fix(vault): use global query when finding a vault by prefix (#12572)

### Summary In FTI-5762 it was reported that there is a problem with secret rotation when vaults are stored inside a workspace. This commit will fix it by passing `workspace = null` aka making a call a global call which will not then use the possibly incorrect workspace (default) to find vault entity (the vault config). The vault entity prefix is unique across workspaces. Signed-off-by: Aapo Talvensaari <aapo.talvensaari@gmail.com> (cherry picked from commit 2fb898d)
Kong · Mar 6, 2024 · aa04f71 · aa04f71
1 parent 12872cb
commit aa04f71
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/changelog/unreleased/kong/fix-vault-workspaces.yml b/changelog/unreleased/kong/fix-vault-workspaces.yml
@@ -0,0 +1,3 @@
+message: "**Vault**: do not use incorrect (default) workspace identifier when retrieving vault entity by prefix"
+type: bugfix
+scope: Core
diff --git a/kong/pdk/vault.lua b/kong/pdk/vault.lua
@@ -60,6 +60,9 @@ local COLON = byte(":")
 local SLASH = byte("/")
 
 
+local VAULT_QUERY_OPTS = { workspace = ngx.null }
+
+
 ---
 -- Checks if the passed in reference looks like a reference.
 -- Valid references start with '{vault://' and end with '}'.
@@ -606,10 +609,10 @@ local function new(self)
 
     if cache then
       local vault_cache_key = vaults:cache_key(prefix)
-      vault, err = cache:get(vault_cache_key, nil, vaults.select_by_prefix, vaults, prefix)
+      vault, err = cache:get(vault_cache_key, nil, vaults.select_by_prefix, vaults, prefix, VAULT_QUERY_OPTS)
 
     else
-      vault, err = vaults:select_by_prefix(prefix)
+      vault, err = vaults:select_by_prefix(prefix, VAULT_QUERY_OPTS)
     end
 
     if not vault then