fix(vaults): fixes to vault in cli mode

* call globalpatches to assure shared dict mocks * make vault function `is_reference` static * added the new vaults_secrets shdict to constants Signed-off-by: Joshua Schmid <jaiks@posteo.de>
Kong · Jul 26, 2023 · ce9813a · ce9813a · khcp-gha-bot · Jul 26, 2023
1 parent 8a8db1d
commit ce9813a
Show file tree

Hide file tree

Showing 10 changed files with 29 additions and 24 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -30,7 +30,7 @@ jobs:
       with:
         path: |
           ${{ env.BUILD_ROOT }}
-        key: ${{ hashFiles('.requirements', 'kong-*.rockspec', '.bazelversion', '.bazelrc', 'build/**', 'BUILD.bazel', 'WORKSPACE', '.github/workflows/build_and_test.yml') }}
+        key: ${{ hashFiles('bin/kong', '.requirements', 'kong-*.rockspec', '.bazelversion', '.bazelrc', 'build/**', 'BUILD.bazel', 'WORKSPACE', '.github/workflows/build_and_test.yml') }}
 
     - name: Install packages
       if: steps.cache-deps.outputs.cache-hit != 'true'

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -174,7 +174,7 @@ jobs:
       with:
         path: |
           bazel-bin/pkg
-        key: ${{ matrix.label }}-build-${{ hashFiles('.requirements', 'kong-*.rockspec', 'kong/**/*.lua', '**/*.bzl', '**/*.bazel') }}
+        key: ${{ matrix.label }}-build-${{ hashFiles('bin/kong', '.requirements', 'kong-*.rockspec', 'kong/**/*.lua', '**/*.bzl', '**/*.bazel') }}
 
     - name: Set .requirements into environment variables
       run: |

diff --git a/bin/kong b/bin/kong
@@ -3,6 +3,8 @@
 setmetatable(_G, nil)
 pcall(require, "luarocks.loader")
 package.path = (os.getenv("KONG_LUA_PATH_OVERRIDE") or "") .. "./?.lua;./?/init.lua;" .. package.path
+require("kong.globalpatches")({ cli = true })
+math.randomseed() -- Generate PRNG seed
 
 local pl_app = require "pl.lapp"
 local pl_utils = require "pl.utils"

diff --git a/kong/constants.lua b/kong/constants.lua
@@ -184,6 +184,7 @@ local constants = {
     "kong_cluster_events",
     "kong_healthchecks",
     "kong_rate_limiting_counters",
+    "kong_secrets",
   },
   DATABASE = {
     POSTGRES = {

diff --git a/kong/db/schema/init.lua b/kong/db/schema/init.lua
@@ -4,7 +4,7 @@ local utils        = require "kong.tools.utils"
 local cjson        = require "cjson"
 local new_tab      = require "table.new"
 local nkeys        = require "table.nkeys"
-local is_reference = require "kong.pdk.vault".new().is_reference
+local is_reference = require "kong.pdk.vault".is_reference
 
 
 local setmetatable = setmetatable

diff --git a/kong/pdk/vault.lua b/kong/pdk/vault.lua
@@ -48,6 +48,22 @@ local ROTATION_INTERVAL = tonumber(os.getenv("KONG_VAULT_ROTATION_INTERVAL") or
 local REFERENCE_IDENTIFIER = "reference"
 local DAO_MAX_TTL = constants.DATABASE.DAO_MAX_TTL
 
+
+local BRACE_START = byte("{")
+local BRACE_END = byte("}")
+local COLON = byte(":")
+local SLASH = byte("/")
+
+local function is_reference(reference)
+  return type(reference)      == "string"
+      and byte(reference, 1)   == BRACE_START
+      and byte(reference, -1)  == BRACE_END
+      and byte(reference, 7)   == COLON
+      and byte(reference, 8)   == SLASH
+      and byte(reference, 9)   == SLASH
+      and sub(reference, 2, 6) == "vault"
+end
+
 local function new(self)
   -- Don't put this onto the top level of the file unless you're prepared for a surprise
   local Schema = require "kong.db.schema"
@@ -56,7 +72,7 @@ local function new(self)
   local ROTATION_WAIT = 0
 
   local LRU = lrucache.new(1000)
-  local SHDICT = ngx.shared["kong_secrets"]
+  local SHDICT = ngx.shared.kong_secrets
 
   local KEY_BUFFER = buffer.new(100)
 
