From ba27b64594777e0f0c1b154087ef90ecbc696d61 Mon Sep 17 00:00:00 2001
From: Aapo Talvensaari
Date: Fri, 16 Feb 2024 14:06:42 +0200
Subject: [PATCH] fix(vault): use global query when finding a vault by prefix (#12572)

### Summary

In FTI-5762 it was reported that there is a problem with secret rotation when vaults are stored inside a workspace. This commit will fix it by passing `workspace = null` aka making a call a global call which will not then use the possibly incorrect workspace (default) to find vault entity (the vault config). The vault entity prefix is unique across workspaces.

Signed-off-by: Aapo Talvensaari

(cherry picked from commit 2fb898da9b3de51e894c1336a6598de4d5ebd9f5)
---
 changelog/unreleased/kong/fix-vault-workspaces.yml | 3 +++
 kong/pdk/vault.lua | 7 +++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 changelog/unreleased/kong/fix-vault-workspaces.yml

diff --git a/changelog/unreleased/kong/fix-vault-workspaces.yml b/changelog/unreleased/kong/fix-vault-workspaces.yml
new file mode 100644
index 00000000000..c381ebcda87
--- /dev/null
+++ b/changelog/unreleased/kong/fix-vault-workspaces.yml
@@ -0,0 +1,3 @@
+message: "**Vault**: do not use incorrect (default) workspace identifier when retrieving vault entity by prefix"
+type: bugfix
+scope: Core
diff --git a/kong/pdk/vault.lua b/kong/pdk/vault.lua
index 442d7c6d839..2666c925f5d 100644
--- a/kong/pdk/vault.lua
+++ b/kong/pdk/vault.lua
@@ -60,6 +60,9 @@ local COLON = byte(":")
 local SLASH = byte("/")
 
 
+local VAULT_QUERY_OPTS = { workspace = ngx.null }
+
+
 ---
 -- Checks if the passed in reference looks like a reference.
 -- Valid references start with '{vault://' and end with '}'.
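Review bot: The new `VAULT_QUERY_OPTS` constant carries the whole rationale of this fix but has no comment, so a later reader sees only an options table with a null workspace and may "correct" it back to a workspace-scoped lookup. A short comment above it would keep the invariant next to the code, e.g. `-- Vault prefixes are unique across workspaces, so the vault entity is looked up globally (workspace = ngx.null) instead of in the current (possibly default) workspace.` Since this is one shared module-level table that is handed to `select_by_prefix` both directly and through `cache:get`, it is worth confirming that nothing downstream writes into the options table it receives; if the DAO layer ever does, the constant would carry that state between calls. This also means a vault reference in any workspace can resolve a vault config from any other workspace, which the commit message states is intended, so the cross-workspace uniqueness of the prefix is the boundary that keeps that lookup unambiguous.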
@@ -606,10 +609,10 @@ local function new(self)
 if cache then
 local vault_cache_key = vaults:cache_key(prefix)
- vault, err = cache:get(vault_cache_key, nil, vaults.select_by_prefix, vaults, prefix)
+ vault, err = cache:get(vault_cache_key, nil, vaults.select_by_prefix, vaults, prefix, VAULT_QUERY_OPTS)
 else
- vault, err = vaults:select_by_prefix(prefix)
+ vault, err = vaults:select_by_prefix(prefix, VAULT_QUERY_OPTS)
 end
 
 if not vault then