fix(vault): let vault entity cache key not containing workspace id (#13610)

windmgc · github-actions[bot] · commit 727de7fa85cd · 2024-09-14T03:21:37.000Z
This PR modifies the `cache_key` function of the vault entity to always generate a cache key without workspace id. Vault entity is workspace-able, but our secret rotation timer always run without workspace settings(thus the default workspace is being used), so during secret rotation, the code https://github.com/Kong/kong/blob/4e38b965b922f57febe8652fb96b7d74aeab591a/kong/pdk/vault.lua#L620-L621 will generate a duplicate vault cache with default workspace id for each non-default workspace vault entity, and those cache will never be refreshed. The result of this issue is that when you update a vault entity's configuration inside a non-default workspace, it will never take effect in the secret rotation. Since the prefix of vault entity is unique across workspaces, it should be safe to only use one cache key without workspace id, so that the correct cache is used during secret rotation. FTI-6152 (cherry picked from commit 3455151)
diff --git a/changelog/unreleased/kong/fix-vault-cache-workspace-id.yml b/changelog/unreleased/kong/fix-vault-cache-workspace-id.yml
@@ -0,0 +1,4 @@
+message: |
+   **Vault**: Fixed an issue where updating a vault entity in a non-default workspace will not take effect.
+type: bugfix
+scope: Core
diff --git a/kong/db/dao/vaults.lua b/kong/db/dao/vaults.lua
@@ -84,4 +84,14 @@ function Vaults:load_vault_schemas(vault_set)
 end
 
 
+function Vaults:cache_key(prefix)
+  if type(prefix) == "table" then
+    prefix = prefix.prefix
+  end
+
+  -- Always return the cache_key without a workspace because prefix is unique across workspaces
+  return "vaults:" .. prefix .. ":::::"
+end
+
+
 return Vaults
diff --git a/spec/02-integration/13-vaults/01-vault_spec.lua b/spec/02-integration/13-vaults/01-vault_spec.lua
@@ -175,5 +175,10 @@ for _, strategy in helpers.each_strategy() do
       assert.is_equal("{vault://unknown/missing-key}", certificate.key_alt)
       assert.is_nil(certificate["$refs"])
     end)
+
+    it("generate correct cache key", function ()
+      local cache_key = db.vaults:cache_key("test")
+      assert.equal("vaults:test:::::", cache_key)
+    end)
   end)
 end