@@ -69,11 +85,6 @@ local function new(self)
   local SCHEMAS = {}
   local CONFIGS = {}
 
-  local BRACE_START = byte("{")
-  local BRACE_END = byte("}")
-  local COLON = byte(":")
-  local SLASH = byte("/")
-
   local BUNDLED_VAULTS = constants.BUNDLED_VAULTS
   local VAULT_NAMES
   do
@@ -378,17 +389,6 @@ local function new(self)
   end
 
 
-  local function is_reference(reference)
-    return type(reference)      == "string"
-       and byte(reference, 1)   == BRACE_START
-       and byte(reference, -1)  == BRACE_END
-       and byte(reference, 7)   == COLON
-       and byte(reference, 8)   == SLASH
-       and byte(reference, 9)   == SLASH
-       and sub(reference, 2, 6) == "vault"
-  end
-
-
   local function parse_reference(reference)
     if not is_reference(reference) then
       return nil, fmt("not a reference [%s]", tostring(reference))
@@ -1240,4 +1240,5 @@ end
 
 return {
   new = new,
+  is_reference = is_reference,
 }
diff --git a/kong/templates/nginx_kong_stream.lua b/kong/templates/nginx_kong_stream.lua
@@ -22,6 +22,7 @@ lua_shared_dict stream_kong_core_db_cache          ${{MEM_CACHE_SIZE}};
 lua_shared_dict stream_kong_core_db_cache_miss     12m;
 lua_shared_dict stream_kong_db_cache               ${{MEM_CACHE_SIZE}};
 lua_shared_dict stream_kong_db_cache_miss          12m;
+lua_shared_dict stream_kong_secrets                5m;
 
 > if ssl_ciphers then
 ssl_ciphers ${{SSL_CIPHERS}};

diff --git a/spec/02-integration/02-cmd/14-vault_spec.lua b/spec/02-integration/02-cmd/14-vault_spec.lua
@@ -153,8 +153,7 @@ describe("kong vault #" .. strategy, function()
       local ok, stderr, stdout = helpers.kong_exec("vault get test-env/nonexist", {
         prefix = helpers.test_conf.prefix,
       })
-      assert.matches("Error: unable to load value (nonexist) from vault (test-env): not found", stderr, nil, true)
-      assert.matches("[{vault://test-env/nonexist}]", stderr, nil, true)
+      assert.matches("could not get value from external vault", stderr, nil, true)
       assert.is_nil(stdout)
       assert.is_false(ok)
     end)
@@ -163,8 +162,7 @@ describe("kong vault #" .. strategy, function()
       local ok, stderr, stdout = helpers.kong_exec("vault get nonexist/nonexist", {
         prefix = helpers.test_conf.prefix,
       })
-      assert.matches("Error: vault not found (nonexist)", stderr, nil, true)
-      assert.matches("[{vault://nonexist/nonexist}]", stderr, nil, true)
+      assert.matches("could not find vault (nonexist)", stderr, nil, true)
       assert.is_nil(stdout)
       assert.is_false(ok)
     end)

diff --git a/spec/fixtures/custom_nginx.template b/spec/fixtures/custom_nginx.template
@@ -942,6 +942,7 @@ stream {
     lua_shared_dict stream_kong_core_db_cache_miss     12m;
     lua_shared_dict stream_kong_db_cache               ${{MEM_CACHE_SIZE}};
     lua_shared_dict stream_kong_db_cache_miss          12m;
+    lua_shared_dict stream_kong_secrets                5m;
 
 > if ssl_ciphers then
     ssl_ciphers ${{SSL_CIPHERS}};

diff --git a/spec/fixtures/default_nginx.template b/spec/fixtures/default_nginx.template
@@ -645,6 +645,7 @@ stream {
     lua_shared_dict stream_kong_core_db_cache_miss     12m;
     lua_shared_dict stream_kong_db_cache               ${{MEM_CACHE_SIZE}};
     lua_shared_dict stream_kong_db_cache_miss          12m;
+    lua_shared_dict stream_kong_secrets                5m;
 > if database == "cassandra" then
     lua_shared_dict stream_kong_cassandra              5m;
 > end