the correct cache entry is used during secret rotation.

FTI-6152

(cherry picked from commit 3455151)
@windmgc windmgc merged commit 7071384 into release/3.6.x Sep 14, 2024
39 checks passed
@windmgc windmgc deleted the backport-13610-to-release/3.6.x branch September 14, 2024 07:17