Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[backport -> release/3.8.x] fix(vault): let shdict secret vault cache presist enough time during resurrect_ttl #13561

Merged
merged 1 commit into from
Aug 23, 2024
Merged

[backport -> release/3.8.x] fix(vault): let shdict secret vault cache presist enough time during resurrect_ttl #13561

merged 1 commit into from
Aug 23, 2024

Conversation

team-gateway-bot
Copy link
Collaborator

Automated backport to release/3.8.x, triggered by a label in #13471.

Original description

Summary

This PR fixes an issue that rotate_secret may flush a secret value with NEGATIVE_CACHED_VALUE when vault backend is down and a secret value stored in the shared dict has passed its ttl and hasn't finished consuming its resurrect_ttl.

TLDR; this issue happens easily when a reference is being used via the vault PDK function in custom codes(serverless functions, custom plugins, etc.), and some of the worker processes may not be triggered via the service/routes that use these custom codes, and these worker processes do not hold a valid LRU cache for the secret value

The issue was first reported in FTI-6137.

Checklist

  • The Pull Request has tests
  • A changelog file has been created under changelog/unreleased/kong or skip-changelog label added on PR if changelog is unnecessary. README.md
  • There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE

Issue reference

FTI-6137

@windmgc @github-actions
fix(vault): let shdict secret vault cache presist enough time during …
135ef8a 
…resurrect_ttl (#13471)

This PR fixes an issue that rotate_secret may flush a secret value with NEGATIVE_CACHED_VALUE when vault backend is down and a secret value stored in the shared dict has passed its ttl and hasn't finished consuming its resurrect_ttl.

TLDR; this issue happens easily when a reference is being used via the vault PDK function in custom codes(serverless functions, custom plugins, etc.), and some of the worker processes may not be triggered via the service/routes that use these custom codes, and these worker processes do not hold a valid LRU cache for the secret value

The issue was first reported in FTI-6137.

---------

Signed-off-by: Aapo Talvensaari <aapo.talvensaari@gmail.com>
Co-authored-by: Aapo Talvensaari <aapo.talvensaari@gmail.com>
(cherry picked from commit 9269195)
@team-gateway-bot team-gateway-bot added this to the 3.8.0 milestone Aug 23, 2024
@team-gateway-bot team-gateway-bot added cherry-pick kong-ee schedule this PR for cherry-picking to kong/kong-ee core/pdk size/L labels Aug 23, 2024
@team-gateway-bot team-gateway-bot mentioned this pull request Aug 23, 2024
Merged
3 tasks
@windmgc windmgc merged commit ddcfaa4 into release/3.8.x Aug 23, 2024
43 checks passed
@windmgc windmgc deleted the backport-13471-to-release/3.8.x branch August 23, 2024 06:15
@ms2008 ms2008 mentioned this pull request Sep 18, 2024
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@windmgc windmgc windmgc approved these changes

@catbro666 catbro666 catbro666 approved these changes

Assignees

@windmgc windmgc

Labels
cherry-pick kong-ee schedule this PR for cherry-picking to kong/kong-ee core/pdk size/L
Projects
None yet
Milestone
3.8.0
Development

Successfully merging this pull request may close these issues.
3 participants
@team-gateway-bot @windmgc @catbro666