fix(health-checker): get certificate with upstream.ws_id (#13882)
This is to avoid calling get_certificate with the workspace id from ngx.ctx.workspace, which is volatile when in a timer callback.

https://konghq.atlassian.net/browse/KAG-5821
Oyami-Srk authored Nov 18, 2024
1 parent a1ef850 commit e862d9c
Showing 3 changed files with 10 additions and 5 deletions.
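--- a/changelog/unreleased/kong/fix-balancer-health-checker.yml
+++ b/changelog/unreleased/kong/fix-balancer-health-checker.yml
@@ -0,0 +1,3 @@
+message: Fixed a bug where the health checker could fail to initialize in rare cases.
+type: bugfix
+scope: Core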
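--- a/kong/runloop/balancer/healthcheckers.lua
+++ b/kong/runloop/balancer/healthcheckers.lua
@@ -256,7 +256,7 @@ function healthcheckers_M.create_healthchecker(balancer, upstream)
 
 local ssl_cert, ssl_key
 if upstream.client_certificate then
-local cert, err = get_certificate(upstream.client_certificate)
+local cert, err = get_certificate(upstream.client_certificate, nil, upstream.ws_id)
 if not cert then
 log(ERR, "unable to fetch upstream client TLS certificate ",
 upstream.client_certificate.id, ": ", err)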
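Review bot: The reason for the third argument on the `get_certificate(upstream.client_certificate, nil, upstream.ws_id)` line is recorded only in the commit message, and the positional `nil` hides that the second parameter is `sni_name`. I would add a comment above the call such as `-- may run from a timer callback where ngx.ctx.workspace is unreliable; scope the lookup to the upstream's workspace`. The error log just below could also include `upstream.ws_id`, so a failed client-certificate fetch can be tied to a workspace during triage. `create_healthchecker` starts and ends outside this hunk.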
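--- a/kong/runloop/certificate.lua
+++ b/kong/runloop/certificate.lua
@@ -188,8 +188,10 @@ local function fetch_sni(sni, i)
 end
 
 
-local function fetch_certificate(pk, sni_name)
-local certificate, err = kong.db.certificates:select(pk)
+local function fetch_certificate(pk, sni_name, ws_id)
+local certificate, err = kong.db.certificates:select(pk, {
+workspace = ws_id,
+})
 if err then
 if sni_name then
 return nil, "failed to fetch certificate for '" .. sni_name .. "' SNI: " ..
@@ -251,12 +253,12 @@ local function init()
 end
 
 
-local function get_certificate(pk, sni_name)
+local function get_certificate(pk, sni_name, ws_id)
 local cache_key = kong.db.certificates:cache_key(pk)
 local certificate, err, hit_level = kong.core_cache:get(cache_key,
 get_certificate_opts,
 fetch_certificate,
-pk, sni_name)
+pk, sni_name, ws_id)
 
 if certificate and hit_level ~= 3 and certificate["$refs"] then
 certificate = parse_key_and_cert(kong.vault.update(certificate))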
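Review bot: In the second hunk, `get_certificate` still builds its key with `kong.db.certificates:cache_key(pk)` while the loader now selects under the explicit `ws_id`, so the cache key and the row stored under it may be scoped to different workspaces. `cache_key` is not visible on this page; if it folds in the ambient workspace from the request context, a timer callback could cache a certificate and key fetched for one workspace under a key derived from another, which is the same volatility this commit removes from the select. I would confirm how the key is derived and, if `cache_key` accepts a workspace argument, pass `ws_id` to it as well. A doc comment on `get_certificate` stating what a nil `ws_id` means (presumably the ambient workspace) would also help the existing callers. Both function bodies continue outside the hunks.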

1 comment on commit e862d9c

@github-actions
Contributor


Bazel Build

Docker image available kong/kong:e862d9c36431b0a380a1d445978f5863ce8a63af
Artifacts available https://github.com/Kong/kong/actions/runs/11887309276
