diff --git a/changelog/unreleased/kong/fix-balancer-health-checker.yml b/changelog/unreleased/kong/fix-balancer-health-checker.yml new file mode 100644 index 000000000000..10c81cb7aa10 --- /dev/null +++ b/changelog/unreleased/kong/fix-balancer-health-checker.yml @@ -0,0 +1,3 @@ +message: Fixed a bug where the health checker could fail to initialize in rare cases. +type: bugfix +scope: Core diff --git a/kong/runloop/balancer/healthcheckers.lua b/kong/runloop/balancer/healthcheckers.lua index da22bd001490..3e8b934cb66a 100644 --- a/kong/runloop/balancer/healthcheckers.lua +++ b/kong/runloop/balancer/healthcheckers.lua @@ -256,7 +256,7 @@ function healthcheckers_M.create_healthchecker(balancer, upstream) local ssl_cert, ssl_key if upstream.client_certificate then - local cert, err = get_certificate(upstream.client_certificate) + local cert, err = get_certificate(upstream.client_certificate, nil, upstream.ws_id) if not cert then log(ERR, "unable to fetch upstream client TLS certificate ", upstream.client_certificate.id, ": ", err) diff --git a/kong/runloop/certificate.lua b/kong/runloop/certificate.lua index bfd34d527bc7..2ad82919d2fb 100644 --- a/kong/runloop/certificate.lua +++ b/kong/runloop/certificate.lua @@ -188,8 +188,10 @@ local function fetch_sni(sni, i) end -local function fetch_certificate(pk, sni_name) - local certificate, err = kong.db.certificates:select(pk) +local function fetch_certificate(pk, sni_name, ws_id) + local certificate, err = kong.db.certificates:select(pk, { + workspace = ws_id, + }) if err then if sni_name then return nil, "failed to fetch certificate for '" .. sni_name .. "' SNI: " .. @@ -251,12 +253,12 @@ local function init() end -local function get_certificate(pk, sni_name) +local function get_certificate(pk, sni_name, ws_id) local cache_key = kong.db.certificates:cache_key(pk) local certificate, err, hit_level = kong.core_cache:get(cache_key, get_certificate_opts, fetch_certificate, - pk, sni_name) + pk, sni_name, ws_id) if certificate and hit_level ~= 3 and certificate["$refs"] then certificate = parse_key_and_cert(kong.vault.update(certificate))