Commit
fix(vault): secret is temporarily empty after changed vault config
When vault config is changed, in the worker event we first flush the LRU
cache, then start to update the secrets from vault provider. There’s a
period of time in between when the cache is empty.
The `kong.vault.update()` function only looks up the cache and will update
the secret to an empty string when the cache is empty. This can cause plugins
to throw nil errors. This commit changed the worker event callback to
not flush the LRU cache. The cache will be updated when the secrets are
fetched from the vault provider.
cshuaimin committed Jan 23, 2025
1 parent 2929e18 commit 4f7cf09
Showing 1 changed file with 2 additions and 8 deletions.
10 changes: 2 additions & 8 deletions kong/pdk/vault.lua
Expand Up @@ -950,11 +950,7 @@ local function new(self)
self.log.warn("error updating secret reference ", reference, ": ", err)
end

if value then
record[field] = value
elseif is_reference(record[field]) then
record[field] = ""
end
record[field] = value or ""
end


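Review bot: `record[field] = value or ""` overwrites the field with an empty string whenever the lookup returns nil, including the error path reported by the `self.log.warn` call just above, so a cache miss for any reason other than the config-change flush still hands plugins an empty secret. Consider keeping the previously resolved value when `value` is nil and only blanking a field that still holds an unresolved reference, as the `elseif is_reference(record[field])` branch did, or add a comment explaining why an empty string is the safe fallback here.
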
Expand Down Expand Up @@ -1006,7 +1002,7 @@ local function new(self)
-- are specified in a `$refs` field.
--
-- If a reference cannot be fetched from the cache, the corresponding field is
-- not changed and an warning is logged.
-- set to nil and an warning is logged.
--
-- @local
-- @function update
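
Review bot: the doc comment says the field is "set to nil", but the assignment in the first hunk is `record[field] = value or ""`, which produces an empty string and never nil. A caller that tests the field for nil to detect a missing secret would be misled by this comment; suggest "set to an empty string and a warning is logged", which also fixes "an warning".
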
Expand Down Expand Up @@ -1433,8 +1429,6 @@ local function new(self)
end
end

LRU:flush_all()

-- refresh all the secrets
local _, err = self.timer:named_at("secret-rotation-on-crud-event", 0, rotate_secrets_timer)
if err then
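
Review bot: with `LRU:flush_all()` gone, entries cached under the previous vault configuration keep being served until `rotate_secrets_timer` replaces them, and nothing visible in this hunk evicts a reference that no longer resolves under the new configuration. Please add a comment at this point stating that stale values are intentionally retained until rotation overwrites them, and a regression test for a config change where a secret is removed or its backend becomes unreachable, so it is clear how long an old credential can remain in use.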